Introducing SSO via OIDC: Learners Sign In With Their Own Identity Provider
Release v1.0.8
We are pleased to announce that Single Sign-On (SSO) using the OpenID Connect (OIDC) protocol is now available across the platform, powered by Auth.js v5.
This is a foundational milestone for the platform's B2B multi-tenant architecture. Organisations that deliver courses to their members no longer need to ask learners to create and manage a separate set of credentials. Instead, learners authenticate directly through their existing identity provider — whether that's Okta, Microsoft Entra ID, Google Workspace, Keycloak, or any other OIDC-compliant system — and land inside the platform with a fully verified session.
The Problem This Solves
In a B2B context, learners are typically employees or members of an organisation that already manages their identity centrally. Asking those learners to register a new account on a third-party learning platform creates friction, increases support overhead (forgotten passwords, stale accounts), and fragments the organisation's identity governance.
With OIDC-based SSO, the organisation remains in full control of who can access the platform. Access is granted and revoked through the same IdP the organisation already uses for everything else.
How the Flow Works
When a learner navigates to their organisation's sign-in URL, the platform identifies the organisation from the subdomain or URL slug and looks up that tenant's OIDC provider configuration at request time. The learner is redirected to their IdP, signs in with their existing credentials, and is returned to the platform's callback URL with an authorisation code. The platform exchanges that code for an ID token, verifies it against the tenant's registered issuer and client ID, and only then establishes a session scoped to that organisation.
The entire flow is the standard OIDC authorisation code flow; nothing in the implementation is proprietary or non-standard, so it works with any conformant identity provider, including every major commercial and open-source IdP.
Dynamic, Multi-Tenant Provider Resolution
One of the more technically significant aspects of this release is that OIDC provider configurations are loaded dynamically at request time rather than baked into the deployment. When a new organisation is onboarded, its OIDC configuration is registered in the platform and becomes active immediately, with no redeployment and no static configuration changes. Each organisation's provider configuration is isolated from every other tenant's: a sign-in started under one organisation is completed only against that organisation's IdP and issuer.
This approach scales cleanly as the number of organisations on the platform grows.
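The two sections above describe one procedure: resolve the tenant from the request, send the learner to that tenant's IdP with the standard authorisation-code parameters, and accept the callback only for the tenant that started it. The TypeScript below is an added illustration of that procedure with the checks a practitioner would expect to see; it is not the platform's code and does not use Auth.js. The tenant registry, the platform domain learn.example, the callback path, and the configuration field names are all assumptions made for this example. The code-for-token exchange and the JWT signature check against the issuer's JWKS need network access and are left to the OIDC client library; the example takes the already signature-verified ID token claims as input.

```typescript
import { createHash, randomBytes } from "node:crypto";
import { Buffer } from "node:buffer";

// Hypothetical per-tenant OIDC registration; the field names are assumed for this example.
export interface TenantOidcConfig {
  slug: string;                  // subdomain or URL slug that identifies the organisation
  issuer: string;                // must equal the `iss` claim the IdP puts in its ID tokens
  clientId: string;
  authorizationEndpoint: string; // in production, read from <issuer>/.well-known/openid-configuration
}

// Constructed sample registry: two tenants on two different IdPs (hostnames are made up).
export const tenantRegistry = new Map<string, TenantOidcConfig>([
  ["acme", { slug: "acme", issuer: "https://login.acme.example", clientId: "acme-learning",
             authorizationEndpoint: "https://login.acme.example/oauth2/v1/authorize" }],
  ["globex", { slug: "globex", issuer: "https://idp.globex.example/realms/staff", clientId: "lms",
               authorizationEndpoint: "https://idp.globex.example/realms/staff/protocol/openid-connect/auth" }],
]);

const PLATFORM_HOST = "learn.example";                                   // assumed platform domain
const CALLBACK_URL = `https://${PLATFORM_HOST}/api/auth/callback/oidc`; // assumed callback path

// Tenant detection from the subdomain (acme.learn.example) or the first path segment (/acme/...).
export function resolveTenant(host: string, path: string): TenantOidcConfig | undefined {
  const hostname = host.toLowerCase().split(":")[0];
  if (hostname.endsWith("." + PLATFORM_HOST)) {
    return tenantRegistry.get(hostname.slice(0, -(PLATFORM_HOST.length + 1)));
  }
  const slug = path.split("/").filter(Boolean)[0];
  return slug ? tenantRegistry.get(slug) : undefined;
}

// State minted at login start and looked up at the callback. In production this lives in an
// encrypted, HttpOnly cookie or a server-side store; a Map is enough to show the checks.
interface PendingLogin { tenantSlug: string; nonce: string; codeVerifier: string; issuedAt: number }
const pendingLogins = new Map<string, PendingLogin>();
const STATE_TTL_MS = 10 * 60 * 1000;
const b64url = (buf: Buffer): string => buf.toString("base64url");

// Step 1: build the authorization request for the resolved tenant (PKCE S256, state, nonce).
export function beginLogin(tenant: TenantOidcConfig, now = Date.now()): { redirectTo: string; state: string } {
  const state = b64url(randomBytes(32));
  const nonce = b64url(randomBytes(32));
  const codeVerifier = b64url(randomBytes(32));
  const codeChallenge = b64url(createHash("sha256").update(codeVerifier).digest());
  pendingLogins.set(state, { tenantSlug: tenant.slug, nonce, codeVerifier, issuedAt: now });
  const url = new URL(tenant.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: tenant.clientId, redirect_uri: CALLBACK_URL,
    scope: "openid profile email", state, nonce,
    code_challenge: codeChallenge, code_challenge_method: "S256",
  }).toString();
  return { redirectTo: url.toString(), state };
}

export interface IdTokenClaims { iss: string; sub: string; aud: string | string[]; exp: number; nonce?: string; email?: string }
export interface Session { tenantSlug: string; subject: string; email?: string }

// Step 2: the callback, invoked for the tenant resolved from the callback request. `claims` are the
// ID token's claims after the client library has exchanged the code (sending codeVerifier) and
// verified the JWT signature against the issuer's JWKS; those two network steps are out of scope here.
export function completeLogin(tenant: TenantOidcConfig, state: string, claims: IdTokenClaims, now = Date.now()): Session {
  const p = pendingLogins.get(state);
  pendingLogins.delete(state); // single use: a replayed or guessed state fails below
  if (!p) throw new Error("unknown or already-used state");
  if (now - p.issuedAt > STATE_TTL_MS) throw new Error("login attempt expired");
  // Tenant binding: a state minted for organisation A must not complete a login for organisation B.
  if (p.tenantSlug !== tenant.slug) throw new Error("state was issued for a different tenant");
  // Issuer binding: a valid token from another tenant's IdP is still the wrong token here.
  if (claims.iss !== tenant.issuer) throw new Error("id_token issuer does not match the tenant's registered issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(tenant.clientId)) throw new Error("id_token was not issued for this client");
  if (claims.nonce !== p.nonce) throw new Error("nonce mismatch: token not bound to this login attempt");
  if (claims.exp * 1000 <= now) throw new Error("id_token expired");
  return { tenantSlug: tenant.slug, subject: claims.sub, email: claims.email };
}
```

The points this makes that the prose alone does not: the state parameter is bound to the tenant that minted it and consumed exactly once, and the ID token's iss claim is compared with that tenant's registered issuer rather than only being checked for a valid signature. Without both checks, someone holding a perfectly valid token from organisation A's IdP could attempt to complete organisation B's callback with it. In Auth.js v5 the equivalent per-request lookup sits in the lazy-initialisation form of NextAuth, where a function receives the incoming request and returns the provider configuration for that tenant.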
What This Means for Organisations
- No new credentials to manage — learners use the accounts they already have.
- Access control stays in one place — provision and deprovision learners through your existing IdP.
- Compatible with your existing IdP — any OIDC-compliant provider is supported.
- Strict tenant isolation — sessions are scoped to your organisation; there is no cross-tenant data exposure.
Getting Started
To enable SSO for your organisation, register your OIDC provider configuration with the platform (Issuer URL, Client ID, and Client Secret), and register the platform's callback URL as an allowed redirect URI with your IdP. Two details commonly cause a failed first sign-in: the Issuer URL must be identical to the issuer value published in your IdP's discovery document at <issuer>/.well-known/openid-configuration (scheme, host, path and any trailing slash), and the redirect URI registered with the IdP must match the platform's callback URL character for character, because IdPs compare it by exact string match. Treat the Client Secret as a credential: issue one specifically for this integration and rotate it through your IdP if it is ever exposed. See the SSO OIDC Authentication Flow documentation for full setup details.
Released in v1.0.8. See the Changelog for the full release history.