SSO Provider Configuration
Version 1.0.2 introduces per-tenant SSO provider configuration storage. Each organization can connect its own SAML or OIDC identity provider (IdP) independently, allowing learners to authenticate using their existing corporate credentials rather than managing a separate set of platform credentials.
Overview
SSO provider configurations are scoped to individual organizations. This means:
- Each tenant stores and manages its own IdP settings in full isolation.
- Changes to one organization's SSO configuration have no effect on any other tenant.
- Multiple protocols are supported: SAML 2.0 and OIDC (OpenID Connect).
Supported Configuration Fields
SAML
| Field | Description |
|---|---|
| Entity ID | The unique identifier for your organization's SAML Service Provider or Identity Provider. |
| Metadata URL | The URL pointing to your IdP's SAML metadata XML document. |
| Certificate Fingerprint | The fingerprint of the X.509 certificate used to verify SAML assertions from your IdP. |
| Attribute Mappings | Rules that map SAML assertion attributes to platform user fields (see below). |
OIDC
| Field | Description |
|---|---|
| Metadata URL | The OIDC discovery document URL (typically /.well-known/openid-configuration). |
| Attribute Mappings | Rules that map ID token / userinfo claims to platform user fields (see below). |
Attribute Mappings
Attribute mappings let you control how identity provider claims or assertions translate into platform user properties. For example, you might map your IdP's mail attribute to the platform's email field, or a custom department claim to a platform role.
This flexibility ensures the platform can integrate with a wide range of identity providers regardless of their specific claim schemas.
Multi-Tenant Isolation
All SSO provider configurations are stored and evaluated in a strictly tenant-scoped context:
- No configuration data is shared across organizations.
- An organization's IdP settings are only accessible and applied within that organization's context.
- Adding, updating, or removing an IdP configuration for one tenant does not trigger any changes for other tenants.
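To make the attribute-mapping and tenant-isolation behaviour described above concrete, here is an added illustration (not the platform's own code): a tenant-keyed store of IdP settings, a constant-time check of a SAML signing certificate against the tenant's configured fingerprint, and a mapping step that only ever consults the requesting tenant's rules. Field names, the SHA-256 fingerprint format and the sample configurations are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class TenantSsoConfig:
    """Per-tenant IdP settings (field names assumed for this example)."""
    tenant_id: str
    protocol: str                        # "saml" or "oidc"
    metadata_url: str
    cert_fingerprint: Optional[str]      # SHA-256 of the DER cert; SAML only
    attribute_mappings: Dict[str, str]   # IdP attribute/claim -> platform field

# Constructed sample certificate bytes (not a real X.509 structure) and the
# colon-separated, upper-case fingerprint an admin might paste into the UI.
SAMPLE_CERT_DER = b"constructed sample DER bytes for the acme IdP"
SAMPLE_FP = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_CERT_DER).digest())

# One configuration per tenant; nothing here is shared between organizations.
CONFIGS = {
    "acme": TenantSsoConfig("acme", "saml", "https://idp.acme.example/metadata",
                            SAMPLE_FP, {"mail": "email", "department": "role"}),
    "globex": TenantSsoConfig("globex", "oidc",
                              "https://login.globex.example/.well-known/openid-configuration",
                              None, {"email": "email", "groups": "role"}),
}

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and compare in one canonical form."""
    return fp.replace(":", "").replace(" ", "").lower()

def cert_matches(cfg: TenantSsoConfig, cert_der: bytes) -> bool:
    """True only if the presented signing cert matches this tenant's pinned fingerprint."""
    if cfg.cert_fingerprint is None:        # OIDC tenants pin no SAML certificate
        return False
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(cfg.cert_fingerprint))

def map_attributes(tenant_id: str, claims: Dict[str, str]) -> Dict[str, str]:
    """Translate IdP claims into platform user fields using only this tenant's rules."""
    cfg = CONFIGS.get(tenant_id)
    if cfg is None:
        raise KeyError(f"no SSO configuration for tenant {tenant_id!r}")
    user = {}
    for idp_attr, platform_field in cfg.attribute_mappings.items():
        if idp_attr in claims:              # claims outside the mapping are dropped
            user[platform_field] = claims[idp_attr]
    if "email" not in user:                 # refuse to provision a user without an identity key
        raise ValueError(f"mapping for {tenant_id!r} yielded no email")
    return user
```

Because the lookup is keyed by tenant, a claim that is meaningful to one organization (acme's `mail`) is simply ignored when presented to another, and a certificate pinned for acme never verifies assertions for globex.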
Supported Identity Providers
Any standards-compliant SAML 2.0 or OIDC provider can be configured, including (but not limited to):
- Okta
- Microsoft Azure Active Directory / Entra ID
- Google Workspace
- Auth0
- OneLogin
- PingIdentity