SSO SAML Authentication
As of v1.0.10, the platform supports SAML 2.0 as an SSO authentication method alongside the existing OpenID Connect (OIDC) flow. This allows organizations using enterprise identity providers to authenticate learners without requiring separate platform credentials.
Supported Identity Providers
Any SAML 2.0-compliant identity provider is supported. Commonly used providers include:
- Okta
- Microsoft Azure Active Directory (Azure AD)
- Active Directory Federation Services (ADFS)
How It Works
The SAML authentication flow is handled entirely through the Auth.js v5 pipeline:
- SP-Initiated Flow — The learner attempts to access a course or protected resource. If not authenticated, they are redirected to the configured IdP login page.
- IdP Authentication — The learner authenticates with their organization's identity provider.
- SAML Assertion — The IdP posts a signed SAML assertion back to the platform's Assertion Consumer Service (ACS) endpoint.
- Assertion Parsing — The platform parses and validates the SAML assertion, verifying the signature and extracting identity attributes.
- Attribute Mapping — SAML attributes (e.g. email, displayName, role claims) are mapped to the platform's internal user profile fields.
- Session Creation — A platform session is created using the same Auth.js session pipeline used for OIDC, providing a consistent experience across authentication methods.
SAML vs. OIDC
| Feature | SAML 2.0 | OIDC |
|---|---|---|
| Protocol | XML-based assertions | JWT-based tokens |
| Common IdPs | Okta, Azure AD, ADFS | Google, Auth0, Okta, Azure AD |
| Flow | POST-binding via browser | Redirect with token exchange |
| Session creation | Auth.js v5 pipeline | Auth.js v5 pipeline |
Both authentication methods share the same session management and downstream access control logic. Per-tenant configuration allows each organization to use either SAML, OIDC, or both independently.
Attribute Mapping
SAML attributes from the IdP are automatically mapped during assertion processing. The following standard attributes are supported:
| SAML Attribute | Platform Field |
|---|---|
| NameID / email | User email address |
| displayName / cn | User display name |
| givenName | First name |
| sn | Last name |
| Custom role claim | Tenant role assignment |
Custom attribute mappings can be configured per tenant to accommodate non-standard IdP claim schemas.
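The following is an added illustration of the Assertion Parsing and Attribute Mapping steps above and of per-tenant custom mappings; it is not the platform's or Auth.js's own code. It assumes XML parsing and XML signature verification have already happened upstream, and the `assertion` shape, the `sp` configuration object and all sample values are constructed for the example.

```javascript
// Added example (not the platform's or Auth.js's code): checks a service provider
// runs on a parsed, signature-verified SAML assertion, then the attribute mapping
// from the table above. `assertion` is a constructed, simplified shape.

// Default mapping from the attribute table; tenants may override any entry.
const DEFAULT_MAPPING = {
  email: ['NameID', 'email'],
  displayName: ['displayName', 'cn'],
  firstName: ['givenName'],
  lastName: ['sn'],
  role: ['role'],
};
// Assertion IDs already consumed, so a captured response cannot be replayed.
const seenAssertionIds = new Set();

function validateAssertion(assertion, sp, now = Date.now()) {
  const errors = [];
  if (assertion.issuer !== sp.expectedIssuer) errors.push('issuer mismatch');
  if (!assertion.audiences.includes(sp.entityId)) errors.push('audience mismatch');
  if (assertion.recipient !== sp.acsUrl) errors.push('recipient is not our ACS URL');
  if (assertion.inResponseTo !== sp.pendingRequestId) errors.push('unknown InResponseTo');
  if (now < Date.parse(assertion.notBefore) || now >= Date.parse(assertion.notOnOrAfter)) {
    errors.push('outside validity window');
  }
  if (seenAssertionIds.has(assertion.id)) errors.push('assertion replayed');
  if (errors.length === 0) seenAssertionIds.add(assertion.id); // consume only on success
  return { ok: errors.length === 0, errors };
}

function mapAttributes(assertion, tenantMapping = {}) {
  const mapping = { ...DEFAULT_MAPPING, ...tenantMapping };
  const profile = {};
  for (const [field, sources] of Object.entries(mapping)) {
    for (const name of sources) {
      const value = name === 'NameID' ? assertion.nameId : assertion.attributes[name];
      if (value) { profile[field] = value; break; } // first populated source wins
    }
  }
  return profile;
}

// Constructed sample values (placeholders, not real tenant configuration).
const SAMPLE_SP = { expectedIssuer: 'https://idp.example', entityId: 'https://sp.example',
  acsUrl: 'https://sp.example/acs', pendingRequestId: '_req42' };
const SAMPLE_ASSERTION = {
  id: '_a1', issuer: 'https://idp.example', nameId: 'ada@example', audiences: ['https://sp.example'],
  recipient: 'https://sp.example/acs', inResponseTo: '_req42',
  notBefore: '2024-01-01T10:00:00Z', notOnOrAfter: '2024-01-01T10:05:00Z',
  attributes: { cn: 'Ada Lovelace', givenName: 'Ada', sn: 'Lovelace', 'urn:tenant:role': 'instructor' },
};
```

Without a tenant override, the non-standard `urn:tenant:role` claim is left unmapped; passing `{ role: ['urn:tenant:role'] }` as the tenant mapping is what turns it into a tenant role assignment.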
Relationship to OIDC
The SAML flow is additive — existing OIDC configurations are not affected by this release. Both protocols are supported concurrently, and tenants can configure one or both depending on their identity infrastructure.