Introducing SAML 2.0 SSO — Enterprise Authentication for Every Learner
Release: v1.0.10
We're adding SAML 2.0 support to the platform's SSO authentication layer. Starting with v1.0.10, organizations using enterprise identity providers like Okta, Azure AD, and ADFS can authenticate their learners directly through their existing IdP — no additional credentials required.
Why SAML?
Many large organizations standardize on SAML 2.0 for enterprise SSO, particularly those running Microsoft-centric infrastructure or regulated environments where centralized identity control is a compliance requirement. By supporting SAML alongside our existing OIDC integration, we now cover the full spectrum of common enterprise identity patterns.
What's in This Release
SAML 2.0 Authentication
Learners at SAML-enabled organizations are redirected to their identity provider at login. After authenticating, the IdP posts a signed SAML assertion back to the platform. We parse the assertion, validate the signature, extract identity attributes, and create a session — all without the learner needing to interact with a separate registration or password flow.
Unified Auth Pipeline
SAML authentication runs through the same Auth.js v5 pipeline as OIDC. This means consistent session handling, the same token lifecycle, and a single place to reason about authentication state regardless of which protocol a tenant uses.
Automatic Attribute Mapping
Standard SAML attributes — email, display name, given name, surname — are mapped automatically to platform user profiles. Custom claim schemas are also supported for organizations with non-standard attribute configurations.
No Impact on Existing OIDC Tenants
This release makes no changes to the existing OIDC flow. Tenants already using OIDC-based SSO will notice nothing different. SAML and OIDC are configured independently per tenant.
Getting Started with SAML SSO
To enable SAML SSO for your organization:
- Obtain your IdP metadata XML or the individual SSO URL, entity ID, and signing certificate from your identity provider.
- Configure your IdP with the platform's ACS (Assertion Consumer Service) URL and SP Entity ID — available in your tenant's SSO settings.
- Map any custom SAML attributes to the expected platform fields if your IdP uses non-standard claim names.
- Test the flow using an IdP-initiated or SP-initiated login before enabling for all users.
For a full walkthrough, see the SSO SAML Authentication feature guide.
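The attribute mapping described under Automatic Attribute Mapping and in the third setup step can be illustrated with the following added example, which is not the platform's own code. The profile field names, the per-tenant override shape, and the sample attribute sets are assumptions made for illustration; the claim names are the common short names, LDAP OIDs, and Microsoft claim URIs that IdPs emit for these attributes.

```javascript
// Added example; profile field names and the override shape are hypothetical.
const WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/";
const DEFAULT_CLAIMS = {
  email: ["email", "urn:oid:0.9.2342.19200300.100.1.3", WS + "emailaddress"],
  givenName: ["givenName", "urn:oid:2.5.4.42", WS + "givenname"],
  surname: ["surname", "urn:oid:2.5.4.4", WS + "surname"],
  displayName: ["displayName", "urn:oid:2.16.840.1.113730.3.1.241",
    "http://schemas.microsoft.com/identity/claims/displayname"],
};

// Return the single value of the first claim name present, or null.
// A multi-valued claim is rejected instead of silently picking one value.
function pick(attrs, names, field) {
  for (const name of names) {
    if (!Object.prototype.hasOwnProperty.call(attrs, name)) continue;
    const values = [].concat(attrs[name])
      .filter((v) => v != null)
      .map((v) => String(v).trim())
      .filter(Boolean);
    if (values.length > 1) throw new Error(`${field}: multiple values in "${name}"`);
    if (values.length === 1) return values[0];
  }
  return null;
}

// attrs: claim name -> value(s), taken only from an assertion whose signature
// has already been validated. overrides: per-tenant custom claim names; an
// override replaces the default names for that field instead of extending them.
function mapProfile(attrs, overrides = {}) {
  const profile = {};
  for (const [field, defaults] of Object.entries(DEFAULT_CLAIMS)) {
    const names = overrides[field] ? [overrides[field]] : defaults;
    profile[field] = pick(attrs, names, field);
  }
  if (!profile.email || !/^[^\s@]+@[^\s@]+$/.test(profile.email)) {
    throw new Error("assertion carries no usable email attribute");
  }
  profile.email = profile.email.toLowerCase(); // example choice: case-insensitive match
  if (!profile.displayName) {
    profile.displayName =
      [profile.givenName, profile.surname].filter(Boolean).join(" ") || profile.email;
  }
  return profile;
}

// Constructed sample attribute sets (not captured from a real IdP).
const adfsStyle = { [WS + "emailaddress"]: ["Ana.Diaz@Example.org"],
  [WS + "givenname"]: "Ana", [WS + "surname"]: "Diaz" };
const customTenant = { mailAddr: "li@example.org", email: "other@example.org", fullName: "Li Wei" };
console.log(mapProfile(adfsStyle));
console.log(mapProfile(customTenant, { email: "mailAddr", displayName: "fullName" }));
```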