SSO (Single Sign-On) is a service that allows users to log in to different platforms using a single set of credentials. Your users can use their existing login system of your built-in website under one set of identity-verifying user credentials and securely access your LearnWorlds school.
By centralizing authentication processes, SSO reduces password fatigue, minimizes the risk of credential misuse, and simplifies the user experience, ultimately improving overall operational efficiency.
LearnWorlds supports the activation of multiple custom SSO solutions simultaneously. The available SSO options include:
- OpenID Connect
- SAML 2.0 (Security Assertion Markup Language)
- Custom SSO
- WordPress SSO Plugin
For more detailed information, please refer to this article.
This article covers the basics of SAML, its integration with LearnWorlds, and available Identity Providers (IDPs), and provides guidance on setting up SAML with various identity providers.
What is SAML?
Security Assertion Markup Language (SAML) 2.0 is one of the most widely used open standards for authentication and authorization between multiple parties. It’s one of the protocols that give users the single sign-on (SSO) experience for applications.
At its core, Security Assertion Markup Language (SAML) 2.0 is a means to exchange authorization and authentication information between services. SAML is frequently used to implement internal corporate single sign-on (SSO) solutions, where the user logs into a service that acts as the single source of identity and then grants access to a subset of other internal services.
Advantages:
- Single source of identity.
- Enforce consistent authentication. SAML/SSO can be used to enforce a consistent method of authentication across all internal corporate services, like multifactor authentication and session duration.
How does SAML work with your school?
Once you set up SAML SSO with your existing IDP, your users will be able to single sign-on to your school via your Identity Provider (IDP).
For instance, we have set up the following demo school to use Okta as IDP:
When the user clicks on Sign in and they are not already logged in to their Okta account then they will be redirected to Okta in order to be authenticated:
Okta will redirect them back & log in to the LearnWorlds school page upon successful authentication. If the user is already logged in to their Okta account, then they will be automatically logged in to Learnworlds.
Set up SAML
You may set up SAML practically with any Identity Provider (IDP). IDPs will give you the option to create an authentication application. You will need to provide the necessary information from your school (the Service Provider) and gather the necessary information from the IDP’s authentication application.
We have already created detailed guidelines for the following IDPs:
If you have another IDP, then you can refer to your IDP documentation and go to our setup page.
You can allow your users to sign in/up in your school using the SAML solution of their preference without re-entering their username and password. To set up SAML, go to your LearnWorlds school and:
1. Navigate to Website → Website settings → Authentication and select SAML.
2. Add a new SAML
3. Activate SAML and add a name for this SAML solution.
4. Once you set up this information on your IDP and create the authentication application, you will need to update your school’s setup with the necessary information from your IDP:
a. IDP Identifier (Entity ID): this is the given IDP id for the created application.
b. Sign-on URL: this is the URL that the school will call to authenticate the user via the IDP.
c. Single Logout URL: If you implement a single logout, you may provide this URL. When the user logs out from Learnworlds, the system will call this URL, and the IDP will log out the user from all other Services.
d. Identity Provider Certificate: you need to pass the public certificate to authenticate the call.
e. Service Provider (SP) URL: it is your school SAML Service Provider (sp) URL that the IDP will use to identify your service.
f. Assertion Consumer Service (ACS) URL: this is the “Reply URL” that the IDP will use to inform your school (SP) if the user has been authenticated successfully.
g. Single Logout URL: The URL that will be used by the identity provider to inform the service provider (your school) in case the user should be logged out; please paste this value to your identity provider, if needed.
h. Create User: This function adds a new user to the school if a user with this email does not already exist.
5. Click on Create to save your settings and you are all set. Your users may now Single Sign-On by using your favorite IDP.
If you're using SAML as an authentication method, you must change the Site Navigation settings in the Payment Flow section for Logged-out users, as they will need to sign up or log in before proceeding to the payment page.
Also, you need to ensure that in all Payment Sections of your school's pages, 1-click Sales funnels, or the Payment Page of your school , the Sign in/up form option is set to hide since the user will not be able to sign in/up via the Learnworlds system.
- If you set up SAML and disable the LearnWorlds login, all the users will be redirected to the SSO provider to authenticate, LearnWorlds passwords will no longer be valid. The users need to exist or sign up with the SSO authentication provider. The change of the authentication provider will only change the authentication mechanism, all the user data as well as their roles (admin, instructor, etc.) will be intact.
- In case you misconfigure the custom SSO setup and this is the only available authentication mechanism, then only the Learnworlds School Owner account will be able to sign in to your school via our Learnworlds account sign-in page (https://account.learnworlds.com/login)
- The SSO mechanism uses the user’s email address to identify the user (unique key); therefore, to change the user's email address, you need to manually update the new email both in your school and on your IDP.
Furthermore, you may use the bulk import (and enroll) functionality in case you need to import users that already exist in your SSO provider.
- If you revert to LearnWorlds authentication, users created via the SSO authentication will need to create a new password. Passwords can be changed:
- By the user via the forgot password mechanism
- By the admin reset and/or update password mechanisms
- The LearnWorlds password update/reset functionality as well as sign-up are only available for the Default LearnWorlds Authentication mechanism. Any other SSO authentication mechanisms will need to handle these functionalities.
- The built-in Affiliate Management program can not be used for users who use SSO providers to sign in
- If you want to use more than three custom SSO, SAML, or OpenID solutions in total, please contact us at [email protected]. In case you are on the Learning Center plan you can also add 3 more by purchasing our scale package.