
Every SSO path we support, with the technical details.

SAML 2.0, OIDC, ClassLink, and Clever. Students and teachers authenticate through your identity provider; they never see our login screen.


About: SSO deployment

This is the technical page your IT team wants. It covers the supported protocols, what we need from your identity provider, and what deployment looks like from start to finish. Non-technical readers may prefer the institutions hub.

Supported protocols

  • SAML 2.0, tested against Shibboleth, Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace SAML, OneLogin, Ping Identity. We are the Service Provider; you are the Identity Provider.
  • OIDC, tested against the same IdPs plus Keycloak.
  • ClassLink (K-12). OIDC through ClassLink's authentication broker, with ClassLink Roster Server integration for roster sync.
  • Clever (K-12). Clever SSO (OIDC) plus Clever Secure Sync for roster sync.
  • LTI 1.3, as part of the fall 2026 native LMS integration; LTI 1.3 carries authentication, so a separate SSO is not required for in-LMS use.

What we need from your IdP

For SAML:

  • Entity ID, SSO endpoint (HTTP-POST binding preferred), and X.509 signing certificate.
  • Required attributes: NameID (persistent, institution-scoped), email, givenName, sn, and one of role or eduPersonAffiliation (to distinguish student/teacher/admin).
  • Optional attributes: eduPersonPrincipalName, ou (for department-level segmentation), dateOfBirth or grade (to drive COPPA under-13 mode in K-12).

For OIDC: client ID / client secret provisioned on your side, redirect URI we provide, and the same attribute mapping via scopes/claims.

Roster sync

Roster sync is optional. With sync enabled, teachers see their assigned class rosters inside bulk mode, and per-class detection thresholds can be set. We support:

  • OneRoster 1.1 (REST or CSV) for higher-ed and K-12.
  • Clever Secure Sync for Clever customers.
  • ClassLink Roster Server for ClassLink customers.
  • SCIM 2.0 for general-purpose user provisioning, primarily for higher-ed.

Deployment timeline

  1. Week 1: kickoff call with your IT lead, exchange IdP metadata, agree on attribute mapping.
  2. Week 2: SSO test with a small pilot group. We send you a signed-in test account, and you verify that the attributes arrived intact.
  3. Week 3: roster sync (if enabled) and pilot-school rollout.
  4. Weeks 4–6: broad rollout, training, teacher-admin panel handoff.

For institutions already on ClassLink or Clever with a vanilla attribute set, the timeline compresses to 7–10 business days.

Security controls

  • SAML assertions must be signed. Encrypted assertions are supported and recommended.
  • Session length is configurable; default is 8 hours for teachers, 4 hours for students.
  • MFA enforcement is delegated to your IdP. We will honor any MFA assertion but do not provide our own second factor for SSO users.
  • An audit log of authentication events is exposed via the admin panel and exportable as CSV.

Common issues we see

  • Missing role attribute. Without a role claim, every user defaults to "student." Fix in your IdP, not on our side.
  • Non-persistent NameID. If your NameID rotates on each login, users will appear as new accounts every session. Use a persistent, institution-scoped identifier.
  • Clock skew. SAML assertions are time-bound. If your IdP and our SP drift more than 5 minutes, logins fail silently.
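
The three issues above can be caught on the IdP side before the Week 2 pilot by inspecting one decoded test assertion. The following is an added example, not our product's code or any IdP's tooling. It assumes attributes are released under the friendly names listed on this page, reuses the 5-minute figure as its skew tolerance, and runs on a constructed sample assertion.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED = ("email", "givenName", "sn")          # friendly names: an assumption
ROLE_ATTRS = ("role", "eduPersonAffiliation")
MAX_SKEW = timedelta(minutes=5)

# Constructed sample: transient NameID, no role claim, NotBefore in the future.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Signature/>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2025-01-01T12:10:00Z" NotOnOrAfter="2025-01-01T12:15:00Z"/>
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>t@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sn"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2025-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def preflight(assertion_xml, now):
    """Return a list of findings for one decoded assertion; empty means clean."""
    root = ET.fromstring(assertion_xml)
    findings = []
    # Presence check only; the SP still verifies the signature against the
    # IdP's X.509 certificate. This is a diagnostic, not a validator.
    if root.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID is not persistent")
    # Only attributes that carry a non-empty value count as released.
    names = {a.get("Name") for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
             if a.findtext("saml:AttributeValue", "", NS).strip()}
    findings += [f"missing attribute: {a}" for a in REQUIRED if a not in names]
    if not names.intersection(ROLE_ATTRS):
        findings.append("no role or eduPersonAffiliation: user would default to student")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return findings + ["no Conditions element"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_ts(nb) - MAX_SKEW:
        findings.append("not yet valid: check IdP/SP clock skew")
    if na and now >= parse_ts(na) + MAX_SKEW:
        findings.append("expired: check IdP/SP clock skew")
    return findings
```

Run `preflight` on an assertion captured from your own IdP's test login, passing the current UTC time from a host with a known-good clock.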

Six SSO paths

SAML 2.0, OIDC, ClassLink, Clever, OneRoster 1.1, SCIM 2.0, plus LTI 1.3 carrying auth in the fall 2026 LMS integration.

Roster sync optional

Teachers can use the tool without roster integration. Sync enables per-class thresholds and roster-aware bulk mode when institutions want it.

7–10 day fast track

Institutions already on ClassLink or Clever with a vanilla attribute set deploy in 7–10 business days; full SAML kickoff is 3–6 weeks.

Frequently asked questions

Do you support just-in-time provisioning?
Yes. With JIT enabled, users are created on first login from the SAML/OIDC attributes. Roster sync supplements JIT for class-aware features.

What if we use a lesser-known SAML IdP?
If your IdP is SAML 2.0-compliant, it will work. We've tested the common ones; edge cases get resolved during the Week 2 pilot.

Can we enforce MFA?
MFA is delegated to your IdP. Set the MFA policy there; we honor the resulting assertion.

Is there a cost for SSO?
No. SSO is included at the institutional tier and above. SCIM and OneRoster sync are also included.
