Single Sign-On, or SSO, is the ability to log in to Lessonly with another system's credentials. For example, think about a time when you’ve attempted to create an account with a new service, such as Yelp. When you create an account, you are given the option to sign up using Google or Facebook. This allows you to use credentials you already have (Google) to create an account elsewhere.

Lessonly integrates with a few different SSO providers to allow easy access to Lessonly when users sign in via the specified provider.

Identity Providers

Lessonly integrates with the following Identity Providers, meaning our icon is in their application for their admins to set up and get to Lessonly quickly:

  • OneLogin

  • Okta

  • Bitium

  • Azure Active Directory

The user management options we support, and the specific requirements for each, are as follows:

Google Suite - We support OAuth through Google. Users are created the first time they try to log into Lessonly using the Google SSO button on the login screen. This only creates the user's name and email address within Lessonly. This does not update, bulk create, or archive users.

  • To set up Google SSO with Lessonly all we will need is your email domain.


Custom SAML 2.0 - creates users the first time they try to log in to Lessonly using the SAML 2.0 SSO button on the login screen. This will only create the user's name and email within Lessonly. This DOES NOT update, bulk create, or archive users.

What your identity provider needs:

  1. Support SAML 2.0

  2. Support passing back an email address for the users’ Name ID

  3. Support passing back the following source attributes (please map to our default names):

  • First Name (urn:oid:2.5.4.42)

  • Last Name (urn:oid:2.5.4.4)

  • Nickname – optional

  • Email address (urn:oid:0.9.2342.19200300.100.1.3)

  • User ID – anything unique to identify your users (urn:oid:1.3.6.1.4.1.5923.1.1.1.10)

  • entity ID – https://your_subdomain.lessonly.com/auth/saml/metadata

As a general rule, if the attributes are not set to the Lessonly defaults, any attribute name passed via an XML file must follow these naming rules:

  • They are case-sensitive

  • Must start with a letter or underscore

  • Cannot start with the letters xml (or XML, or Xml, etc)

  • Accepted characters are letters, digits, hyphens, underscores, and periods

  • Element names cannot contain spaces
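
A pre-flight check for the requirements above, as an added example (not Lessonly's own code): it parses a constructed SAML assertion and reports a NameID that is not an email address, missing default attributes, attribute names that break the naming rules, and first or last names containing the special characters this page says cause auto-provisioning errors. The function names, the email pattern, and the sample assertion are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted XML, parse with defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default attribute names listed on this page.
REQUIRED = {
    "First Name": "urn:oid:2.5.4.42",
    "Last Name": "urn:oid:2.5.4.4",
    "Email address": "urn:oid:0.9.2342.19200300.100.1.3",
    "User ID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
}
# Naming rules: starts with a letter or underscore; then letters, digits, hyphens,
# underscores, periods; no spaces; must not start with "xml" in any letter case.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed, deliberately loose
SPECIAL = set("!@#$%^&*()+=[]{}?")

def valid_custom_name(name):
    return bool(NAME_RE.match(name)) and not name.lower().startswith("xml")

def check_assertion(xml_text):
    """Return a list of problems found in the assertion's subject and attributes."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if not EMAIL_RE.match(name_id.strip()):
        problems.append("NameID is not an email address")
    found = root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    attrs = {a.get("Name", ""): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in found}
    for label, oid in REQUIRED.items():
        if oid not in attrs:
            problems.append(f"missing {label} ({oid})")
    for name in attrs:
        if name not in REQUIRED.values() and not valid_custom_name(name):
            problems.append(f"bad attribute name: {name!r}")
    for oid in (REQUIRED["First Name"], REQUIRED["Last Name"]):
        if SPECIAL & set(attrs.get(oid, "")):
            problems.append(f"special character in {oid}")
    return problems

# Constructed sample assertion with four deliberate mistakes (not real IdP output).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>J@ne</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="xmlNick name"><saml:AttributeValue>JD</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

This inspects attribute content only; it does not verify the assertion's signature, so it is a configuration check for a test login and not a substitute for the service provider's validation.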

How to get it set up:

Lessonly needs a few pieces of information for this integration. To set this up, please follow the steps listed below:

  1. We will need your identity provider’s target URL where we will send authentication requests

  2. We will also need either your identity provider’s certificate (in PEM format) or certificate fingerprint

  3. Once we have those, our technical staff can configure Lessonly as a service provider for you

  4. Once that is done, you will be able to find your Lessonly service provider metadata at https://your_subdomain.lessonly.com/auth/saml/metadata

  5. This metadata file will contain information including the requested nameIDFormat, the service provider callback URL, the issuer name, and the SAML version.

Azure Active Directory - creates users the first time they try to log in to Lessonly using the AD Azure SSO button on the login screen. This will only create the user's name and email within Lessonly. This DOES NOT update, bulk create, or archive users.

  • To integrate Azure AD with Lessonly, you will first want to make sure you have an Azure AD subscription and then follow the steps listed here - https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/lessonly-tutorial

  • Be sure to send along the downloaded Certificate (Base64), Sign-Out URL, SAML Entity ID, and SAML Single Sign-On Service URL to support@lessonly.com to complete the process.

  • One thing to note is that Azure uses the SMTP address to authenticate with Lessonly. SMTP addresses are how a mail server like Sendgrid, Google, or Office 365 identifies the user's name with an email address. If a user doesn't have an SMTP address, then Azure won't be able to check for the matching email address. The resolution is to make sure the user has an account on the server.

For all SSO set-ups via ADFS, please read the article Single Sign-On for ADFS for more detail on this particular set-up.

Important Note - auto-provisioning users into Lessonly will throw an error if users' names contain special characters. For example: !@#$%^&*()+=[]{}?

If a user is using both SSO and the manual sign-on process, an action that triggers a password expiration will expire the user's password immediately. This happens when someone other than the user sets the password (admin in app, on the backend, via the API, or user sync). Passwords will not expire on their own, but if an action is taken that triggers a password to expire, the next time the user tries to log in via SSO they will be prompted to create a new custom password. The user will need to set a new password, sign in manually, and then upon their next sign-in they will be able to sign in via SSO.

To enable these features please email support@lessonly.com or reach out to your CX manager to learn more. 
