What is Single Sign-On?

Single Sign-On (SSO) lets users log in to Lessonly with credentials from a third-party identity provider instead of a Lessonly-specific password.

Lessonly integrates with several SSO providers so that users can sign in through the provider your company specifies.


How to Set Up Single Sign-On

Lessonly needs the following details to begin setting up SAML SSO:

  1. The identity provider's target URL (the IdP's single sign-on service URL, where Lessonly redirects users to authenticate)

  2. The identity provider's signing certificate (in .PEM or .cert format) or its raw certificate fingerprint. Lessonly uses this to verify the signatures on the assertions the IdP sends, so it must be the IdP's SAML signing certificate, not a web-server TLS certificate.

  3. Entity ID: Lessonly's service-provider identifier, https://companyname.lessonly.com/auth/saml/metadata (replace companyname with your Lessonly subdomain). This value is entered on the identity-provider side.
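A SAML certificate fingerprint is a hash of the certificate's DER bytes (the base64 payload inside the PEM), so the file extension, the header wording and the line wrapping of the PEM do not change it. The following is an added example, not Lessonly's own code, that computes a fingerprint from a PEM file and compares it against a value typed by hand in any of the usual spellings (upper or lower case, with or without colons). The PEM it uses is a constructed placeholder whose payload is arbitrary bytes rather than a real certificate; that is enough to exercise the decoding and comparison logic.

```python
"""Compute and compare a SAML identity-provider certificate fingerprint.

Added example, not Lessonly's code.  SAMPLE_PEM is a constructed
placeholder: its base64 payload is arbitrary bytes, not a real
certificate.  Use the same functions on a real IdP .PEM/.cert file.
"""
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)-----END (?:TRUSTED )?CERTIFICATE-----",
    re.S,
)

# Constructed placeholder payload (48 arbitrary bytes), wrapped the way
# tools usually write PEM files (64-character lines).
_PAYLOAD = bytes(range(48))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_PAYLOAD).decode()
    + "-----END CERTIFICATE-----\n"
)
# Same payload, no line wrapping: the fingerprint must be identical.
REWRAPPED_PEM = (
    "-----BEGIN CERTIFICATE-----"
    + base64.b64encode(_PAYLOAD).decode()
    + "-----END CERTIFICATE-----"
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # Drop all whitespace so the wrapping of the base64 body is irrelevant.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Fingerprint in the conventional AB:CD:... upper-case form."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fingerprint(fp: str) -> str:
    """Accept 'AB:CD..', 'ab:cd..', 'ABCD..' or values with stray spaces."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(cleaned) not in (40, 64):  # SHA-1 or SHA-256 hex digest lengths
        raise ValueError("fingerprint is not a SHA-1 or SHA-256 hex digest")
    return cleaned


def matches(pem: str, expected: str) -> bool:
    """True if `expected` is the SHA-1 or SHA-256 fingerprint of `pem`."""
    exp = normalise_fingerprint(expected)
    algorithm = "sha1" if len(exp) == 40 else "sha256"
    actual = normalise_fingerprint(fingerprint(pem, algorithm))
    # Constant-time comparison is a cheap habit for any value used in trust decisions.
    return hmac.compare_digest(actual, exp)


if __name__ == "__main__":
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    print("SHA-1:  ", fingerprint(SAMPLE_PEM, "sha1"))
    print("matches lower-case, no colons:",
          matches(SAMPLE_PEM, fingerprint(SAMPLE_PEM).lower().replace(":", "")))
```

When sending a fingerprint to Support rather than the certificate itself, say which hash you used; a SHA-1 and a SHA-256 fingerprint of the same certificate look nothing alike, and a fingerprint taken over the PEM text instead of the DER bytes will never match.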

Important Note

Once Single Sign-On is enabled for a company's instance, the metadata URL above becomes live and serves Lessonly's service-provider metadata file. It contains the requested NameIDFormat, the service-provider callback (assertion consumer) URL, the issuer name, and the SAML version, which is what an identity-provider administrator needs to configure the Lessonly side.
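The following is an added example, not Lessonly's code, of reading those values out of a service-provider metadata document and sanity-checking them before they are pasted into an identity provider. The metadata it parses is a constructed sample that follows the fields the note above lists; the callback path /auth/saml/callback and the WantAssertionsSigned flag are assumptions for the sample, not values taken from a real Lessonly instance.

```python
"""Parse SAML 2.0 service-provider metadata and extract the fields an IdP
admin needs.  Added example, not Lessonly's code; SAMPLE_SP_METADATA is a
constructed document (callback path and flags are assumptions).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://companyname.lessonly.com/auth/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://companyname.lessonly.com/auth/saml/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return entity ID, SAML protocol, NameID formats and the default ACS endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService (callback URL) declared")
    # The IdP should post to the default ACS; fall back to the first one listed.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    return {
        "entity_id": root.get("entityID"),
        "saml_protocol": sp.get("protocolSupportEnumeration", ""),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [(n.text or "").strip() for n in sp.findall("md:NameIDFormat", NS)],
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
    }


def check_sp_metadata(info: dict) -> list:
    """Return a list of findings; empty means the values look safe to configure."""
    findings = []
    entity = urlparse(info["entity_id"] or "")
    acs = urlparse(info["acs_url"] or "")
    if not re.fullmatch(r"https://[a-z0-9-]+\.lessonly\.com/auth/saml/metadata", info["entity_id"] or ""):
        findings.append("entityID does not follow https://<subdomain>.lessonly.com/auth/saml/metadata")
    if acs.scheme != "https":
        findings.append("ACS URL is not https")
    if acs.hostname != entity.hostname:
        findings.append("ACS host differs from entityID host")
    if "SAML:2.0:protocol" not in info["saml_protocol"]:
        findings.append("SP does not advertise SAML 2.0")
    return findings


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in info.items():
        print(f"{key:>22}: {value}")
    print("findings:", check_sp_metadata(info) or "none")
```

The ACS-host check matters because an assertion consumer URL on a different host than the entity ID is the classic sign of a copy-paste error (or a misconfigured tenant) that would send signed assertions to the wrong place.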


Identity Provider Requirements

Custom SAML 2.0

  1. Support SAML 2.0

  2. Support passing back an email address or UID as the user's NameID

  3. Support passing back the following attributes (please map them to our default names):

    • First Name (urn:oid:2.5.4.42)

    • Last Name (urn:oid:2.5.4.4)

    • Nickname – optional

    • Email address (urn:oid:0.9.2342.19200300.100.1.3)

    • User ID – any value that uniquely identifies your users (urn:oid:1.3.6.1.4.1.5923.1.1.1.10)

    • UID - login ID or username (urn:oid:0.9.2342.19200300.100.1.1)

If your attribute names differ from the suggested defaults, they must follow these naming rules:

  • Case-sensitive

  • Must start with a letter or underscore

  • Cannot start with the letters "xml" in any combination of case (xml, XML, Xml, etc.)

  • Accepted characters are letters, digits, hyphens, underscores, and periods

  • Element names cannot contain spaces
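The following is an added example, not Lessonly's code, of the extraction step the attribute list above describes: it pulls the NameID and each default attribute (by OID) out of a SAML assertion, reports any of the required ones that are missing, and checks every non-default attribute name against the naming rules just listed. The assertion is a constructed sample with a placeholder issuer and no signature; treating every attribute except the optional nickname as required is an assumption. In a real flow the assertion's XML signature must be verified against the identity provider's certificate before any of these values are trusted.

```python
"""Extract NameID and the article's attributes from a SAML 2.0 assertion and
validate custom attribute names.  Added example, not Lessonly's code.
SAMPLE_ASSERTION is constructed (placeholder issuer/ID, unsigned).
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# OID -> Lessonly default attribute, as listed in the article.
DEFAULT_ATTRIBUTES = {
    "urn:oid:2.5.4.42": "first_name",
    "urn:oid:2.5.4.4": "last_name",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "user_id",
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
}
# Assumption: everything except the optional nickname is required.
REQUIRED = ("first_name", "last_name", "email", "user_id", "uid")

_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")


def valid_attribute_name(name: str) -> bool:
    """Rules from the article: case-sensitive, starts with a letter or
    underscore, not 'xml' in any case, only letters/digits/- _ ., no spaces."""
    return bool(_NAME_RE.fullmatch(name)) and not name.lower().startswith("xml")


SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue>emp-1042</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="xmlRole"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_user(xml_text: str, attribute_map: dict = DEFAULT_ATTRIBUTES) -> dict:
    """Map the assertion's attributes onto Lessonly field names.

    NOTE: this does not verify the XML signature; do that first in production.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    fields, extra, invalid = {}, {}, []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        value = values[0] if values else ""   # first value wins for single-valued fields
        if name in attribute_map:
            fields[attribute_map[name]] = value
        else:
            extra[name] = value
            if not valid_attribute_name(name):
                invalid.append(name)
    missing = [f for f in REQUIRED if not fields.get(f)]
    return {
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "fields": fields,
        "extra": extra,
        "invalid_names": invalid,
        "missing": missing,
    }


if __name__ == "__main__":
    result = extract_user(SAMPLE_ASSERTION)
    print("NameID:", result["name_id"], "(", result["name_id_format"], ")")
    print("fields:", result["fields"])
    print("missing required:", result["missing"] or "none")
    print("invalid custom names:", result["invalid_names"] or "none")
```

Running it on the sample reports `xmlRole` as an invalid custom attribute name (it starts with "xml") while `department` passes; an identity-provider administrator can run the same check on a captured assertion before enabling the integration.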


Provisioning through SAML SSO

When setting up SSO, Lessonly can auto-provision users the first time they log in through single sign-on. This creates the user's account with their name, email, and username; the username is set to the value returned in the UID attribute. Auto-provisioning does not update a user's standard or custom fields, bulk-create users, or archive users.

Auto-provisioning can be turned off, in which case users must be created in Lessonly before they can sign in. To disable it, please reach out to Support at support@lessonly.com.

Important Notes

  • Auto-provisioning fails with an error if a user's name contains special characters, for example: !@#$%^&*()+=[]{}?

  • For users created through a successful single sign-on, name changes can only be made in the customer's single sign-on application. Any change made manually in the Lessonly application, through an sFTP file sync, or on the Lessonly backend will not be saved.
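The following is an added pre-flight check, not Lessonly's code, for an administrator about to enable auto-provisioning. It models the creation rules described above (account created on first SSO login with name, email and username taken from the UID; names containing the listed special characters fail) and runs a directory export through them to report which users would be created and which would fail, without touching existing accounts. The user records and the existing-user store are constructed samples, and matching existing users by email address is an assumption about how Lessonly identifies them.

```python
"""Dry-run a directory export against the auto-provisioning rules in the
article.  Added example, not Lessonly's code; sample data is constructed and
matching existing users by email is an assumption.
"""
import re

# Characters the article lists as breaking auto-provisioning.
SPECIAL_CHARS = re.compile(r"[!@#$%^&*()+=\[\]{}?]")


def name_problems(first: str, last: str) -> list:
    """Return the offending characters in a user's name, sorted, or []."""
    return sorted(set(SPECIAL_CHARS.findall(first + last)))


def provision_on_login(store: dict, attrs: dict) -> str:
    """Apply one SSO login to `store` (email -> user record).

    Returns 'created' or 'existing'; raises ValueError where auto-provisioning
    would error.  Existing accounts are not created again; whether the IdP
    later syncs their name is outside this check.
    """
    email = attrs["email"]
    if email in store:
        return "existing"
    bad = name_problems(attrs["first_name"], attrs["last_name"])
    if bad:
        raise ValueError("name contains special characters: " + "".join(bad))
    store[email] = {
        "first_name": attrs["first_name"],
        "last_name": attrs["last_name"],
        "email": email,
        "username": attrs["uid"],   # username comes from the UID attribute
    }
    return "created"


def preflight(store: dict, records: list) -> dict:
    """Run every record against a copy of the store and bucket the outcomes."""
    trial = dict(store)               # never mutate the real store in a dry run
    report = {"created": [], "existing": [], "failed": {}}
    for rec in records:
        try:
            report[provision_on_login(trial, rec)].append(rec["email"])
        except ValueError as exc:
            report["failed"][rec["email"]] = str(exc)
    return report


# Constructed samples.
EXISTING_USERS = {
    "ann@example.com": {"first_name": "Ann", "last_name": "Lee",
                        "email": "ann@example.com", "username": "alee"},
}
DIRECTORY_EXPORT = [
    {"first_name": "Ann", "last_name": "Lee", "email": "ann@example.com", "uid": "alee"},
    {"first_name": "Bob", "last_name": "O'Neil", "email": "bob@example.com", "uid": "boneil"},
    {"first_name": "Cy", "last_name": "Park (HR)", "email": "cy@example.com", "uid": "cpark"},
]

if __name__ == "__main__":
    report = preflight(EXISTING_USERS, DIRECTORY_EXPORT)
    print("would be created:", report["created"])
    print("already exist:   ", report["existing"])
    for email, why in report["failed"].items():
        print("would fail:      ", email, "->", why)
```

Note that the apostrophe in "O'Neil" is not on the article's list, so that record is created, while the parentheses in "Park (HR)" are, so that record fails; the pre-flight tells you which display names to clean up in the identity provider before users hit the error at login.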


How to Set Up Google OAuth Single Sign-On

Lessonly supports OAuth sign-in through Google. Only the company's Lessonly subdomain is needed for this set-up.

Users are created the first time they log in to Lessonly using Google SSO.

As with SAML, this creates only the user's name and email address in Lessonly.

It does not update, bulk-create, or archive users.


Azure Active Directory

  • To integrate Azure AD with Lessonly, follow the steps in the documentation linked here.

  • After completing those steps, send the following to Lessonly Support at support@lessonly.com:

    • Downloaded certificate (Base64)

    • Sign-out URL

    • SAML entity ID

    • SAML single sign-on service URL

Important Note

Azure uses the user's SMTP address to authenticate with Lessonly. An SMTP address is the email address that a mail server such as SendGrid, Google, or Office 365 associates with the user's account. If a user has no SMTP address, Azure cannot look up a matching email address and the sign-in fails; the resolution is to make sure the user has an account (and therefore an SMTP address) on the mail server.


Single Sign-On for ADFS

For SSO set-ups through ADFS, please read the article Single Sign-On for ADFS for details on that particular set-up.


Expired Passwords with SSO Enabled

If a user has signed in both through single sign-on and with a manual password during their tenure, and an action such as a Reset Password email is triggered, the user's manual password expires immediately.

The next time the user tries to log in through single sign-on, Lessonly prompts them to create a new password. The user must set a new password and sign in manually once; on their next sign-in they will be able to sign in through SSO again.

For security purposes, this step is mandatory whenever a user's manual password expires while they are also using SSO. Passwords do not expire on their own.


If you have any questions please reach out to Support at support@lessonly.com.
