What is Single Sign-On?

Single Sign-On (SSO) allows users to log in to Lessonly using the credentials of a third-party identity provider instead of a separate Lessonly password.

Lessonly integrates with several SSO providers so that users can sign in through the provider configured for their company.


How to Set Up Single Sign-On

Setting up SAML SSO requires the following:

  1. The identity provider’s target URL (the single sign-on endpoint Lessonly sends users to)

  2. The identity provider’s signing certificate (in .PEM or .cert format) or its raw certificate fingerprint

  3. Entity ID - https://companyname.lessonly.com/auth/saml/metadata (Lessonly's service provider identifier; replace companyname with your subdomain)
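The fingerprint in item 2 is nothing more than a hash of the certificate's DER bytes, and mismatches during setup usually come from comparing a SHA-1 value against a SHA-256 one, or from colon and case differences. The following is an added example (not Lessonly's code) that derives the fingerprint from a PEM file and checks a fingerprint received out of band against the certificate actually received. The PEM here wraps a constructed placeholder body, not a real certificate; SAMPLE_PEM, fingerprint_matches and the other names are the example's own.

```python
import base64
import hashlib
import re
import textwrap

# Constructed placeholder: the base64 body is NOT a real X.509 certificate. A fingerprint
# is only a hash of the decoded bytes, so the same functions work unchanged on the PEM
# your identity provider actually exports.
FAKE_DER = b"constructed placeholder DER bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode("ascii"), 64))
    + "\n-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def colonize(hexdigest: str) -> str:
    """'ABCD...' -> 'AB:CD:...', the form most identity provider consoles display."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Fingerprint of a DER certificate: upper-case, colon-separated hash of the raw bytes."""
    return colonize(hashlib.new(algo, der).hexdigest().upper())


def normalize_fingerprint(raw: str) -> str:
    """Accept 'ab:cd', 'AB CD', 'abcd', ... and return the canonical colon-separated form.
    Only SHA-1 (20-byte) and SHA-256 (32-byte) digests are accepted."""
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexonly) not in (40, 64):
        raise ValueError(f"unexpected fingerprint length: {len(hexonly)} hex digits")
    return colonize(hexonly)


def fingerprint_matches(pem: str, claimed: str) -> bool:
    """Check a fingerprint supplied out of band against the certificate actually received.
    The digest algorithm is inferred from the fingerprint length."""
    want = normalize_fingerprint(claimed)
    algo = "sha1" if len(want) == 59 else "sha256"   # 20*2 + 19 colons = 59 for SHA-1
    return fingerprint(pem_to_der(pem), algo) == want


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-256:", fingerprint(der))
    print("SHA-1:  ", fingerprint(der, "sha1"))
```

Run it against the exported certificate with `fingerprint_matches(open("idp.pem").read(), "<value from the IdP console>")`; a False result before the certificate is sent to Lessonly is far cheaper than a signature-validation failure at first login.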

Important Note

Once Single Sign-On is enabled for a company's instance, the Entity ID URL above becomes live and serves the service provider metadata file, which includes the requested NameID format, the service provider callback (assertion consumer) URL, the issuer name, and the SAML version. The identity provider administrator reads these values from that URL when configuring the Lessonly side.
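The following added example (not Lessonly's code) parses a service provider metadata document and pulls out exactly the fields named above, then runs a few sanity checks before the values are pasted into the identity provider. The XML is a constructed sample following the standard SAML 2.0 metadata schema, not Lessonly's real metadata; the callback path and the WantAssertionsSigned flag are assumed values, and fetch_sp_metadata is an optional helper that needs network access and is not used by the offline demo.

```python
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample following the SAML 2.0 metadata schema. It is NOT Lessonly's real
# metadata: the callback path and WantAssertionsSigned are assumed for the example.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://companyname.lessonly.com/auth/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://companyname.lessonly.com/auth/saml/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_sp_metadata(url: str, timeout: float = 10.0) -> str:
    """Download the live metadata document (needs network; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the values the identity provider administrator needs from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs = sp.find("md:AssertionConsumerService[@isDefault='true']", MD_NS)
    if acs is None:
        acs = sp.find("md:AssertionConsumerService", MD_NS)
    if acs is None:
        raise ValueError("no AssertionConsumerService (callback URL) declared")
    return {
        "entity_id": root.get("entityID"),            # the issuer name
        "saml_version": sp.get("protocolSupportEnumeration"),
        "name_id_format": sp.findtext("md:NameIDFormat", namespaces=MD_NS),
        "callback_url": acs.get("Location"),
        "callback_binding": acs.get("Binding"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def check_sp_metadata(info: dict) -> list:
    """Sanity checks before configuring the IdP. Returns a list of problems (empty is good)."""
    problems = []
    if SAML2_PROTOCOL not in (info["saml_version"] or ""):
        problems.append("SP does not declare SAML 2.0 protocol support")
    if not (info["callback_url"] or "").startswith("https://"):
        problems.append("callback URL is not https; assertions would travel in clear text")
    if not info["name_id_format"]:
        problems.append("no NameIDFormat requested; the IdP cannot know what to send as NameID")
    if not info["wants_signed_assertions"]:
        problems.append("SP does not require signed assertions")
    return problems


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in info.items():
        print(f"{key:24} {value}")
    print("problems:", check_sp_metadata(info) or "none")
```

For a live instance, replace the sample with `fetch_sp_metadata("https://companyname.lessonly.com/auth/saml/metadata")`; the values returned are the ones to enter in the identity provider's application configuration.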


Identity Provider Requirements

Custom SAML 2.0

  1. Support SAML 2.0

  2. Support passing back an email address or UID as the user’s NameID

  3. Support passing back the following source attributes (please map them to our default attribute names):

    • First Name (urn:oid:2.5.4.42)

    • Last Name (urn:oid:2.5.4.4)

    • Nickname – optional

    • Email address (urn:oid:0.9.2342.19200300.100.1.3)

    • User ID – anything unique to identify your users (urn:oid:1.3.6.1.4.1.5923.1.1.1.10)

    • UID - login ID or username (urn:oid:0.9.2342.19200300.100.1.1)

If you use attribute names other than the suggested defaults above, the names must follow these naming conventions:

  • Case-sensitive

  • Must start with a letter or underscore

  • Cannot start with the letters "xml" in any combination of case (xml, XML, Xml, etc.)

  • Accepted characters are letters, digits, hyphens, underscores, and periods

  • Element names cannot contain spaces


Provisioning Users with SAML SSO

When SSO is set up, Lessonly can optionally auto-provision users the first time they log in through single sign-on. This creates an account with the user's name, email, and username; the username is set to the value returned in the UID attribute. Auto-provisioning does not update a user's standard or custom fields, bulk-create users, or archive users.

Auto-provisioning can be turned off, in which case users must be created in Lessonly before they can sign in. To disable it, contact Support at support@lessonly.com.

Important Notes

  • Auto-provisioning fails with an error if a user's name contains special characters, for example: !@#$%^&*()+=[]{}?

  • For users created through a successful single sign-on, name changes can only be made in the customer's single sign-on application. Any change made manually in the Lessonly application, through an SFTP file sync, or on the Lessonly backend will not persist.
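To tie the attribute requirements above to the provisioning rules, here is an added example (not Lessonly's code) that takes a SAML assertion's subject and attribute statement, maps the OID-named attributes to the Lessonly fields, validates any custom attribute names against the naming rules, and applies the provisioning checks: the username comes from UID, and a name containing one of the listed special characters is flagged before it reaches Lessonly. The assertion is a constructed, unsigned sample; in production the XML signature must be verified before any of this runs. OID_TO_FIELD, REQUIRED_FIELDS, provision_user and the other names are the example's own, and treating every attribute except the optional nickname as required is my reading of the list above.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default attribute names from the requirements list, mapped to Lessonly fields.
OID_TO_FIELD = {
    "urn:oid:2.5.4.42": "first_name",                  # givenName
    "urn:oid:2.5.4.4": "last_name",                    # sn
    "urn:oid:0.9.2342.19200300.100.1.3": "email",      # mail
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "user_id",    # eduPersonTargetedID
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",        # uid (becomes the username)
}
# Assumption: everything except the optional nickname is required.
REQUIRED_FIELDS = {"first_name", "last_name", "email", "user_id", "uid"}

# Custom (non-default) attribute names must follow the naming rules listed above.
XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")
# Characters the provisioning note says cause auto-provisioning to fail in a name.
NAME_SPECIAL_CHARS = set("!@#$%^&*()+=[]{}?")

# Constructed, unsigned sample assertion: in production verify the XML signature first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue>7f3a9c</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>alovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="display_name"><saml:AttributeValue>Ada L.</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def valid_attribute_name(name: str) -> bool:
    """Naming rules: case-sensitive, starts with a letter or underscore, only letters, digits,
    hyphens, underscores and periods, no spaces, and not beginning with 'xml' in any case."""
    return bool(XML_NAME.match(name)) and not name.lower().startswith("xml")


def extract_attributes(assertion_xml: str, custom_names: dict = None) -> dict:
    """Return NameID plus the mapped attributes. custom_names maps an IdP attribute name that
    differs from the defaults (e.g. {'display_name': 'nickname'}) to a Lessonly field."""
    name_to_field = dict(OID_TO_FIELD)
    for name, field in (custom_names or {}).items():
        if not valid_attribute_name(name):
            raise ValueError(f"custom attribute name {name!r} breaks the naming rules")
        name_to_field[name] = field
    root = ET.fromstring(assertion_xml)
    user = {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        field = name_to_field.get(attr.get("Name"))
        if field:
            user[field] = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
    missing = REQUIRED_FIELDS - set(user)
    if missing:
        raise ValueError(f"assertion is missing required attributes: {sorted(missing)}")
    return user


def rejected_name_chars(name: str) -> set:
    """Characters in a first or last name that the provisioning note says cause an error."""
    return NAME_SPECIAL_CHARS & set(name)


def provision_user(attrs: dict) -> dict:
    """Build the record auto-provisioning would create: name, email and username (from UID).
    Raises if a name carries a character that provisioning rejects."""
    for field in ("first_name", "last_name"):
        bad = rejected_name_chars(attrs[field])
        if bad:
            raise ValueError(f"{field} contains rejected characters: {sorted(bad)}")
    return {
        "username": attrs["uid"],
        "email": attrs["email"],
        "first_name": attrs["first_name"],
        "last_name": attrs["last_name"],
        "nickname": attrs.get("nickname"),
    }


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION, custom_names={"display_name": "nickname"})
    print(provision_user(attrs))
```

Running rejected_name_chars over an export of your directory's display names before enabling auto-provisioning shows which accounts will fail at first login, which is easier to fix in the identity provider than one support ticket at a time.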


How to Set Up Google OAuth Single Sign-On

Lessonly supports OAuth sign-in through Google. For this setup Lessonly only needs the company's subdomain.

Users are created the first time they log in to Lessonly using Google SSO. As with SAML auto-provisioning, this only creates the user's name and email address in Lessonly; it does not update, bulk-create, or archive users.


Azure Active Directory

  • To integrate Azure AD with Lessonly, follow the steps listed in the Azure AD integration documentation.

  • After completing those steps, send the following to Lessonly Support at support@lessonly.com:

    • Downloaded Certificate (Base64)

    • Sign Out / Log Out URL

    • SAML Entity ID

    • SAML Single Sign-On Service URL

Important Note

Azure AD sends the user's SMTP address as the identifier it authenticates to Lessonly with. SMTP addresses are how a mail server such as SendGrid, Google, or Office 365 associates a user's name with an email address. If a user has no SMTP address, Azure AD cannot supply the matching email address and the sign-in will not succeed. The resolution is to make sure the user has an account on the mail server.


Single Sign-On for ADFS

For all SSO setups through ADFS, see the article Single Sign-On for ADFS for details on that particular setup.


Expired Passwords with SSO Enabled

If a user has used both single sign-on and the manual sign-in process, and an action such as sending a Reset Password email is triggered, the user's manual password expires immediately.

The next time the user tries to log in through single sign-on, Lessonly prompts them to create a new password. The user must set the new password and sign in manually once; from their next sign-in onward they can sign in through SSO again.

For security reasons this step is mandatory whenever a user's manual password has expired, even if the user normally signs in through SSO. Passwords do not expire on their own.


Frequently Asked Questions

Q. What is the user experience when logging in with SSO?

A. The Lessonly login page has an additional button for SSO users. When users click that button, they are taken to the identity provider. When the identity provider authenticates the user, the user is returned to Lessonly and logged in.

Q. My Lessonly client has SSO enabled. What will happen if I enable standard login and a user logs in via this method rather than through SSO?

A. As long as the email address the user signs in with matches the email on their existing Lessonly account, the account is recognized and the user can log in manually. If the user logs in with a different email address, however, a new (duplicate) account is created instead.

Q. Can Lessonly users bypass SSO?

A. No.


Questions? Contact the Support team at support@lessonly.com
