Set up Single Sign On (SSO)

Using SSO, you can authenticate users with their existing accounts on platforms like Okta, OneLogin, Azure AD, etc.

The feature is currently in alpha, which means you may encounter bugs. Please report them in our Discord group if you run into any.

To use this feature on courseLit.app, you need to be on the Enterprise plan. For self-hosted instances, this feature is available by default.

Steps to set up SSO

Subscribe to the Enterprise plan, if you haven’t, to unlock the feature. Ignore this step for self-hosted instances.
In the CourseLit dashboard, go to Settings -> Miscellaneous -> Login providers.
Click on the Cog icon next to the SSO provider to open SSO configuration.
In the SSO Provider screen, use the School Settings to configure your IdP provider. Refer to the sections below to see how to configure your IdP provider.

The following is a description of the fields under this panel:
- SAML ACS URL: This is the URL that your IdP will send the SAML response to. This is usually https://<school>.courselit.app/api/auth/sso/saml2/sp/acs/sso
- Audience URI (SP Entity ID): This is the URL that your IdP will use to validate the SAML response. This is usually https://<school>.courselit.app/api/auth/sso/saml2/sp/metadata?providerId=sso
After configuring the IdP provider, obtain the required settings from it and populate the values in the IDP Configuration panel.

The following is a description of the fields under this panel:
- Entry point: This is the URL CourseLit will use to send the SAML request to your IdP.
- Certificate: This is the certificate that your IdP will use to validate the SAML response.
- IDP Metadata: This is the metadata that your IdP will use to validate the SAML response.
Here is an example configuration for Okta:
Click on the Save button to save the configuration.
Go back to the Login providers screen and enable the SSO provider.

Setup IdP

Okta

Go to Okta dashboard and click on Applications -> Applications.
Click on Create App Integration.
Select SAML 2.0 on the Sign-in method popup and click on Next.
On the Create SAML Integration screen, in the General Settings tab, enter App name and click on Next.
In the Configure SAML tab, enter the SAML ACS URL (obtained from CourseLit) in the Single sign-on URL field and Audience URI (SP Entity ID) (obtained from CourseLit) in the Audience URI (SP Entity ID) field and click on Next.
In the Feedback tab, select the internal app option and click on Finish.
You will be taken to the newly created app’s settings. Your Okta IdP is now configured.
Next, let’s obtain the Entry point, IdP metadata and Certificate from Okta. From the Sign On tab, obtain the following:
- Entry point: We can infer this from the Metadata URL. It is usually https://<okta-account>.okta.com/app/<okta-app-id>/sso/saml2
- IdP metadata and Certificate: To obtain these, scroll down on the same page and locate the SAML Signing Certificates section. Click on the Actions button next to the SHA-2 and copy the IdP metadata and download the certificate.
Enter the values obtained in the IDP Configuration panel.
The Okta IdP is now configured.

Customer’s experience

When the SSO login provider is configured and enabled, the customer will see a Login with SSO button on the login page and checkout page.

SSO login view

2. Checkout page

SSO checkout view

Troubleshooting

a. Cloud-hosted (courselit.app)

You can re-enable the email provider from the CourseLit dashboard.

Re-enable email login provider

b. Self-hosted

You need to log in to your school’s MongoDB instance and run the following query to re-enable the email provider:

db.domains.updateMany({}, { $addToSet: { "settings.logins": "email" } });

2. Can I add multiple SSO providers?

Since this feature is currently in alpha, you can only add one SSO provider at a time. We want to make sure that the feature is stable before adding more providers.

Stuck somewhere?

We are always here for you. Come chat with us in our Discord channel or send a tweet at @CourseLit.