What is an SSO?
An SSO, or Single Sign On, is a feature that allows a user to sign into an external website and a NextThought site in one action. This is an Enterprise plan feature and requires custom development. If you are interested in using an SSO for your site please reach out to our sales team at firstname.lastname@example.org.
How does it work?
When the SSO process starts (via user action), the LMS will initiate the OAuth 2.0 Authorization Code flow against the authorization endpoint. Your authorization endpoint will ensure the user is authenticated, possibly requiring the user to provide their credentials, and then return the user to the redirect_uri provided by NextThought. The NextThought system will then exchange the provided authorization code for an access token using the token endpoint url. The resulting access token will then be used to fetch the authenticated user's information. This information will be used to log the user into the NextThought system, provisioning new users as necessary.
To authenticate and provision a user in the NextThought LMS, the user info endpoint provided by your system must return the following information:
- Real name. The full, real name of the authenticated user.
- Email. A well-formed valid email address for the authenticated user.
- Persistent Identifier. A unique, stable identifier that can be used to uniquely identify the authenticated user. These should never be reassigned or reused. This is the primary identifier that we will use to look up and match users from your system.
The structure and format returned by the User Info endpoint url will be established as part of the SSO implementation. Typically this information is communicated via a simple JSON object, but other formats can be provided if needed. If you're interested in an integration that populates additional detailed user profile information or provisions users for specific course content, this can be discussed as part of the SSO implementation phase.
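The relying-party side of the flow described above, as an added example rather than NextThought's own code: it builds the authorization redirect with a state nonce, validates the callback, exchanges the code at the token endpoint, fetches user info, and refuses to provision a user whose record lacks the three required fields. All URLs, credentials, the user-info field names and the stand-in identity provider are constructed assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample configuration: none of these are real NextThought or customer values.
CONFIG = {
    "client_id": "example-client-id", "client_secret": "example-client-secret",
    "authorize_url": "https://idp.example.org/oauth/authorize",
    "token_url": "https://idp.example.org/oauth/token",
    "userinfo_url": "https://idp.example.org/api/userinfo",
    "redirect_uri": "https://lms.example.org/sso/callback",
}
# The user-info field names are an assumption; the page says the format is agreed per integration.
REQUIRED_FIELDS = ("real_name", "email", "persistent_id")

def build_authorization_url(cfg, state):
    """Step 1: redirect to the authorization endpoint, bound to a per-session state nonce."""
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": cfg["redirect_uri"], "state": state}
    return cfg["authorize_url"] + "?" + urlencode(params)

def handle_callback(cfg, callback_url, expected_state, http_post, http_get):
    """Steps 2-4: check the redirect, exchange the code at the token endpoint, fetch user info."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect was not started by the current session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    token = http_post(cfg["token_url"], {
        "grant_type": "authorization_code", "code": code, "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"], "client_secret": cfg["client_secret"]})
    info = http_get(cfg["userinfo_url"], {"Authorization": "Bearer " + token["access_token"]})
    missing = [f for f in REQUIRED_FIELDS if not info.get(f)]
    if missing:  # refuse to provision a user the LMS could not later match or contact
        raise ValueError("user info lacks required fields: " + ", ".join(missing))
    return {f: info[f] for f in REQUIRED_FIELDS}  # persistent_id is the lookup key

# Constructed stand-in for the customer's identity provider so the flow runs offline.
ISSUED_CODES = {"code-123": "token-abc"}

def fake_token_post(url, form):
    if form["grant_type"] != "authorization_code" or form["code"] not in ISSUED_CODES:
        raise ValueError("token endpoint rejected the exchange")
    return {"access_token": ISSUED_CODES[form["code"]], "token_type": "Bearer"}

def fake_userinfo_get(url, headers):
    if headers.get("Authorization") != "Bearer token-abc":
        raise ValueError("user info endpoint rejected the token")
    return {"real_name": "Ada Lovelace", "email": "ada@example.org", "persistent_id": "user-42"}
```

In a real deployment `http_post` and `http_get` would be your HTTP client calls over TLS, and the state value would be generated per session (for example with `secrets.token_urlsafe()`) and stored server-side until the callback arrives.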
OAuth 2.0 is an authorization framework that enables applications such as NextThought to obtain limited access to user accounts on your system. It works by delegating user authentication to the service that hosts a user account and authorizing third-party applications to access that user account. OAuth 2.0 provides authorization flows for web and desktop applications, as well as mobile devices.
Other Custom SSO Options
NextThought can facilitate SSO integrations using a number of other well-known options. If you're looking to implement SSO using another OAuth 2.0 grant type or a different industry-standard framework such as SAML, Active Directory, LDAP, or your own custom solution, please reach out to your account manager.
Implementing an OAuth 2.0 SSO with NextThought
As part of the implementation phase our team will request a number of important pieces of information required to establish the SSO integration between your system and NextThought. These include:
- Which third-party system NextThought is being integrated with. NextThought has a number of existing SSO integrations with third-party systems such as Fonteva, Growth Zone, IMIS, YM, Salesforce, Google Apps for Business, Google, and Facebook. SSO implementations with these systems may require less work on your part. If your system isn't listed above, don't worry: our implementation team can connect most systems supporting OAuth 2.0, and a number of other options are also available.
- OAuth 2.0 client identifier and client secret. This identifier and secret will be used by NextThought when performing the OAuth 2.0 authorization code based flow.
- OAuth 2.0 authorization endpoint url. The url your users will be redirected to as part of the login process.
- OAuth 2.0 token endpoint url. The url we should use to exchange the authorization code for an appropriate access token.
- User Info endpoint url. The url for an API we can use to fetch information about the user account associated with the OAuth 2.0 provided access token.
During your implementation our team will provide you with a number of important pieces of information that your system may require to establish the SSO integration between your system and NextThought. These may include:
- A list of redirect_uri values that you can expect to receive from NextThought as part of the initial authorization endpoint request.