Add an extra layer of security to your Thinkific site's Custom SSO feature by setting up safe-listed domains.
This article is only relevant if you are using Thinkific's Custom SSO implementation. It does not apply if you are using OpenID Connect SSO.
About This Feature
SSO, or Single Sign On, allows you to create a seamless user experience across an external website and your Thinkific school; students can sign in to both sites with one click.
Safelisting domains with SSO adds an extra level of security to this sign in flow. Designating permitted domains ensures that your students using SSO will only be sent to websites that you trust.
How It Works
When using Thinkific's Custom SSO feature, you can set up a redirect for students after they sign in or, if there was an error in the sign in flow, redirect them to try again.
Safelisting domains for your SSO feature ensures that your students will only be sent to trusted domains when you include the optional return_to and error_url parameters in your SSO setup.
We recommend safelisting domains for your SSO to prevent malicious users from intercepting a student's sign on and redirecting them to another site. Safelisting domains ensures that your students are only ever redirected to trusted websites after using SSO to sign in.
To use Safelisted Domains, you will need to set up SSO for your Thinkific site. Check out the complete guide for setting up SSO in our Developer Docs: SSO - Automatically Sign in From Your Own Website.
How SSO Works If No Domains Are Added to the Safelist
By default, no safelisted domains are added to your Thinkific site when you implement SSO, and the Safelisted Domain field in your Site Settings will be blank. This means any website can be used in your SSO URL return_to or error_url parameters, and users will be redirected to those websites.
Check out Adding Safelisted Domains (below) for instructions to add a safelisted domain for these parameters.
How SSO Works If All Domains Are Added to the Safelist
If you add one or more domains to the Safelisted Domain field and use only those safelisted domains in your SSO URL return_to or error_url parameters, users will only ever be redirected to websites on the safelist when using SSO to sign in.
Check out Adding Safelisted Domains (below) for instructions to add a safelisted domain for these parameters.
How SSO Works If Some Domains Are Not Included in Your Safelist
If you've added domains to your safelist but use a non-safelisted domain in your SSO URL return_to or error_url parameters, the following will occur:
- If the JWT is valid, the user will still be signed in and directed to the default page after signing in to your Thinkific site instead of the specified website included in the return_to parameter
- If the JWT is not valid, the user will not be signed in, and they will be redirected back to your Thinkific home page instead of the specified website in the error_url parameter
In other words, both the domain for your return_to parameter and the domain for your error_url parameter must be included in your safelist for either of these parameters to work with the SSO feature on your Thinkific site.
For example, say you safelist the domain thinkific.com and set up your SSO as follows:
- SSO URL:
http://yoursite.thinkific.com/api/sso/v2/sso/jwt?jwt=nothing&error_url=https://www.example.com&return_to=https://www.thinkific.com
Since only thinkific.com is a safelisted domain (and example.com isn't), the user will be signed in (if they enter the correct email and password), but the SSO feature will ignore the redirect listed in the SSO URL and send the user to their default Thinkific sign in page instead.
The default sign in page a user is redirected to depends on their user role. The default sign in page for students is the Student Dashboard. For admins it is the Thinkific Admin Dashboard.
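The redirect rules above (including the all-or-nothing behaviour, where a single non-safelisted domain causes both the return_to and error_url redirects to be ignored) are easier to reason about as code. The following Python is an added example, not Thinkific's implementation: it parses the SSO URL from the example above and decides the landing page from the safelist and the JWT result. It assumes that a safelisted domain also covers its subdomains (the article safelists thinkific.com and treats www.thinkific.com as trusted) and that matching is done on the URL's host with a dot boundary, so a host that merely contains a safelisted name does not match. The two fallback destinations are labelled placeholders, not real Thinkific paths.

```python
from urllib.parse import parse_qs, urlparse

# Placeholder labels for the two fallbacks the article describes:
# the default page after a valid sign in and the school home page after a failed one.
# These are constructed labels, not real Thinkific URLs.
DEFAULT_AFTER_SIGN_IN = "<default-dashboard>"
DEFAULT_ON_ERROR = "<school-home-page>"

# The SSO URL from the article's example, copied verbatim.
ARTICLE_SSO_URL = (
    "http://yoursite.thinkific.com/api/sso/v2/sso/jwt"
    "?jwt=nothing&error_url=https://www.example.com&return_to=https://www.thinkific.com"
)


def host_is_safelisted(url, safelist):
    """Return True when the host of `url` is a safelisted domain or a subdomain of one.

    Assumption (not stated by the article): subdomains of a safelisted domain are
    trusted, and matching happens on whole labels, so "notthinkific.com" or
    "thinkific.com.example" do not match a safelist entry of "thinkific.com".
    An empty safelist allows any host, which is the article's default behaviour.
    """
    if not safelist:
        return True
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return False  # no parsable host, e.g. a relative or malformed value
    for entry in safelist:
        domain = entry.strip().lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def resolve_redirect(sso_url, safelist, jwt_is_valid):
    """Decide where the user lands after the SSO request in `sso_url`.

    Mirrors the article's rules: every redirect parameter that was supplied must be
    safelisted, otherwise neither return_to nor error_url is honoured and the user
    gets the default page (valid JWT) or the school home page (invalid JWT).
    """
    params = parse_qs(urlparse(sso_url).query)
    return_to = params.get("return_to", [None])[0]
    error_url = params.get("error_url", [None])[0]
    supplied = [u for u in (return_to, error_url) if u]
    all_trusted = all(host_is_safelisted(u, safelist) for u in supplied)

    if jwt_is_valid:
        return return_to if (return_to and all_trusted) else DEFAULT_AFTER_SIGN_IN
    return error_url if (error_url and all_trusted) else DEFAULT_ON_ERROR


if __name__ == "__main__":
    # Safelist from the article: only thinkific.com, so example.com is untrusted.
    print("valid JWT, partial safelist:  ", resolve_redirect(ARTICLE_SSO_URL, ["thinkific.com"], True))
    print("invalid JWT, partial safelist:", resolve_redirect(ARTICLE_SSO_URL, ["thinkific.com"], False))
    # Both domains safelisted: the redirects are honoured.
    both = ["thinkific.com", "example.com"]
    print("valid JWT, full safelist:     ", resolve_redirect(ARTICLE_SSO_URL, both, True))
    print("invalid JWT, full safelist:   ", resolve_redirect(ARTICLE_SSO_URL, both, False))
    # Empty safelist: any destination is accepted, as the article warns.
    print("valid JWT, empty safelist:    ", resolve_redirect(ARTICLE_SSO_URL, [], True))
```

Running the script with the article's safelist reproduces its outcome: the user is signed in but lands on the default page, because example.com in error_url is not trusted even though www.thinkific.com in return_to is. The empty-safelist case is the one to watch for in a review, since it honours any destination.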
Adding Safelisted Domains
Now that you've set up SSO for your Thinkific site and added a website to your SSO URL return_to or error_url parameters, follow the instructions below to add safelisted domains. You can add multiple domains to your safelist if needed.
- Sign in to your Thinkific Admin Dashboard
- Click on Settings in the navigation menu on the left-hand side of your dashboard
- Select the Orders and accounts tab in your Site Settings
- Locate the Safelisted Domain field under Sign in/Sign up settings
- Add a domain to the Safelisted Domain field (e.g., myschool.thinkific.com)
- Click Add Domain
- Click Save
Removing Safelisted Domains
To remove safelisted domains for your return_to and error_url parameters:
- Sign in to your Thinkific Admin Dashboard
- Click on Settings in the navigation menu on the left-hand side of your dashboard
- Select the Orders and accounts tab in your Site Settings
- Locate the Safelisted Domain field under Sign in/Sign up settings
- Click the delete icon next to the safelisted domain you'd like to delete
- Click Save