This article explains how to set up and use Thinkific's SSO (Single Sign On) feature to sign into your Thinkific school from your website.
About This Feature
OpenID Connect (OIDC) SSO (Single Sign On) allows you to connect your identity provider to Thinkific and provide a seamless, logged-in experience for users when navigating between your primary experience and your Thinkific site.
This approach uses the OpenID standard, a popular standard that is supported by many of the most common identity providers on the market.
How it works
OIDC SSO is straightforward to connect and configure and requires a minimal technical skillset. Once connected, this SSO will allow your identity provider to send users from your primary application and sync their information into Thinkific. This will allow your users to log in automatically without the need to manage another password.
During configuration, you will also be able to define sign up, sign in, and sign out URLs which automatically add redirects from these default views in Thinkific to your location of choice. This allows your experience to stay consistent for all of your users and to keep user access control in your identity provider.
How to set it up
Step 1: Install the OpenID Connect SSO App into your Thinkific site.
- Navigate to OIDC SSO in the Thinkific App Store.
- Ensure that you are logged into the Thinkific site that you would like to install the app on.
- Once you press the install button you should review and accept the information about the app on the consent page.
- Once installed, you will be directed to the configuration screen for the next step!
Step 2: Configure your OpenID Connect SSO App
- After installing the App, complete the required fields in the OpenID Connect Settings form with data from your identity provider.
The relevant fields include:
| Field | Description | Where to find it |
| --- | --- | --- |
| Issuer | URI representing your Identity Provider | Get this from your identity provider |
| Client ID | A unique string that represents the client, used when making the authentication request | Get this from your identity provider |
| Client Secret | Secret key that is used in the request to the token endpoint | Get this from your identity provider |
| Authorization Endpoint | Redirect the browser to this URL to make the login request | Get this from your identity provider |
| Token Endpoint | Used by the client to obtain an access token | Get this from your identity provider |
| Sign-up URI | Redirect the browser to this URL when users attempt to sign in, prevents new native account creation | The URL you would like to redirect the user to when they use the sign up/sign in functions in Thinkific |
| User Info Endpoint | Optional field. Used by the client to obtain information about the user signing in. If left blank, the client will use the ID Token. This field is required if you are using Okta. | Get this from your identity provider |
| Logout URI | Optional field. The URL to which the browser is redirected after logging out of Thinkific. If left blank, the browser will be redirected to the native Thinkific page. | The URL you would like to redirect the user to when they log out of Thinkific |
- Press Save to complete your setup in Thinkific.
- Finally, copy the Provided Callback URL and paste it into the list of allowed callback URLs in your Identity Provider.
Step 3: Test your OIDC Configuration
Now that you have configured your OIDC SSO, test the connection to ensure that it effectively logs you into a Thinkific user account.
- Open an incognito or private window in your browser.
- Navigate to your Thinkific site and click Sign In. Confirm that you are redirected to your chosen Sign-up URI.
- If you are using an identity provider such as Auth0, upon successful login your browser should redirect back to your Thinkific site with a logged in user!
- If you do not see yourself automatically redirected back to Thinkific, you should make sure your identity provider is using the correct callback URL, which can be found at the top of your configuration settings.
Step 4: Complete any other necessary configuration
While this OpenID SSO handles login and user access to your site, you will still need to determine how you will provide your users access to your communities, courses, and other content.
There are a number of options to do so, including automatically enrolling them in a course or bundle via the Thinkific API.
Supported Identity Providers
OpenID Connect is a popular SSO standard and is supported by a number of common identity providers. Specifically, it is known to support the following identity providers:
- AWS Cognito
Not seeing your preferred identity provider? Contact us to learn how Thinkific can work with your identity provider.
Any Identity provider that supports OpenID Connect will also be compatible with Thinkific so long as they support the following requirements:
- Support for the standard claims required in the OpenID Connect ID Token or User Info Endpoint Response:
- given_name - required
- family_name - required
- email - required
- Support for the following standard OpenID Connect/OAuth 2.0 features:
- Support for "client_secret_basic" auth.
- Support for the "authorization_code" flow.
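The requirements above can be checked before you fill in the settings form. The following is an added example, not Thinkific's own code: it assumes your identity provider publishes OpenID Connect Discovery metadata (the document served at /.well-known/openid-configuration) and runs against a constructed sample for a hypothetical provider at idp.example.com.

```python
# Added example: pre-flight check of an IdP's OIDC discovery metadata against
# the requirements listed above. Function names here are illustrative.

REQUIRED_CLAIMS = {"given_name", "family_name", "email"}

# Constructed sample of a discovery document (hypothetical IdP, not real data).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "response_types_supported": ["code", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
    "claims_supported": ["sub", "email", "given_name"],
}


def check_discovery(doc):
    """Return a list of problems; an empty list means the metadata fits."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Defaults from OpenID Connect Discovery 1.0 apply when a key is omitted.
    auth = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in auth:
        problems.append("client_secret_basic not supported")
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants or "code" not in doc.get("response_types_supported", []):
        problems.append("authorization_code flow not supported")
    # claims_supported is only RECOMMENDED, so check it only when advertised.
    if "claims_supported" in doc:
        missing = REQUIRED_CLAIMS - set(doc["claims_supported"])
        if missing:
            problems.append("claims not advertised: " + ", ".join(sorted(missing)))
    return problems


def missing_claims(claims):
    """Required claims absent or empty in an ID Token or User Info payload."""
    return sorted(c for c in REQUIRED_CLAIMS if not claims.get(c))


if __name__ == "__main__":
    for problem in check_discovery(SAMPLE_DISCOVERY):
        print("FAIL:", problem)
```

The same document also supplies the Issuer, Authorization Endpoint, Token Endpoint and User Info Endpoint values for the settings form, so a clean result here means those four fields can be copied from it directly.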
Other SSO Options
OpenID Connect is a very common and straightforward approach to implementing Single Sign On, but may not always be supported in all situations. If you find that this is not an option for you, there are a few alternatives that you may be able to explore:
- Use our Custom SSO Implementation. This approach uses a custom implementation of SSO based on JWT, but it is non-standard, so it will require development work to properly configure and connect. If you'd like to learn more about this, check out our developer documentation.
- Hire a solution like miniOrange to help build and develop your custom SSO implementation. They have worked with a number of Thinkific creators in the past to connect Thinkific to other options and they provide great flexibility when it comes to SSO.