Single Sign-On (SSO)
Connect your organisation's identity provider so employees can log in to TechClass with their corporate credentials.
Single Sign-On (SSO) lets your employees authenticate with TechClass using the same identity provider (IdP) they already use across your organisation — whether that is Microsoft Entra ID (Azure AD), Okta, Google Workspace, or any other SAML 2.0 or OpenID Connect-compatible provider.
SSO is coming soon and will be available in an upcoming release of TechClass. The documentation below describes what you will be able to configure once the feature is live.
Add-on required: Single Sign-On requires the Security+ add-on. Contact our sales team to add it to your workspace.
To manage SSO once available, navigate to Configuration > Single Sign-On in the Admin Portal sidebar.
How It Works
When SSO is enabled for your tenant, TechClass performs Home Realm Discovery at the login screen: the domain of the email address the user enters is matched against your SSO connections and, instead of showing a password field, TechClass redirects the user to the matching IdP to authenticate. After successful authentication, TechClass creates or updates the user's account automatically from the claims the IdP provides (Just-in-Time provisioning) and issues a local TechClass session.
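The two decisions described above, Home Realm Discovery and Just-in-Time provisioning, as an added example in Python. This is illustrative code, not TechClass's implementation: the `Tenant`, `Connection` and `User` types, the sample public-domain list and the claim names (`email`, `name`, `groups`) are assumptions. The rule that a connection may only assert emails in the domains mapped to it is a check a practitioner would expect, not a behaviour this page documents.

```python
"""Home Realm Discovery and Just-in-Time provisioning, illustrated.

Added example (not TechClass code). It assumes a tenant holding SSO
connections keyed by email domain, as described on this page, and models
the two decisions the login screen makes: which IdP (if any) to send the
user to, and how to create or update the local account from IdP claims.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Public mail domains are never routed to an IdP (see "Domain uniqueness").
# Illustrative list only; the real set is maintained by the product.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


@dataclass
class Connection:
    name: str                  # display name, e.g. "Sign in with Acme Corp"
    protocol: str              # "saml" or "oidc"
    domains: set[str]          # email domains routed to this connection
    enforce_sso: bool = False  # hide password login for these domains
    jit_provisioning: bool = True


@dataclass
class User:
    email: str
    display_name: str
    groups: list[str] = field(default_factory=list)


class Tenant:
    def __init__(self) -> None:
        self.connections: list[Connection] = []
        self.users: dict[str, User] = {}

    def add_connection(self, conn: Connection) -> None:
        """Register a connection, enforcing one-domain-to-one-connection."""
        for d in conn.domains:
            if d in PUBLIC_DOMAINS:
                raise ValueError(f"public domain {d} cannot be used for SSO routing")
            if self.route(f"probe@{d}") is not None:
                raise ValueError(f"domain {d} is already mapped to another connection")
        self.connections.append(conn)

    def route(self, email: str) -> Optional[Connection]:
        """Home Realm Discovery: pick the connection for the email's domain."""
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in PUBLIC_DOMAINS:
            return None
        for conn in self.connections:
            if domain in conn.domains:
                return conn
        return None

    def login_options(self, email: str) -> dict:
        """What the login screen offers once the user has typed an email."""
        conn = self.route(email)
        if conn is None:
            return {"password": True, "idp": None}
        return {"password": not conn.enforce_sso, "idp": conn.name}

    def jit_provision(self, conn: Connection, claims: dict) -> User:
        """Create or update the local account from IdP claims after login."""
        email = claims["email"].lower()
        domain = email.rsplit("@", 1)[-1]
        # Assumed check: an IdP may only assert emails in the domains mapped to it,
        # so a compromised or misconfigured IdP cannot mint accounts elsewhere.
        if domain not in conn.domains:
            raise PermissionError(f"{conn.name} may not assert {email}")
        user = self.users.get(email)
        if user is None:
            if not conn.jit_provisioning:
                raise PermissionError("unknown user and JIT provisioning is disabled")
            user = User(email=email, display_name=claims.get("name", email))
            self.users[email] = user
        else:
            user.display_name = claims.get("name", user.display_name)
        # Group membership is re-synced from the IdP on every login.
        user.groups = list(claims.get("groups", []))
        return user
```

With `enforce_sso` set, `login_options` hides the password option for that domain only; users whose domain has no connection still see the password field.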
Supported Protocols
| Protocol | Common Providers |
|---|---|
| SAML 2.0 | Microsoft Entra ID, Okta, ADFS, PingFederate, OneLogin |
| OpenID Connect (OIDC) | Okta, Google Workspace, Auth0, Microsoft Entra ID (Azure AD v2.0 endpoint) |
What You Will Be Able to Configure
Connections
You can add one or more IdP connections per tenant. Each connection includes:
- Display name — shown on the login page button (e.g. "Sign in with Acme Corp").
- Protocol — SAML 2.0 or OpenID Connect.
- IdP metadata — entity ID, SSO URL, and signing certificate (SAML), or authority URL and client credentials (OIDC).
- Enforce SSO — when enabled, the password login option is hidden and users must authenticate through the IdP.
- Just-in-Time provisioning — when enabled, new users are created automatically on first login based on the claims provided by the IdP.
Service Provider Metadata
The Metadata tab provides your SP (Service Provider) details to share with your IdP during configuration:
- ACS URL — the endpoint where your IdP posts the SAML assertion after authentication.
- Entity ID — a unique identifier for the TechClass SP.
- Metadata XML — a downloadable XML file you can upload directly to your IdP.
Security Guardrails
- Anti-replay protection — the ID of each accepted SAML assertion is recorded in a store shared by all API instances, and an assertion whose ID has already been seen is rejected. An attacker who captures a valid assertion therefore cannot submit it a second time, even against a different instance.
- Clock skew tolerance — up to 3 minutes of clock drift between your IdP and TechClass servers is allowed to prevent spurious validation failures.
- Domain uniqueness — each email domain can only be mapped to one SSO connection. Public domains (e.g. gmail.com, outlook.com) cannot be used for SSO routing.
- Local-only logout — signing out of TechClass clears only the local TechClass session. It does not trigger a logout from your corporate IdP or other connected applications, so a user who signs in again will typically be re-authenticated by the IdP without re-entering credentials. On shared devices, users should also sign out of the IdP.
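The anti-replay and clock-skew guardrails listed above, as an added example in Python that is not TechClass's implementation. It assumes the assertion's signature has already been verified and that the `ReplayStore` stands in for a store shared by all API instances (a real deployment would back it with a shared database or cache); the assertion XML is a constructed sample, and the audience and issuer checks a full SAML validator also performs are omitted to keep the focus on the two guardrails.

```python
"""Assertion replay and clock-skew checks, illustrated.

Added example (not TechClass code). Models the two guardrails on this page:
a replay store shared by all API instances, and a 3-minute skew allowance
when evaluating the assertion's validity window. Signature verification and
audience/issuer checks are assumed to have happened already.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(minutes=3)  # tolerance stated on this page

# Constructed sample assertion (Signature element omitted; assumed verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.acme.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@acme.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def utc(*args) -> datetime:
    """Convenience constructor for UTC timestamps used in the checks below."""
    return datetime(*args, tzinfo=timezone.utc)


class ReplayStore:
    """IDs of assertions already accepted. One instance stands in for the
    store shared across all API instances."""

    def __init__(self) -> None:
        self._seen: dict = {}

    def record(self, assertion_id: str, expires: datetime) -> bool:
        """Return True if the ID was new and is now recorded, False if seen before."""
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True

    def prune(self, now: datetime) -> None:
        """Forget IDs whose assertion could no longer pass the time check anyway."""
        self._seen = {k: v for k, v in self._seen.items() if v > now}


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, store: ReplayStore, now: datetime) -> str:
    """Return the NameID of a valid assertion; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    conditions = root.find("saml:Conditions", NS)
    if not assertion_id or conditions is None:
        raise ValueError("assertion lacks ID or Conditions")

    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    # Clock skew: widen the validity window by the tolerance on both sides.
    if now < not_before - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if now >= not_on_or_after + CLOCK_SKEW:
        raise ValueError("assertion expired")

    # Anti-replay: the ID must not have been accepted before. The record is
    # kept until the assertion could no longer pass the time check above.
    store.prune(now)
    if not store.record(assertion_id, not_on_or_after + CLOCK_SKEW):
        raise ValueError("assertion replayed")

    return root.find("saml:Subject/saml:NameID", NS).text
```

The time check runs before the replay check on purpose: an expired assertion is rejected without touching the shared store, and the store only ever holds IDs that could still be accepted, which bounds its size to the validity window plus skew.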