Configure Single Sign-On (SAML 2.0)

How-to guide
10 min read | Updated March 26, 2026 | Tags: sso, saml, security, authentication

SkillStream LMS supports SAML 2.0 single sign-on with any compliant identity provider (IdP), including Google Workspace, Microsoft Entra ID (Azure AD), Okta, OneLogin, and PingFederate.

Before You Begin

You need:

  • Admin access to SkillStream LMS.
  • Admin access to your identity provider.
  • Your organization's domain(s) — e.g., acmecorp.com.

Step 1: Start the SSO Setup in SkillStream

  1. Go to Admin → Settings → Security → Single Sign-On.
  2. Click Configure SAML.
  3. Note the values shown — you will enter these into your identity provider:

     SkillStream value                      | Where to use it
     ---------------------------------------+--------------------------------------------------
     ACS URL (Assertion Consumer Service)   | Enter in your IdP as the "Reply URL" or "ACS URL"
     Entity ID                              | Enter in your IdP as the "Audience" or "SP Entity ID"
     NameID format                          | Set to EmailAddress in your IdP

Step 2: Configure Your Identity Provider

Google Workspace

  1. Open the Google Admin console → Apps → Web and mobile apps → Add app → Add custom SAML app.
  2. Enter a name (e.g., "SkillStream LMS") and click Continue.
  3. Copy the SSO URL, Entity ID, and Certificate from Google — you will enter these in Step 3.
  4. In the Service provider details screen, paste the SkillStream ACS URL and Entity ID.
  5. Set the Name ID format to "Email" and Name ID to "Basic information > Primary email".
  6. Click Finish.

Microsoft Entra ID (Azure AD)

  1. Open the Azure portal → Enterprise applications → New application → Create your own application.
  2. Name it "SkillStream LMS", select Integrate any other application (Non-gallery), click Create.
  3. Go to Single sign-on → SAML.
  4. In Basic SAML Configuration, paste the SkillStream Entity ID into "Identifier" and the ACS URL into "Reply URL".
  5. Under SAML Signing Certificate, download the Certificate (Base64).
  6. Copy the Login URL from the "Set up SkillStream LMS" section.

Okta

  1. In Okta Admin, go to Applications → Create App Integration → SAML 2.0.
  2. Name the app "SkillStream LMS" and click Next.
  3. Paste the SkillStream ACS URL into "Single sign-on URL".
  4. Paste the SkillStream Entity ID into "Audience URI (SP Entity ID)".
  5. Set Name ID format to "EmailAddress" and Application username to "Email".
  6. Click Finish. On the Sign On tab, click View SAML setup instructions to get the IdP metadata.

Step 3: Enter Your IdP Details in SkillStream

Back in Admin → Settings → Security → Single Sign-On:

  1. Paste your IdP's SSO URL (Login URL).
  2. Paste your IdP's Entity ID.
  3. Paste the X.509 certificate from your IdP (the full PEM text including -----BEGIN CERTIFICATE-----).
  4. Click Save configuration.

Step 4: Test the Connection

  1. Click Test SSO connection on the configuration page.
  2. A new tab opens and redirects you through your IdP login.
  3. If successful, you see a green confirmation message.
  4. If you see an error, check that all values were copied accurately (no extra spaces or line breaks).

Step 5: Enable SSO for Your Domain

Once the test passes:

  1. Under SSO Enforcement, enter your email domain(s) — e.g., acmecorp.com.
  2. Choose an enforcement mode:
    • Optional — users can log in with email/password or SSO.
    • Required — users on your domain must use SSO; password login is disabled.
  3. Click Save.

Attribute Mapping (Optional)

To automatically populate user profiles from your IdP, map SAML attributes:

SkillStream field | Common SAML attribute name
------------------+---------------------------
First name        | firstName or givenName
Last name         | lastName or sn
Department        | department
Job title         | jobTitle or title

Go to Admin → Settings → Security → SSO → Attribute mapping to configure these.

Troubleshooting

Error: "SAML response signature is invalid"
The certificate in SkillStream does not match your IdP's signing certificate. Re-download the certificate from your IdP and paste it again.

Error: "User not found"
The email address in the SAML assertion does not match any user in SkillStream. Ensure your IdP sends the user's email as the NameID and that the user has been invited to SkillStream.

Error: "Audience restriction mismatch"
The Entity ID in your IdP does not match the Entity ID shown in SkillStream. Update the "Audience URI" in your IdP to match exactly.
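
The three errors above can be narrowed down offline by comparing a decoded SAML response from a test login against the values configured in SkillStream. The script below is an added example, not SkillStream code: the Entity ID, ACS URL, certificate bytes and sample response are constructed placeholders, and it compares fields only, without verifying the XML signature.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def cert_fingerprint(pem_or_b64):
    """SHA-256 of the certificate bytes, ignoring PEM armor and stray whitespace."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", pem_or_b64)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def diagnose(response_xml, sp_entity_id, acs_url, idp_cert_pem, domains):
    """Compare a decoded SAML response with the configured values.
    Returns a list of findings; does NOT verify the XML signature itself."""
    root = ET.fromstring(response_xml)  # only parse responses from your own test login
    findings = []
    audience = root.findtext(".//a:Audience", default="", namespaces=NS)
    if audience != sp_entity_id:  # exact match, so a trailing space counts
        findings.append("audience")
    if root.get("Destination") != acs_url:
        findings.append("destination")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("nameid-format")
    elif (name_id.text or "").strip().rpartition("@")[2].lower() not in domains:
        findings.append("nameid-domain")
    cert = root.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    if not cert or cert_fingerprint(cert) != cert_fingerprint(idp_cert_pem):
        findings.append("certificate")
    return findings

# Constructed sample data (placeholders, not real SkillStream or IdP values).
SP_ENTITY_ID = "https://lms.example.com/saml/metadata"
ACS_URL = "https://lms.example.com/saml/acs"
B64 = base64.b64encode(b"constructed bytes standing in for a DER certificate").decode()
PEM = f"-----BEGIN CERTIFICATE-----\n{B64[:24]}\n{B64[24:]} \n-----END CERTIFICATE-----\n"

def sample_response(audience=SP_ENTITY_ID, cert=B64, email="pat@acmecorp.com"):
    return (f'<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}" Destination="{ACS_URL}">'
            f'<a:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            f'<a:Subject><a:NameID Format="{EMAIL_FORMAT}">{email}</a:NameID></a:Subject>'
            f'<a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
            f'</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>')

if __name__ == "__main__":
    print(diagnose(sample_response(), SP_ENTITY_ID, ACS_URL, PEM, {"acmecorp.com"}))
```

A "certificate" finding corresponds to the signature error, "audience" to the audience restriction error, and the NameID findings to "User not found".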