LEAST acts as a SAML 2.0 Service Provider (SP). Your Identity Provider (IdP) authenticates users and sends a signed assertion to LEAST. LEAST provisions or matches the user account and starts a session.
For admin-facing configuration (entering IdP settings in the UI), see SSO Configuration.
| Endpoint | URL | Method | Purpose |
|---|---|---|---|
| SP Metadata | /sso/metadata.php | GET | Machine-readable SP metadata (XML) — give this to your IdP |
| Login Initiator | /sso/login.php | GET | Redirects the user to the IdP's SSO URL |
| ACS (Assertion Consumer Service) | /sso/acs.php | POST | Receives the SAML Response from the IdP |
Login flow: the user's browser is sent to https://wherewelearn.com/sso/login.php, which redirects to the IdP; the IdP then returns the browser to the ACS (https://wherewelearn.com/sso/acs.php) with a SAMLResponse.

Retrieve the SP metadata for your IdP registration:

```
GET https://wherewelearn.com/sso/metadata.php
```

Returns an XML document containing:

- Entity ID: https://wherewelearn.com/sso/metadata.php
- ACS URL: https://wherewelearn.com/sso/acs.php
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

LEAST expects the NameID to be the user's email address. Configure your IdP to send:

```xml
<NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
```
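To make the login-initiator step concrete, the following added example (not LEAST's own code) builds a SAML 2.0 AuthnRequest that carries the NameIDPolicy shown above, encodes it with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and decodes such a URL again so you can inspect what an IdP receives. The SP Entity ID and ACS URL are the values from this page; the IdP SSO URL, the request ID format and the use of the HTTP-POST binding for the response are assumptions.

```python
"""Build a SAML 2.0 AuthnRequest and the HTTP-Redirect URL a login initiator
sends the browser to.  Example code, not LEAST's implementation."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_ENTITY_ID = "https://wherewelearn.com/sso/metadata.php"   # from the SP metadata
SP_ACS_URL = "https://wherewelearn.com/sso/acs.php"          # from the SP metadata
IDP_SSO_URL = "https://idp.example.org/sso"  # assumption: your IdP's SSO URL


def build_authn_request(request_id=None, issue_instant=None):
    """Return (request_id, xml) for an AuthnRequest that asks the IdP for an
    email-address NameID, matching the NameIDPolicy LEAST expects."""
    request_id = request_id or "_" + uuid.uuid4().hex  # SAML IDs must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": NAMEID_EMAIL, "AllowCreate": "true"})
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_url(xml_string, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    raw = comp.compress(xml_string.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url):
    """Inverse of redirect_url: recover the AuthnRequest and the fields an IdP
    admin checks when registering the SP."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode())
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "relay_state": qs.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    rid, xml = build_authn_request()
    url = redirect_url(xml, relay_state="/")
    print(url)
    print(decode_redirect(url))
```

The request ID should be stored in the user's session so the ACS can check the InResponseTo of the returned SAMLResponse against it; the IdP SSO URL itself comes from the IdP's metadata and is the value entered in the admin SSO config.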
LEAST reads from the SAML assertion:
| Attribute | Required | Notes |
|---|---|---|
| Email (or NameID) | Yes | Used for account matching / provisioning |
| givenName | No | First name — used for JIT account creation |
| sn or surname | No | Last name — used for JIT account creation |
LEAST verifies the SAML Response signature using the IdP certificate stored in the admin SSO config. Unsigned or incorrectly signed assertions are rejected.
| Symptom | Likely cause |
|---|---|
| “Issuer not found” | Entity ID in the assertion does not match the stored IdP Entity ID |
| “Signature invalid” | Certificate mismatch — re-download and re-enter the IdP certificate |
| “NameID missing” | IdP not sending email in the NameID — check IdP attribute release policy |
| Redirect loop | ACS URL is returning a new AuthnRequest — check session cookie settings |
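The following added example (not LEAST's implementation) walks a SAML Response through the checks behind the attribute table and the first three troubleshooting symptoms: issuer match, presence of a signature whose embedded certificate equals the stored IdP certificate, an email-format NameID (or an email attribute), and the givenName / sn-or-surname attributes used for JIT provisioning. The sample Response, IdP Entity ID and certificate string are constructed. The XML-DSig signature is not cryptographically verified here; in a real ACS an XML-DSig library must verify it before any value below is trusted, and that step is assumed to run first.

```python
"""Structural checks an SP applies to a SAML Response before provisioning a
user, mapped to the troubleshooting symptoms.  Example code, not LEAST's own.
The XML-DSig itself is NOT verified; a real ACS must do that with an XML-DSig
library first (assumption)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


class SamlError(Exception):
    """Raised with one of the symptom strings from the troubleshooting table."""


def _norm_cert(pem_or_b64):
    """Drop PEM armour and whitespace so two copies of one certificate compare equal."""
    lines = [ln.strip() for ln in pem_or_b64.strip().splitlines() if not ln.startswith("-----")]
    return "".join(lines)


def consume_response(xml_string, expected_issuer, stored_idp_cert):
    """Return the provisioning fields for a Response that passes every check."""
    root = ET.fromstring(xml_string)
    # Issuer may appear on the Response and on the Assertion; every copy must match.
    issuers = {e.text.strip() for e in root.iter(f"{{{NS['saml']}}}Issuer") if e.text}
    if not issuers or issuers != {expected_issuer}:
        raise SamlError("Issuer not found")
    sigs = list(root.iter(f"{{{NS['ds']}}}Signature"))
    if not sigs:
        raise SamlError("Signature invalid")  # unsigned responses are rejected
    for sig in sigs:
        cert = sig.findtext(".//ds:X509Certificate", namespaces=NS)
        if cert is None or _norm_cert(cert) != _norm_cert(stored_idp_cert):
            raise SamlError("Signature invalid")  # certificate mismatch
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("NameID missing")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            attrs[attr.get("Name")] = values[0].strip()
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    email = None
    if nameid is not None and nameid.text and nameid.get("Format") == NAMEID_EMAIL:
        email = nameid.text.strip()
    elif "email" in attrs:  # "Email (or NameID)" in the attribute table
        email = attrs["email"]
    if not email:
        raise SamlError("NameID missing")
    return {
        "email": email.lower(),
        "given_name": attrs.get("givenName"),
        "surname": attrs.get("sn") or attrs.get("surname"),
    }


def strip_signatures(xml_string):
    """Remove every ds:Signature so the unsigned-response path can be exercised."""
    root = ET.fromstring(xml_string)
    for parent in list(root.iter()):
        for sig in parent.findall("ds:Signature", NS):
            parent.remove(sig)
    return ET.tostring(root, encoding="unicode")


# Constructed sample values: not a real certificate, not a real IdP.
SAMPLE_IDP = "https://idp.example.org/metadata"
SAMPLE_CERT = "MIICCONSTRUCTEDCERTIFICATEPLACEHOLDER=="
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0"
    Destination="https://wherewelearn.com/sso/acs.php">
  <saml:Issuer>{SAMPLE_IDP}</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{SAMPLE_IDP}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">Alice@Example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(consume_response(SAMPLE_RESPONSE, SAMPLE_IDP, SAMPLE_CERT))
```

Each SamlError message is one symptom from the table, so feeding a captured Response (after real signature verification) through this routine tells you which admin setting to look at: a wrong stored Entity ID gives "Issuer not found", a stale certificate gives "Signature invalid", and an IdP releasing a non-email NameID with no email attribute gives "NameID missing".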