SSO Configuration
Overview
LEAST supports SAML 2.0 single sign-on, allowing users to log in with their organisation's identity provider (Microsoft Azure AD, Okta, Google Workspace, ADFS, etc.).
For the developer/technical SAML integration reference, see SSO / SAML 2.0 (Developer).
Configuring SSO
- Navigate to Admin → SSO Configuration (admin/sso-config.php)
- Enter the following from your Identity Provider:
| Field | Where to get it |
|---|---|
| IdP Entity ID | Your IdP's metadata XML — entityID attribute |
| IdP SSO URL | Your IdP's SingleSignOnService URL |
| IdP Certificate | Your IdP's X.509 signing certificate (PEM format) |
- Copy the following Service Provider values to your IdP:
| Value | What to enter in your IdP |
|---|---|
| SP Entity ID (Issuer) | https://wherewelearn.com/sso/metadata.php |
| ACS URL (Reply URL) | https://wherewelearn.com/sso/acs.php |
| SP Metadata URL | https://wherewelearn.com/sso/metadata.php |
- Click Test Connection — LEAST will attempt a test authentication and report success or failure
SAML Attribute Mapping
LEAST reads these SAML attributes from the assertion:
| SAML Attribute | Used for |
|---|---|
| email or NameID | User identification and account matching |
| givenName | First name (for JIT provisioning) |
| sn or surname | Last name (for JIT provisioning) |
Attribute names vary by IdP — most provide a mapping screen.
JIT User Provisioning
On first SSO login:
- LEAST checks for a matching email address
- Match found: existing account is linked to SSO
- No match: a new Level 1 account is created automatically
Test the SSO Login
- After configuration, give users the direct SSO login URL: https://wherewelearn.com/sso/login.php
- This redirects to the IdP login page and back to LEAST on success
- New users are provisioned silently on first login