Single Sign-On (SSO)

LearnHouse supports enterprise Single Sign-On, allowing organizations to authenticate users through their existing identity provider. This means users can log in with their company credentials without creating a separate LearnHouse account.

SSO requires an Enterprise plan.

Supported Providers

Provider	Status	Description
WorkOS	Available	Enterprise SSO with SAML and OIDC support, includes admin portal
Custom OIDC	Available	Connect any OpenID Connect provider (Azure AD, Okta, Google Workspace, Keycloak, etc.)

The Custom OIDC provider lets you connect to virtually any modern identity provider that supports OpenID Connect, including Okta, Azure AD / Microsoft Entra ID, Google Workspace, and Keycloak.

How SSO Works

An admin configures SSO in the organization settings, selecting a provider and entering the required credentials.
When a user visits the login page, they see an SSO login option if SSO is enabled for that organization.
Clicking the SSO button redirects the user to the identity provider’s login page.
After authenticating with the IdP, the user is redirected back to LearnHouse with an active session.

User Provisioning

When a user logs in via SSO for the first time, LearnHouse automatically creates their account using profile data from the identity provider:

First name, last name, and email are mapped from the IdP.
Avatar is imported if available.
Default role is assigned based on the SSO configuration (e.g., all new SSO users get the Student role).

Existing users whose email matches are linked automatically — no duplicate accounts are created.

Configuration Options

Option	Description
Provider	Which identity provider to use (WorkOS or Custom OIDC).
Email domain	Restrict SSO to specific email domains.
Auto-provisioning	Automatically create accounts for new SSO users.
Default role	Role assigned to newly provisioned users.
Admin portal	WorkOS offers an admin portal for managing the IdP connection directly.

Last edited on Mar 14, 2026

PreviousSCORM NextCustom OIDC