Setting up SAML Single Sign-On (SSO) for ELSA School

Created by Matthew, Modified on Tue, 12 May at 8:37 AM by Matthew

This guide outlines how to configure your Identity Provider (e.g., Microsoft Entra ID, Google Workspace) to enable Single Sign-On (SSO) for your users in ELSA. There are 5 key steps to complete setup.

Before You Begin

Please provide your ELSA representative with the following before setup starts:

Data	Required?
Learner & admin email addresses	✅ Must have — used as the unique ID in ELSA
First names	✅ Must have
Last names	✅ Must have
Organization email domain (e.g. `@companyname.com`)	✅ Must have

Step 1: Service Provider Details (What We Provide)

Contact your ELSA representative to receive your SSO credentials. Then create a new SAML Application in your Identity Provider using these credentials.

Field	Value
ACS URL	`https://auth.workos.com/sso/saml/acs/{SP_ENTITY_ID}`
SP Entity ID	`{SP_ENTITY_ID}`
Start URL (Google Workspace) / Relay State (Microsoft Entra ID)	Provided by your ELSA representative — required to ensure users land on the correct product after login

Step 2: Configuration & Mapping (What You Do)

Configure attribute mapping in your IdP SAML app. Three attributes must be mapped correctly. If any are missing or incorrect, users will not be able to log in.

Required Data	Attribute Name to Send
Email Address	`email` OR `http://.../emailaddress`
First Name	`firstName` OR `http://.../givenname`
Last Name	`lastName` OR `http://.../surname`

Step 3: Final Exchange (What You Send Back)

Export the Metadata XML file from your IdP (found under "Sign On", "App Federation Metadata", or "IDP Metadata") and send it to your ELSA representative.

Step 4: Testing

Once ELSA activates SSO, test with a few admin and learner accounts:

Verify login works
Verify name and email appear correctly in the dashboard

Step 5: Go Live

All learners and admins can now log in via SSO.

Adding New Learners After Setup

Issue the new learner an organization email in your IdP (Google Workspace / Entra ID)
Notify your ELSA representative of the new learner's email
ELSA will send an invitation — the learner then logs in via SSO and their account is created automatically

⚠️ The invitation from ELSA must be sent before the learner attempts to log in. Without it, the login will be rejected.

Offboarding

To revoke a learner's access, remove them from the ELSA SAML app in your IdP (Google Workspace / Entra ID).

⚠️ Revoking access prevents future logins but does not automatically delete data from ELSA. Contact your ELSA representative to request data deletion.

FAQ

Question	Answer
Will learning data carry over when we switch to SSO?	✅ Yes — as long as the learner uses the same email, their account, history, and progress are all preserved.
What if the email in our roster doesn't match our IdP email?	❌ A duplicate account will be created and prior learning data will be inaccessible. Please ensure roster emails exactly match your Google Workspace / Entra ID emails (emails are stored in lowercase).
Are Google Workspace and Microsoft Entra ID both supported?	✅ Yes. The setup process is identical for both.
Do learners need to do anything differently after SSO is enabled?	No. They click "Sign in with SSO" instead of entering email/password. All existing history and progress are still there.
What if a learner can't log in?	Check: (1) Has ELSA sent an invitation to that email? (2) Does the IdP email exactly match the email registered in ELSA? (3) Is the SAML attribute mapping correct (email, firstName, lastName)? If unresolved, contact your ELSA representative.
Is SSO the same as "Sign in with Google"?	No. SSO (SAML) is more secure — your IT team controls exactly who can access ELSA, can revoke access at any time, and enforces your own security policies (e.g. MFA).
Can admins use SSO too, or just learners?	✅ Both. SSO applies to the entire organization.
What if we don't have Google Workspace or Microsoft Entra ID?	SSO requires a SAML-compatible IdP. Please contact your ELSA representative to discuss alternatives.