Single Sign-On with Coursepath
Coursepath supports the following open Internet standards for Single Sign-On (SSO): OpenID Connect, SAML and JSON Web Token.
OpenID Connect
OpenID Connect is the preferred way to connect your Identity Provider (such as Active Directory) with Coursepath. Please contact us to enable it. We will ask for the following:
- OpenID provider discovery document URL
- Client ID
- Client secret
- Scope (optional, by default we use
SAML
We support SAML when OpenID Connect is not available at your end. Please contact us to enable it. We need the following from you:
- Identity Provider Metadata URL
We will provide you with our:
- Service Provider Entity ID
- Client Redirect URI
JSON Web Token
Using JSON Web Token (JWT) for SSO is an excellent option if your organization does not yet have a central Identity Provider, or when you want to give your users a seamless flow from your app to Coursepath. It will require some coding at your end, but this is usually not a lot of work.
This is the authentication process:
- Your user is browsing your company's intranet or website (for example, https://intranet.mycompany.com).
- A script on your side authenticates the user using your proprietary login process.
- Your script builds a JWT token that contains the relevant user data.
- You redirect the user to your Coursepath domain (for example https://mycompany.coursepath.com) with the JWT token as a query string parameter.
- Coursepath parses the user details from the JWT token and then grants the user a session.
As you can see, this process relies on browser redirects and passing signed messages using JWT. The redirects happen entirely in the browser and there is no direct connection between Coursepath and your systems, so you can keep your authentication scripts safely behind your corporate firewall.
How to implement your JWT SSO script
Authenticate the user
Make sure the user is authenticated at your end. Obtain the authenticated user's email address. This is what Coursepath needs to uniquely identify your user.
Create the JWT token
Generate the JWT for your authenticated user. See our JWT page for instructions.
The JWT token can be used only once, and is valid for only a couple of minutes. Generate the JWT token immediately before you redirect the user.
Redirect the user
Now build the URL to which you will send your authenticated user, according to this template:
token parameter is required. This is the signed JWT token containing the user's email address so we can grant the session.
locale parameter is optional. See our Formats page for supported languages.
next parameter is optional. This is the path of the page where the user must land. For a particular course, use the path
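The three steps above in one place, as an added example that is not Coursepath's own code: it signs a short-lived, single-use token for an already authenticated user and builds the redirect URL with the token, locale and next parameters. The HS256 algorithm, the claim names (email, iat, exp, jti), the 120-second lifetime and the SSO_PATH placeholder are assumptions; take the real values from the JWT page and the URL template.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Assumptions, not Coursepath's specification: HS256 signing, the claim names
# used below, and SSO_PATH, which is a placeholder for the real template path.
SSO_PATH = "/SSO-PATH-PLACEHOLDER"
TOKEN_LIFETIME_SECONDS = 120  # "valid for only a couple of minutes"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_token(email: str, secret: bytes, now: Optional[int] = None) -> str:
    """Sign a token for a user your own login process has already authenticated."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "email": email,  # the identifier Coursepath uses for the user
        "iat": now,
        "exp": now + TOKEN_LIFETIME_SECONDS,
        "jti": secrets.token_urlsafe(16),  # unique ID, so a token is accepted once
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def build_redirect_url(base: str, token: str, locale: Optional[str] = None,
                       next_path: Optional[str] = None) -> str:
    """Build the redirect URL; call this immediately after build_token()."""
    params = {"token": token}
    if locale:
        params["locale"] = locale
    if next_path:
        # Accept only a local path, never an absolute or scheme-relative URL.
        if not next_path.startswith("/") or next_path.startswith("//") or "\\" in next_path:
            raise ValueError("next must be a path on the Coursepath domain")
        params["next"] = next_path
    return f"{base.rstrip('/')}{SSO_PATH}?{urlencode(params)}"
```

Because the token travels in the query string, it can end up in browser history and proxy logs, which is why the short lifetime and single use matter; keep the signing secret on the server side only.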