Organization Users

Single Sign-On (SSO)

Published 2026/07/09

Single Sign-On (SSO) lets your organization authenticate users through your own identity provider (IdP) instead of requiring separate TestInvite passwords. TestInvite supports SSO via the SAML 2.0 protocol.

Unique email enforcement must be active before SSO can be enabled.

SAML Configuration

  • Domains — the email domains that trigger SSO authentication (e.g. acme.com).
  • EnforcementOptional: users can choose SSO or password login. Required: SSO is the only allowed sign-in method for matching domains.
  • IdP Entity ID — the unique identifier for your identity provider.
  • IdP SSO URL — the URL TestInvite redirects users to for authentication.
  • IdP Certificate — the X.509 certificate used to verify SAML responses.

Just-In-Time (JIT) Provisioning

With JIT provisioning enabled, users who successfully authenticate via SSO are automatically created in the user repository if they don't already exist. You can configure the default user type (learner or teammate), role assignments, folder, and group for provisioned users.

Go back