Single Sign-on (SSO) allows you to authenticate your learners with your own systems without making them enter additional Reach 360 login credentials. So if a learner is already authenticated by your identity provider (IDP), they're authenticated in Reach 360 as well.

Only Reach 360 account owners can enable or disable SSO from the in-app interface.

1. Get IDP Information 
2. Enable SSO in Reach 360
3. Add Reach 360 Information to Your IDP
4. Add Required Attributes for Learners
5. Disable SSO

Step 1: Get IDP Information

We need to know about your IDP and they need to know about us. To enable SSO, you'll need to enter information about your provider in Reach 360 and, in turn, we'll give you what you need to enter into your IDP account.

You'll need three things:

1. IDP SSO URL
2. IDP issuer URI
3. IDP signature certificate  

These should all be available/configurable in your IDP account.

Step 2: Enable SSO in Reach 360

The option to configure SSO is available to owners only. If you aren't sure what you need to enter for any given step, click Learn more for additional details.  

1. In Reach 360, select the Manage tab and click Settings.
2. Under Single Sign-On (SSO) Authentication, click Configure SSO. 
3. On the Configure Single Sign-On (SSO) Authentication page, in the IDP SSO URL field, enter the IDP SSO URL you obtained in step 1. This is the address where your learners log in.
4. Enter the IDP entity ID for your SSO in the IDP Issuer URI field. 
5. Open the IDP signature certificate you downloaded in step 1. Copy and paste the entire X.509 certificate in the space provided. 
6. Select how the SAML response from your IDP is signed. You must choose either Response or Assertion.
7. Select whether you’d like to sign SAML Authentication requests and if you’ll be using SCIM to automatically provision learners and groups.
8. Once you’ve double-checked your entries, click Save & Continue. 

Step 3: Add Reach 360 Information to Your IDP

Once you enter the information in the previous step, we'll have everything we need to generate the certificates and tokens for your IDP account. 

After clicking Save & Continue, you'll notice that the SSO page is slightly different. These items are what you need to connect your SSO solution to Reach 360: 

• Assertion Consumer Service (ACS) URL
• Audience URL
• Signing Certificate

If you selected the option to use SCIM in Step 2, you’ll also receive:

• SCIM URL
• SCIM Auth Token

Add these values to the appropriate place on your IDP's configuration page. Make sure to configure your IDP with the required SCIM attributes seen below. Once you're finished with this information, click Done. 

Once configured, you can view your SSO settings at any time by clicking Configure SSO from the Developer Settings tab. If you have SCIM enabled, you can generate a new SCIM token by clicking the button in the SCIM URL section. This invalidates your current token and issues a new one that you'll need to provide to your IDP.

Note: If you have issues adding this information to your IDP account, please contact their support team. 

If you have enabled SCIM in Step 2, these will be required attributes for creating learners:

• name.givenName = first name
• name.familyName = last name
• userName = email address
• externalId = any unique id from your IdP

You can also send optional attributes:

• avatar = replaces learner-defined profile photo (must be passed as a URL and is to be sent as an attribute that is part of the urn:scim:schemas:extension:metadata:2.0:User schema)

Step 4: Add Required Attributes for Learners

For a learner to be created in Reach 360, their record in your IDP must contain the following attributes:

• firstName = first name
• lastName = last name
• email = email address
• subjectNameId or Unique Learner Identifier = the object's externalId or guid (must must be permanently immutable, unique, and shouldn't expose any internal details such as email, name, etc.)

You can also send these optional attributes:

• avatar = replaces learner-defined profile photo (must be passed as a URL)
• groups = a list of groups the learner is assigned to in the IdP that you’d like synced over to Reach 360.

Click for more information on managing learners and groups when SSO is enabled.

Step 5: Disable SSO 

Turning off SSO is quick and easy. Just keep in mind that, when you do disable SSO, you'll need to repeat the entire process outlined in steps 1-3 if you want to turn it back on. 

1. On the Manage tab, click Settings.
2. On the Account tab, in the SAML Configuration Settings section, click Disable SSO.
3. Click Turn Off to confirm you want to disable SSO.

An email is sent to your SSO-linked team members, letting them know SSO has been disabled. To re-enable their login, they must click the Set Password button in that email.