Skip to main content

Single sign-on (SSO)

Single sign-on (SSO) allows your staff to log into ClassLark using their school credentials through your identity provider (IdP), such as Azure AD, Google Workspace, or any identity provider that supports SAML 2.0.

Once set up, staff can either:

  • log in using the "Sign in with SSO" option on the login page and entering their email address.
  • use a dedicated URL for your school that sends them directly to your identity provider.

After they sign into your identity provider, they'll be sent back to ClassLark. Depending on your preferred configuration, staff who don't already have a ClassLark account will be created one.

Before you begin

  • Single sign-on provisioning is a technical process that will involve your IT staff. It's a good idea for them to read this page as well.
  • Your staff must be added to your ClassLark account before they can use single sign-on.
  • Single sign-on can be enforced so that staff will always sign in with your identity provider, rather than through ClassLark.
    • This option can be enabled once the integration process has been completed and confirmed working.

Setting up single sign-on

info

We strongly recommend having your IT professional provide this information.

To set up single sign-on, please contact our support team with the following information:

  • Your chosen identity provider (Azure AD, Google Workspaces, etc)
  • Your SAML metadata XML file or URL

On your end, you'll need the following information:

  • Entity ID: urn:amazon:cognito:sp:ap-southeast-2_5TfXufoHz
  • Reply URL: https://classlark-prod.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
  • Your SAML integration will need to send the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim with the email address belonging to the user.

We'll then be in touch once we've validated the information provided and have started the integration process.

You'll be able to test the single sign-on process is working correctly before enabling options to enforce its usage amongst your staff.

Automated user provisioning with SCIM

Once single sign-on is configured, you can optionally enable SCIM (System for Cross-domain Identity Management) to automatically sync staff accounts from your identity provider to ClassLark. This eliminates the need to manually add, update, or remove staff accounts.

Recommended for larger schools

If you have more than 20 staff members or frequently onboard/offboard staff, SCIM can significantly reduce administrative overhead.

See the SCIM provisioning documentation for setup instructions.

Need a hand?

If you're unsure that you'll be able to set up single sign-on for your school, please feel free to reach out to our support team and we'll do our best to help.

We cannot guarantee that all identity providers will be supported or we'll be able to provide specific integration instructions depending on your user management processes.

Applies to

  • Staff
  • Event Managers
  • Finance Managers
  • Administrators