How to Set Up Single Sign On SSO in Skilljar for Enterprise Clients

If you’re wrangling enterprise training and need to hook up Single Sign-On (SSO) in Skilljar, this is for you. You want your users to hit “login,” get bounced to your identity provider, and land back in Skilljar with zero fuss. But SSO setups can spiral into a mess of acronyms and finger-pointing if you’re not careful. This guide walks you through the real steps—no fluff, no skipped details.

Ready? Here’s how to actually get SSO working in Skilljar for enterprise clients, without losing your mind.

What You Need Before You Start

To avoid a bunch of back-and-forth, make sure you’ve got these ducks in a row:

  • Skilljar Admin Access: You need to be an org admin, not just a course author.
  • Enterprise Plan: SSO is only available on certain Skilljar plans. If you’re not sure, check with your Skilljar rep.
  • An Identity Provider (IdP): Think Okta, Azure AD, OneLogin, or ADFS. If you don’t know what this is, talk to your IT team.
  • A Test User Account: You’ll want a dummy account to test with before you roll out to the masses.
  • A Backup Login Option: Seriously—make sure you or someone else can still log in with a regular Skilljar account in case SSO breaks.

Pro tip: Loop in your IT/security team early. They'll need to help with the IdP setup, and they’re usually picky about SSO details.

Step 1: Decide How You Want SSO to Work

Not all SSO setups are created equal. Skilljar supports SAML 2.0, and you have a few choices:

  • IdP-Initiated SSO: Users log in from your company portal and get pushed into Skilljar.
  • SP-Initiated SSO: Users start at the Skilljar login page and get bounced to your IdP.

Both work, but SP-initiated is what most people expect (“go to the training site, log in”). If you want to force users through your IdP, set up IdP-initiated too.

Step 2: Gather Your SAML Info

You’ll need to swap details between Skilljar and your IdP. Here’s what to collect:

From Your IdP (ask IT): - SAML SSO URL (aka IdP Endpoint): Where Skilljar sends users to authenticate. - IdP Entity ID: The unique name of your IdP. - X.509 Certificate: The public key Skilljar uses to verify SAML responses.

From Skilljar (to give to IT): - Skilljar ACS (Assertion Consumer Service) URL: Where your IdP sends its SAML assertion. - Skilljar Entity ID: The name Skilljar uses in SAML requests.

You’ll find Skilljar’s SSO settings under Organization Settings > Authentication in the dashboard. There’s a section called “Single Sign-On (SSO)”—that’s the spot.

Step 3: Configure SSO in Skilljar

Here’s where the rubber meets the road.

  1. Log in to Skilljar as an Org Admin.
  2. Go to Dashboard > Organization Settings > Authentication.
  3. Find the Single Sign-On (SSO) section and click Edit.
  4. Enter your IdP SAML SSO URL, Entity ID, and upload the X.509 Certificate.
  5. Choose SAML 2.0 as the protocol.
  6. Set your preferred SSO login behavior:
  7. SSO Required: Forces everyone to use SSO. Use this for true enterprise lockdown.
  8. SSO Optional: Users can choose regular login or SSO. Good for testing or mixed environments.
  9. Map the required SAML attributes:
  10. email (required)
  11. first_name (optional, but nice)
  12. last_name (optional)

Your IdP needs to send these attributes. If it doesn’t, user provisioning will break.

  1. Hit Save.

What to watch for: Skilljar’s SSO setup screens are pretty barebones. If you mess up the certificate or SAML URL, you’ll just get a generic error. Double-check every field.

Step 4: Configure Your Identity Provider

This is where you’ll need your IT team (unless you’re both admin and IT—my condolences).

Here’s what your IdP will need: - ACS URL: Paste in the Skilljar ACS URL from the dashboard. - Entity ID: Use the Skilljar Entity ID. - NameID Format: Usually emailAddress. This tells Skilljar who the user is. - Attribute Statements: Map your user fields: - email → user's email - first_name → user's first name - last_name → user's last name

  • Sign SAML Responses: Make sure your IdP is set to sign responses (not just assertions). Skilljar won’t accept unsigned responses.

Specifics for major IdPs: - Okta: Use the “SAML 2.0” template. Paste in ACS & Entity ID. Set NameID to Email. - Azure AD: Create an enterprise application. Under SAML settings, use the URLs/Entity ID from Skilljar. Map attributes in “User Attributes & Claims.” - OneLogin: Similar process. Watch out for default mappings; double-check that email is mapped.

Don’t overcomplicate: Most of the time, you don’t need advanced SAML features—just basic authentication and a few attributes.

Step 5: Test Your SSO Setup

You’re not done until you’ve tested with a non-admin, non-special user. Here’s how:

  1. Open an Incognito/Private window. Don’t use your admin session—cache and cookies matter.
  2. Go to your Skilljar site and click Login.
  3. Try both SP-initiated (start at Skilljar) and IdP-initiated (start at your company portal) flows.
  4. Log in with your test account.
  5. Confirm:
  6. You’re redirected to your IdP’s login page.
  7. After logging in, you land back in Skilljar, fully authenticated.
  8. User profile info (email, first/last name) shows up correctly.
  9. You’re assigned to the right courses (if you have group-based access).

If it fails: The most common issues are: - Wrong ACS URL or Entity ID (double-check for typos) - Certificate mismatch (expired or wrong cert) - Missing required attributes (email is a must) - NameID format not set to email - Clock skew (IdP and Skilljar servers have very different times)

Skilljar’s error messages are vague—use SAML-tracer browser plugin or your IdP’s logs for real details.

Step 6: Roll Out to Users (Without Breaking Stuff)

Before you flip the switch for everyone, a few sanity checks:

  • Keep admin logins: Make sure at least one admin can still log in with username/password (not SSO), especially if SSO goes down.
  • Communications: Warn your users about the change, ideally with a walkthrough or screenshots.
  • Phased rollout: If possible, start with a small group before opening the floodgates.
  • Monitor usage: Watch for spikes in login failures or user complaints.

What to skip: Don’t bother with deep customization or advanced SAML features unless you have a real business reason. The simpler your setup, the fewer ways it can break.

Pro Tips and Gotchas

  • Skilljar support is human, but slow: If you get stuck, file a ticket, but don’t expect instant help. Be detailed in your ticket—paste SAML errors and your config.
  • Attribute mapping is picky: Skilljar expects the exact attribute names; email is not the same as Email.
  • Certificates expire: Set a calendar reminder to update your SAML cert before it expires, or you’ll be locked out.
  • Multiple domains: If you use multiple Skilljar domains (e.g., for different brands), you’ll need to set up SSO for each one.
  • User provisioning: Skilljar won’t automatically create users unless your SAML assertion includes all required attributes.

Wrapping Up

Getting SSO running in Skilljar isn’t rocket science, but it’s easy to trip over tiny details. Stick to the basics, double-check every field, and keep a backup login handy. Don’t waste hours on fancy SAML settings unless you know you need them. Set it up, test it carefully, and add complexity later if you actually need it. Simple is better—especially when SSO is involved.