
Single Sign-On (SSO)

Enable seamless authentication by connecting your identity provider to Thought Industries using SAML 2.0, OpenID Connect, or JWT-based SSO.

Supported Protocols

SAML 2.0

Industry-standard XML-based protocol for exchanging authentication data between an IdP and service provider.

OpenID Connect

Modern OAuth 2.0-based protocol providing identity verification and basic profile information.

JWT

Lightweight token-based authentication for programmatic and embedded SSO flows.

SSO Endpoints

SAML 2.0

https://your-instance.thoughtindustries.com/access/saml/login/:client?

The :client parameter is optional — use it for multi-tenant setups.

OpenID Connect

https://your-instance.thoughtindustries.com/access/openId/login/:client?

Add ?returnTo=/path to redirect users after authentication.

JWT

https://your-instance.thoughtindustries.com/access/jwt?jwt=<signed-token>

Pass a signed JWT containing user identity and attributes.

⚠ Security: avoid leaking JWTs via URL

The ?jwt= query parameter is convenient, but query strings are commonly written to browser history, server access logs, proxies, referer headers, and analytics tools. Treat JWTs in URLs as short-lived, single-use tokens:

  • Set a short expiration (exp claim) — minutes, not hours.
  • Use one-time jti claims and reject replays server-side.
  • Prefer POSTing the JWT to the SSO endpoint when your IdP supports it.
  • Strip Referer headers on landing pages and avoid logging full URLs.

For long-lived sessions, exchange the JWT for a session cookie immediately after sign-in.

JWT Payload Example

{
  "email": "[email protected]",
  "firstName": "Jane",
  "lastName": "Doe",
  "externalCustomerId": "cust_12345",
  "role": "learner",
  "returnTo": "/learn/dashboard"
}
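An added example (not Thought Industries code) of the short `exp` and one-time `jti` handling recommended in the security note, for a payload like the one above. HS256 with a shared secret, the `mint` and `verify_once` names, and the in-memory `jti` store are assumptions for illustration; the page does not state the signing algorithm.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret, not a real key
_seen_jti = {}  # jti -> exp; in-memory stand-in for a store shared by all servers

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def mint(claims, ttl=120, now=None):
    """Sign claims with a short exp (minutes, not hours) and a random one-time jti."""
    now = int(time.time() if now is None else now)
    body = dict(claims, iat=now, exp=now + ttl, jti=secrets.token_urlsafe(16))
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + _b64(json.dumps(body).encode())
    return signing_input + "." + _b64(_sign(signing_input))

def verify_once(token, now=None):
    """Return the claims, or raise ValueError for a bad, expired or replayed token."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
            raise ValueError("bad signature")
        if json.loads(_unb64(head)).get("alg") != "HS256":  # pin the algorithm
            raise ValueError("unexpected alg")
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError) as exc:
        raise ValueError(f"invalid token: {exc}") from None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    for old in [j for j, exp in _seen_jti.items() if exp <= now]:
        del _seen_jti[old]  # a jti can be forgotten once its token has expired
    jti = claims.get("jti")
    if not jti or jti in _seen_jti:
        raise ValueError("replayed or missing jti")
    _seen_jti[jti] = claims["exp"]
    return claims
```

Calling `verify_once` twice on the same token raises on the second call, so a token recovered from a log or Referer header after its first use is rejected even before it expires.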

Supported Identity Providers

Okta

Enterprise identity management with SAML 2.0 and OpenID Connect support.

SAML, OIDC

Azure AD / Entra ID

Microsoft's cloud identity service with seamless SAML and OIDC integration.

SAML, OIDC

OneLogin

Unified access management supporting SAML 2.0 for single sign-on.

SAML

Auth0

Flexible identity platform supporting OIDC, SAML, and custom JWT flows.

SAML, OIDC, JWT

Google Workspace

Google's identity provider with built-in SAML app integration.

SAML

PingIdentity

Enterprise SSO and federation supporting SAML 2.0 and OIDC.

SAML, OIDC

Additional Resources