Available in Element Admissions and Element Success (External/Student SSO). See our packages overview for details.
Overview
Element451 supports Single Sign-On (SSO) for both internal users (staff/faculty) and external users (students). This guide walks you through configuring SSO, managing metadata updates, and ensuring seamless authentication for your users. Internal users can now be matched on email, School ID, or SSO ID, so institutions whose IdPs return a non-email identifier can authenticate staff and faculty without forcing email as the matching attribute.
If you're looking for guidance on enabling SSO or other authentication methods, visit our Security + Authentication Settings help article.
Configuration of SSO
To use your school's SAML2 SSO provider for either internal users (staff) or external users (students/contacts), you'll need to add your metadata to the SSO Authentication Settings:
Navigate to SSO Settings
Settings > Manage Users > Security
Find the Appropriate User Type Section
SSO for Internal Users (Admins/Staff/Faculty)
Create a New SSO Configuration
Click the + Create SSO Authentication button under SSO Authentication for Internal Users.
Enter Metadata
Paste your SSO Metadata URL or XML provided by your Identity Provider (IdP).
Note: If you're also prompted to enter a single sign-on service provider URL, please contact Element451 Live Support for assistance.
Save your Configuration
Confirm that SSO is enabled for Internal Users in Authentication Settings.
Internal SSO User Matching
Internal SSO matching is automatic: there is no matching settings card for internal users. Element451 takes the value returned by your identity provider and checks it against three fields on each internal user, signing the user in if any of them match:
Email: The user's primary email.
School ID: A stable institutional ID, such as the value printed on a staff badge or used for HR and business records.
SSO ID: The identifier your identity provider returns in its SAML response.
To enable School ID or SSO ID matching, add the value on the internal user's profile under Basic Info. Whichever attribute your IdP sends, if it matches one of these fields on an internal user, that user is signed in.
SSO for External Users (Students)
Create a New SSO Configuration
Click the + Create SSO Authentication button under SSO Authentication for External Users.
Enter Metadata
Paste your SSO Metadata URL or XML provided by your Identity Provider (IdP).
Note: If you're also prompted to enter a single sign-on service provider URL, please contact Element451 Live Support for assistance.
Save your Configuration
Confirm that SSO is enabled for External Users in Authentication Settings.
External SSO User Matching
Once SSO is enabled and configured for external users, an "External SSO User Matching" settings card will appear. This is where you choose how Element451 matches external users from your identity provider response.
Email (default): Element451 matches the value returned by the identity provider against any of the user's email fields: primary email, email identity, or school email.
Identities: Administrators can select a single identity attribute to match against. Options: Primary Email, Email Identity, School Email, School ID, or Username ID. When an identity is selected, matching occurs exclusively against that attribute.
Important Notes
Service Provider (SP) URL: If your IdP requires an SP URL before generating metadata, contact Element451 Live Support.
NameID Mapping: Ensure that the SAML2 NameID attribute maps to the value Element451 will match on. For most setups that's the emailAddress value, but for internal users you can also send School ID or SSO ID, and for external users you can configure matching against another identity attribute.
For successful SSO login, the value returned in the SAML response must match a user account in Element451, either by email or by an identity value (School ID or SSO ID for internal users; the configured matching attribute for external users).
Learn how to add internal users to Element451 here.
Renewing Your SSO Certificate
If your SSO signing certificate is set to expire, you'll need to update the certificate to maintain uninterrupted authentication. Element451 does not actively monitor your metadata for updates. Therefore, it's important to remember to update your metadata when your certificate is renewed:
Work with your SSO provider to regenerate your SSO signing certificate. Once this is done, the updated certificate will be reflected in your metadata URL/file.
Navigate to Settings > Manage Users > Security.
Locate the expired authentication.
Replace the current metadata with your updated metadata URL or file.
Save your changes.



