Single sign-on (SSO)

Enable single sign-on to allow students and staff to access Reading Steps using their existing school credentials.

Supported providers

Reading Steps supports SSO with:
  • Google Workspace for Education
  • Microsoft Azure AD / Entra ID
  • ClassLink
  • Clever
  • SAML 2.0 (custom providers)

Google Workspace

Prerequisites

  • Google Workspace for Education account
  • Admin access to Google Admin Console
  • Reading Steps admin access

Setup

  1. Go to Admin Panel > Integrations > SSO
  2. Select Google Workspace
  3. Click Configure
  4. Copy the provided Redirect URI
In Google Admin Console:
  1. Go to Apps > Web and mobile apps
  2. Click Add app > Add custom SAML app
  3. Enter “Reading Steps” as the app name
  4. Paste the Redirect URI from Reading Steps
  5. Configure attribute mapping:
| Google attribute | Reading Steps attribute |
|------------------|-------------------------|
| Primary email    | email                   |
| First name       | first_name              |
| Last name        | last_name               |
  6. Save and enable for your organizational units
Back in Reading Steps:
  1. Enter your Google Workspace domain
  2. Click Test Connection
  3. Enable SSO

Microsoft Azure AD

Prerequisites

  • Microsoft 365 Education subscription
  • Azure AD admin access
  • Reading Steps admin access

Setup

  1. Go to Admin Panel > Integrations > SSO
  2. Select Microsoft Azure AD
  3. Click Configure
  4. Copy the provided Redirect URI and Entity ID
In Azure Portal:
  1. Go to Azure Active Directory > Enterprise applications
  2. Click New application > Create your own application
  3. Name it “Reading Steps” and select Integrate any other application
  4. Go to Single sign-on > SAML
  5. Configure Basic SAML Configuration:
    • Identifier (Entity ID): Paste from Reading Steps
    • Reply URL: Paste Redirect URI from Reading Steps
  6. Configure attribute mapping:
| Azure attribute | Reading Steps attribute |
|-----------------|-------------------------|
| user.mail       | email                   |
| user.givenname  | first_name              |
| user.surname    | last_name               |
  7. Download the Federation Metadata XML
Back in Reading Steps:
  1. Upload the Federation Metadata XML
  2. Click Test Connection
  3. Enable SSO

ClassLink

Setup

  1. Go to Admin Panel > Integrations > SSO
  2. Select ClassLink
  3. Click Configure
  4. Enter your ClassLink tenant ID
  5. Click Connect to ClassLink
  6. Authorize Reading Steps in ClassLink
  7. Configure roster sync options
  8. Enable SSO

Roster sync

ClassLink can automatically sync:
  • Students
  • Teachers
  • Classes
  • Enrollments
Configure sync frequency in the ClassLink settings.

Clever

Setup

  1. Go to Admin Panel > Integrations > SSO
  2. Select Clever
  3. Click Configure
  4. Click Connect to Clever
  5. Log in to your Clever dashboard
  6. Authorize Reading Steps
  7. Select which schools to sync
  8. Enable SSO

Data sharing

Clever shares:
  • Student information
  • Teacher information
  • Class rosters
  • School information

Custom SAML 2.0

For other identity providers supporting SAML 2.0:

Reading Steps SAML configuration

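| Setting        | Value                                                  |
|----------------|--------------------------------------------------------|
| Entity ID      | https://app.readingsteps.uk/saml/metadata              |
| ACS URL        | https://app.readingsteps.uk/saml/acs                   |
| SLO URL        | https://app.readingsteps.uk/saml/slo                   |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |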

Required attributes

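| Attribute  | Required | Description                |
|------------|----------|----------------------------|
| email      | Yes      | User’s email address       |
| first_name | Yes      | User’s first name          |
| last_name  | Yes      | User’s last name           |
| role       | No       | student, teacher, or admin |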

Setup

  1. Go to Admin Panel > Integrations > SSO
  2. Select Custom SAML
  3. Enter your IdP metadata URL or upload metadata XML
  4. Configure attribute mapping
  5. Click Test Connection
  6. Enable SSO
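
An added example (not Reading Steps code): before enabling SSO for a custom provider, a decoded test response from your IdP can be checked against the Entity ID, ACS URL, Name ID Format and attribute names listed above. It assumes the response XML is already base64-decoded; the sample response, the school.example address and the check_response name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values copied from the SAML configuration and attribute tables on this page.
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://app.readingsteps.uk/saml/metadata"
ACS_URL = "https://app.readingsteps.uk/saml/acs"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("email", "first_name", "last_name")
ROLES = {"student", "teacher", "admin"}

# Constructed sample (hypothetical IdP): last_name is unmapped, role is invalid.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.readingsteps.uk/saml/acs">
 <a:Assertion>
  <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">pupil@school.example</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction>
   <a:Audience>https://app.readingsteps.uk/saml/metadata</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="email"><a:AttributeValue>pupil@school.example</a:AttributeValue></a:Attribute>
   <a:Attribute Name="first_name"><a:AttributeValue>Sam</a:AttributeValue></a:Attribute>
   <a:Attribute Name="role"><a:AttributeValue>pupil</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion>
</p:Response>"""

def check_response(xml_text):
    """List mismatches with the documented SP settings; signatures are not checked."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the ACS URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not contain the Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is not emailAddress")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", "", NS).strip()
             for a in root.iterfind(".//a:Attribute", NS)}
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"required attribute missing: {name}")
    if attrs.get("role") and attrs["role"] not in ROLES:
        problems.append(f"role is not student, teacher, or admin: {attrs['role']}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE)) or "no mismatches found")
```

The script only surfaces mapping and addressing mismatches in a response you captured yourself; it does not validate the assertion's signature or validity window.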

User provisioning

Just-in-time (JIT) provisioning

When enabled, users are automatically created on first login:
  1. Go to SSO Settings > Provisioning
  2. Enable Just-in-time provisioning
  3. Configure default settings:
    • Default role for new users
    • Default class assignment
    • Auto-assign reading level

SCIM provisioning

For automatic user lifecycle management:
  1. Go to SSO Settings > SCIM
  2. Enable SCIM provisioning
  3. Copy the SCIM endpoint URL and token
  4. Configure SCIM in your identity provider
SCIM endpoint: https://app.readingsteps.uk/scim/v2

Troubleshooting

Common issues

| Issue               | Solution                                    |
|---------------------|---------------------------------------------|
| “User not found”    | Enable JIT provisioning or pre-create users |
| “Invalid signature” | Re-download and upload IdP certificate      |
| “Attribute missing” | Check attribute mapping in IdP              |
| “Session expired”   | Increase session timeout in SSO settings    |

Testing SSO

  1. Go to SSO Settings > Test
  2. Click Start Test
  3. Complete authentication with your IdP
  4. Review the returned attributes
  5. Fix any mapping issues

Logs

View SSO authentication logs:
  1. Go to Admin Panel > Logs > SSO
  2. Filter by date, user, or status
  3. Click on entries for detailed information

Security

Session management

Configure session settings:
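| Setting         | Default | Description                             |
|-----------------|---------|-----------------------------------------|
| Session timeout | 8 hours | Time before re-authentication required  |
| Idle timeout    | 1 hour  | Time of inactivity before logout        |
| Force re-auth   | Off     | Require IdP authentication each login   |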

Access control

Restrict SSO access by:
  • Email domain
  • User groups
  • Organizational units
Configure in SSO Settings > Access Control.