Single Sign-On (SSO)

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. Refer to this Wikipedia article for more background information: Single Sign-On

Shift iQ supports two industry-standard mechanisms for SSO:

  1. Learning Tools Interoperability (LTI)
  2. Security Assertion Markup Language (SAML)

We do not implement or support custom SSO mechanisms due to the potential security and privacy risks associated with them.

Learning Tools Interoperability (LTI)

LTI is the simplest approach to SSO with the Shift iQ platform.

While LTI is not primarily designed as a SSO mechanism, some of the data it passes in a launch request is about the user. LTI works on the basis of a trust relationship between systems, which is established by means of a key and a secret. This makes it much simpler than providing access to a common identity server.

In LTI, a user is authenticated by a primary system and then can be passed to another system (internal or external) by way of a signed launch message. The system that receives this message verifies its authenticity by inspecting its digital signature, and then implicitly trusting the data it carries; thereby eliminating the need to authenticate the user a second time or reconfirm the user’s identity.

This approach makes LTI a low-cost option for implementing SSO between systems.

Refer to this article for details: LTI as a SSO Mechanism

An LTI launch message submitted for SSO access to Shift iQ looks something like this:

Simulate LTI Launch Request
This form simulates a basic LTI Consumer. Click the "Validate and Launch" button to create and validate an LTI launch request for Single Sign-On access to Shift iQ.

The LTI Launch message is signed with a secure digital signature, using HMAC-SHA1 or HMAC-SHA256, with a secret key that is shared between the two systems.

When Shift iQ receives this message from a user’s web browser, it validates the signature on the message to confirm it is a legitimate interoperability request from an authorized external system.

If request is valid, then Shift iQ authenticates the learner and navigates to the requested course in the Shift iQ Learning Portal.

Security Assertion Markup Language (SAML)

SAML is a more powerful and more sophisticated approach to SSO with the Shift iQ platform. It is more secure than LTI, therefore it is the mechanism we prefer and recommend to customers.

Security Assertion Markup Language (SAML, pronounced SAM-el) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

An important use case that SAML addresses is web-browser single sign-on. Single sign-on is relatively easy to accomplish within a security domain (using cookies, for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.

SSO interoperability with Shift iQ is supported for the following platforms:

Last updated September 29, 2023
Author image

Daniel Miller


Daniel is co-founder and Chief Technology Officer at InSite, responsible for the design, development, and operation of the Shift iQ platform.

His technical skills in the architecture and implementation of high-performance, high-fidelity enterprise software are complemented by his strong leadership of a diverse team of DevOps experts.

Get a free, no-strings attached demo for your assessment and training needs.
2023 Top Assessment Platform Award
2023 Watchlist Wordpress Assessment Evaluation
We are pleased to announce Shift iQ is listed as one of the top assessment and evaluation providers for 2023!