Protocol

SAML 2.0 single sign-on for Thinkific

WooNinja SSO operates as a standards-compliant SAML 2.0 Service Provider with per-tenant configuration, optional AuthnRequest signing, assertion and NameID encryption, and automatically generated SP metadata endpoints. It is verified against the most widely used enterprise identity providers.

Verified identity providers

Our SAML 2.0 SP has been tested and verified against the following identity providers. If yours isn't listed, any SAML 2.0-compliant IdP should work — and we can generally validate a new provider within one business week.

Shibboleth
ADFS
Okta
Azure AD / Entra ID
OneLogin
Auth0
Any SAML 2.0 IdP

SAML features and configuration

SP-initiated and IdP-initiated SSO

Supports both SP-initiated SSO (the user navigates to Thinkific, the SP issues an AuthnRequest and redirects the browser to the IdP) and IdP-initiated SSO (the user starts from the IdP's application portal and the IdP posts an unsolicited Response to Thinkific). In both flows the tenant's ACS endpoint is resolved automatically from the incoming SAML message, so the IdP needs no flow-specific configuration. Note that an IdP-initiated Response carries no InResponseTo, so the SP cannot tie it to a request it issued; in that flow the assertion's Recipient, Audience and validity window are what bind it to the tenant.
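The checks that distinguish the two flows, shown as an added example rather than WooNinja's own code: a solicited Response must carry an InResponseTo matching an AuthnRequest the SP remembers, while an unsolicited one is accepted only on the strength of Recipient, Audience and the time window. The tenant UUID, entity ID, ACS URL and the sample Response are constructed for the example; XML signature verification is assumed to have already happened.

```python
"""Added example (not WooNinja's code): the response-level checks a SAML 2.0
SP performs to bind a Response to one tenant in the SP-initiated and
IdP-initiated flows. Tenant UUID, entity ID and ACS URL are made-up values."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical tenant connection; a real deployment fills this from its config.
TENANT = {
    "entity_id": "https://sso.example.test/saml2/3f2c1a9e-0000-4000-8000-000000000001/metadata",
    "acs_url": "https://sso.example.test/saml2/3f2c1a9e-0000-4000-8000-000000000001/acs",
}


def parse_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(response_xml, tenant, outstanding_request_ids, now):
    """Return (ok, flow, reason). flow is 'sp-initiated' when the Response
    answers an AuthnRequest this SP issued and 'idp-initiated' when it is
    unsolicited. `now` is a SAML-style UTC timestamp string."""
    now = parse_time(now)
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, None, "not a samlp:Response"
    if root.get("Destination") != tenant["acs_url"]:
        return False, None, "Destination does not match the tenant ACS URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, None, "no saml:Assertion (encrypted assertions must be decrypted first)"

    # Solicited or unsolicited? InResponseTo must match a request we remember.
    in_response_to = root.get("InResponseTo")
    if in_response_to:
        if in_response_to not in outstanding_request_ids:
            return False, "sp-initiated", "InResponseTo does not match an outstanding AuthnRequest"
        flow = "sp-initiated"
    else:
        flow = "idp-initiated"

    # Bearer confirmation must name this tenant's ACS and still be valid.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != tenant["acs_url"]:
        return False, flow, "Recipient does not match the tenant ACS URL"
    if flow == "sp-initiated" and scd.get("InResponseTo") != in_response_to:
        return False, flow, "assertion InResponseTo does not match the Response"
    if parse_time(scd.get("NotOnOrAfter")) <= now:
        return False, flow, "SubjectConfirmationData has expired"

    # Audience restriction must name this tenant's SP entity ID.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, flow, "assertion has no Conditions"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if tenant["entity_id"] not in audiences:
        return False, flow, "Audience does not include the tenant entity ID"
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return False, flow, "assertion is outside its validity window"
    return True, flow, "ok"


def make_response(in_response_to=None):
    """Build a constructed, unsigned sample Response for demonstration."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  Destination="{TENANT['acs_url']}"{irt}>
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{TENANT['acs_url']}"
          NotOnOrAfter="2024-01-01T12:05:00Z"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{TENANT['entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(validate_response(make_response(), TENANT, set(), "2024-01-01T12:01:00Z"))
    print(validate_response(make_response("_req42"), TENANT, {"_req42"}, "2024-01-01T12:01:00Z"))
```

The order matters: Destination and Recipient are checked before anything else so that a Response meant for another tenant's ACS is rejected even if every other field is valid, and the InResponseTo check is the only thing that separates a replayed or forged unsolicited Response from a genuine SP-initiated one.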

SAML metadata endpoints

Each SAML tenant connection exposes a unique metadata endpoint at GET /saml2/{tenant-uuid}/metadata. The endpoint returns a standards-compliant SAML 2.0 SP metadata XML document containing the SP Entity ID, the ACS URL (HTTP-POST binding), the SP X.509 certificate, and contact information; this is the document (or URL) to hand to your IdP administrator. Separate metadata URLs are available for QA and production environments, so each environment is registered at the IdP as its own SP.
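A small parser for that metadata document, added here as an example and not part of WooNinja's code: it pulls out the values an IdP administrator has to configure and refuses IdP metadata handed to it by mistake. The document is a constructed sample with a made-up tenant UUID, and the certificate element holds a placeholder string rather than a real DER certificate.

```python
"""Added example (not WooNinja's code): parse the SP metadata document served
at GET /saml2/{tenant-uuid}/metadata and extract what an IdP administrator
must configure. The document below is constructed; the tenant UUID is made up
and the certificate is a placeholder string rather than a real DER blob."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what the metadata endpoint returns (shape only).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sso.example.test/saml2/3f2c1a9e-0000-4000-8000-000000000001/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Q29uc3RydWN0ZWQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sso.example.test/saml2/3f2c1a9e-0000-4000-8000-000000000001/acs"
      index="0" isDefault="true"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:sso-support@example.test</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the IdP-facing facts from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    # Only the HTTP-POST ACS matters here; that is the binding the page names.
    acs = [(a.get("Location"), a.get("isDefault") == "true")
           for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")

    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    certs = {"signing": [], "encryption": []}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        der = base64.b64decode("".join(cert.text.split()), validate=True)
        for use in kd.get("use", "signing encryption").split():
            certs[use].append(der)

    return {
        "entity_id": root.get("entityID"),
        "acs_post_urls": [loc for loc, _ in acs],
        "default_acs": next((loc for loc, is_default in acs if is_default), acs[0][0]),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "nameid_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "signing_cert_der": certs["signing"],
        "encryption_cert_der": certs["encryption"],
        "technical_contacts": [e.text.strip() for e in root.findall(
            "md:ContactPerson[@contactType='technical']/md:EmailAddress", NS)],
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_METADATA).items():
        print(key, value)
```

Run it against the QA and the production metadata URL separately and compare the two outputs: the entity IDs and ACS URLs must differ, otherwise the IdP cannot keep the two environments apart.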

Per-tenant security settings

SAML security is configurable per tenant. AuthnRequests can be sent signed or unsigned (signed is the better choice wherever the IdP can verify them, since it lets the IdP reject requests it did not receive from this SP), SAML assertion encryption can be enabled so that the assertion is readable only with this tenant's SP private key, and NameID encryption can be configured separately. Each tenant connection has its own SP key pair and X.509 certificate, which the IdP uses to verify request signatures and to encrypt assertions and NameIDs for that tenant. Certificate rotation is supported without downtime.

NameID format configuration

NameID format is configurable per SAML connection. The default format is persistent, which gives each user a stable opaque identifier. Supported formats also include transient, emailAddress, unspecified, X509SubjectName, and WindowsDomainQualifiedName. Note that a transient NameID is different on every login by definition, so a connection that uses it should also release a stable attribute (such as mail) for the SP to key on. NameID presence is not strictly required: if the IdP omits it, the SP falls back to the mapped email address as the user identifier.

Attribute mapping

Attribute names are accepted as OID URNs (e.g. urn:oid:2.5.4.42 for givenName), MACE URNs (e.g. urn:mace:dir:attribute-def:mail), and Microsoft claim schema URIs (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress). Provider-specific attribute names for Okta, OneLogin, and Auth0 are also recognised, and all of these are mapped automatically to Thinkific user fields and custom profile fields.

User identifier resolution

The SAML NameID serves as the primary user identifier across sessions. If the NameID is a valid email address (common with ADFS), it is accepted as both the identifier and the email attribute. If the IdP omits NameID entirely, the application falls back to the mapped email address and logs a warning. NameID values are stored as unbounded strings with no length restriction, so opaque persistent identifiers of 32 or more characters (UUIDs, eduPersonTargetedID) are fully supported. Because the fallback keys on the email attribute, an IdP that lets users edit their own email address should release a persistent NameID rather than rely on the fallback, so that a changed address cannot be used to land in another user's account.
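The NameID rules, the email fallback and the attribute mapping from the three sections above, written out as one added example; this is not WooNinja's code and the attribute map is an assumed one rather than Thinkific's field schema. It goes one step beyond the page by treating a transient NameID like a missing one, since a transient value cannot identify a user across sessions. The sample assertions are constructed and unsigned.

```python
"""Added example (not WooNinja's code): NameID handling, email fallback and
attribute mapping as described above, as a stand-alone routine. The attribute
map and the constructed assertions are illustrative; it goes one step beyond
the page by treating a transient NameID like a missing one."""
import logging
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
PERSISTENT, TRANSIENT = NAMEID + "persistent", NAMEID + "transient"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
log = logging.getLogger("saml-sp")

# IdP attribute names (OID, MACE, Microsoft claims, provider-specific friendly
# names) normalised to a field name. Assumed mapping, not Thinkific's schema.
ATTRIBUTE_MAP = {
    "email": ["urn:oid:0.9.2342.19200300.100.1.3", "urn:mace:dir:attribute-def:mail",
              "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
              "mail", "email"],
    "first_name": ["urn:oid:2.5.4.42", "urn:mace:dir:attribute-def:givenName",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "givenName", "firstName", "given_name"],
    "last_name": ["urn:oid:2.5.4.4", "urn:mace:dir:attribute-def:sn",
                  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                  "sn", "lastName", "family_name"],
}
LOOKUP = {alias: field for field, aliases in ATTRIBUTE_MAP.items() for alias in aliases}


def map_attributes(assertion):
    """Return {field: first value} for every recognised Attribute; unknown
    names are ignored. Name is tried first, then FriendlyName."""
    fields = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = LOOKUP.get(attr.get("Name")) or LOOKUP.get(attr.get("FriendlyName", ""))
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if field and values:
            fields.setdefault(field, values[0])
    return fields


def resolve_user(assertion_xml):
    """Apply the identifier rules: NameID first; an email-shaped NameID doubles
    as the email attribute; no (or transient) NameID falls back to mapped email."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == "{%s}Assertion" % SAML else root.find("saml:Assertion", NS)
    fields = map_attributes(assertion)
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    value = (nameid.text or "").strip() if nameid is not None else ""
    fmt = nameid.get("Format", UNSPECIFIED) if nameid is not None else None

    if value and fmt != TRANSIENT:
        if EMAIL_RE.match(value):
            fields.setdefault("email", value)  # ADFS commonly sends an email NameID
        return {"identifier": value, "nameid_format": fmt, **fields}  # no length cap

    reason = "transient NameID cannot identify a user across sessions" if value else "no NameID"
    log.warning("%s; falling back to mapped email attribute", reason)
    if "email" not in fields:
        raise ValueError("assertion has neither a usable NameID nor a mapped email")
    return {"identifier": fields["email"], "nameid_format": fmt, **fields}


def make_assertion(nameid, nameid_format, attributes):
    """Constructed sample assertion (unsigned) for demonstration only."""
    subject = ""
    if nameid is not None:
        subject = '<saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>' % (
            nameid_format, escape(nameid))
    attrs = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (escape(name, {'"': "&quot;"}), escape(val)) for name, val in attributes.items())
    return ('<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
            '<saml:Issuer>https://idp.example.test/idp</saml:Issuer>%s'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
            % (SAML, subject, attrs))


if __name__ == "__main__":
    print(resolve_user(make_assertion("a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d", PERSISTENT,
                                      {"urn:oid:2.5.4.42": "Ada", "mail": "ada@example.test"})))
    print(resolve_user(make_assertion(None, None, {"urn:mace:dir:attribute-def:mail": "cy@uni.example"})))
```

When both an email-shaped NameID and a mapped email attribute are present, this example keeps the attribute and uses the NameID only as the identifier; the page does not say which one Thinkific prefers, so treat that precedence as an assumption of the example.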

User logout

Single Logout (SLO) is not supported. Thinkific cannot terminate a session in response to an identity provider's logout request, and signing out at the IdP does not end an existing Thinkific session; users sign out of Thinkific separately. If your policy requires IdP-driven session termination, plan for Thinkific session lifetime accordingly.

Federation compatibility

While WooNinja SSO is not a registered InCommon Federation member and does not consume InCommon metadata in aggregate form, it is designed to interoperate with any InCommon or eduGAIN identity provider. IdP metadata (entity ID, SSO URL, X.509 signing certificate) is configured manually per SAML tenant connection rather than resolved from a federation metadata feed, so when your IdP rotates its signing certificate the new certificate must be updated on the tenant connection as well.

Ready to configure SAML for Thinkific?

Our team can walk through your IdP setup and recommend the right SAML configuration.

Book a demo