Single Sign-On (SSO) for learners transforms how you secure and track your 7taps courses. With SSO enabled, you protect proprietary training content from unauthorized access while gaining complete visibility into learner progress, regardless of how courses are shared. This guide walks you through the strategic value, technical setup, and validation testing to ensure your SSO implementation works flawlessly.
Note: This article covers SSO for learners accessing 7taps courses.
For SSO setup for creators/editors accessing the 7taps platform, see Setting up SSO for Editors/Creators.
Table of Contents
Why Learner SSO Matters: Security & Tracking Benefits
Learner SSO solves two critical challenges that many 7taps customers face:
1. Protecting Proprietary Content
Without SSO, anyone with a static link or QR code can access that course. While 7taps uses non-guessable URLs (courses aren't publicly discoverable without the direct link), links can still be shared, forwarded, or accessed by unintended recipients, including competitors, unauthorized contractors, former employees, or external partners.
SSO creates an authentication barrier that ensures only authorized individuals from your organization can access your training content, even if the link is shared outside your organization.
Real-world scenarios where SSO protection matters:
Compliance training containing proprietary processes or trade secrets
Product knowledge courses with confidential roadmap information
Leadership development content meant only for internal managers
Safety protocols specific to your facilities or equipment
Sales enablement materials with pricing or competitive strategies
⚠️ Important: SSO applies to all courses in your 7taps account once enabled. You cannot selectively enable SSO for only certain courses. If you need different access controls for different audience types (e.g., internal employees vs. external partners), consider using separate 7taps accounts—one for internal-only courses with SSO enabled, and another for courses you'll share with external partners without authentication requirements.
2. Complete Learner Progress Tracking
The transformative benefit of SSO is universal tracking across all sharing methods. Once SSO is enabled, 7taps automatically tracks and attributes every learner interaction to their authenticated identity, even when courses are shared via:
Static links posted on internal websites or SharePoint pages
QR codes displayed in facilities, break rooms, or equipment
Direct links sent via email, Slack, or Teams messages
Any other share method
Without SSO, tracking depends on the sharing method. Static links and QR codes cannot identify individual learners, you see aggregate data but can't attribute progress to specific people.
With SSO enabled, every course interaction is mapped to the learner's email address, giving you:
Individual completion rates and timestamps
Quiz scores and assessment performance by learner
Card-by-card progression through courses
Time spent per module for each learner
Ability to identify who needs follow-up or additional support
This means you can place QR codes anywhere in your organization and know exactly which employees accessed the training and how they performed. Learn more about tracking learner progress →
How Learner SSO Works in 7taps
7taps uses SAML 2.0 (Security Assertion Markup Language) for SSO authentication, the enterprise standard supported by identity providers like:
Microsoft Entra ID (formerly Azure AD)
Okta
Google Workspace
OneLogin
Any SAML 2.0-compliant identity provider
The Authentication Flow
Learner attempts to access a course (via static link, QR code, Learning Path, etc.)
7taps checks for authentication token
If valid token exists: Course loads immediately
If no valid token: Learner is redirected to your SSO login page
Learner authenticates using their company credentials at your identity provider
Your IdP returns a SAML assertion to 7taps containing the learner's verified identity (email address)
7taps creates an authenticated session and loads the course
All learner interactions are tracked and attributed to their email address in 7taps analytics
Once authenticated, the learner doesn't need to log in again until their session token expires (typically managed by your organization's IdP settings).
Email ID as the Identity Key
⚠️ Critical requirement: Your SAML configuration must include the learner's email address in the authentication claim. This email address becomes the unique identifier that 7taps uses to attribute all learning records and analytics to the correct individual.
Prerequisites & Required Information
Before starting SSO setup, you'll need:
From Your Organization
Decision: Are you using a custom domain?
Custom domain (e.g.,
learning.yourcompany.com) - Requires separate setup; see Custom Domain SetupDefault 7taps domain (
app.7taps.com) - Standard configuration
SAML Configuration Details - Gather one of the following from your IT/Identity team:
Option A: Individual SAML Parameters
Endpoint / SAML URL (where 7taps sends authentication requests)
Issuer / Entity ID (unique identifier for your organization's IdP)
Certificate (X.509 certificate for validating SAML responses)
Option B: SAML Metadata XML File
Single XML file containing all configuration parameters
Typically exported directly from your identity provider
Email Claim Configuration
Confirm that your IdP includes the user's email address in the SAML assertion
This is typically a standard claim, but should be verified with your IT team
From 7taps
You'll provide your identity provider with configuration values specific to your setup (see next section).
Configuration Values for Your Identity Provider
Your IT team will need these URLs to configure 7taps as a SAML application in your identity provider.
For Organizations Using Default 7taps Domain
Use these exact URLs in your IdP configuration:
Entity ID / Issuer / Audience URI:
https://app.7taps.com/saml2/learner/7taps-eid
Assertion Consumer Service (ACS) URL / Consumer URL / SAML URL:
https://app.7taps.com/saml2/learner/acs
For Organizations Using a Custom Domain
Replace `microlearning.mydomain.com` with your actual custom domain:
Entity ID / Issuer / Audience URI:
https://microlearning.mydomain.com/saml2/learner/7taps-eid
Assertion Consumer Service (ACS) URL / Consumer URL / SAML URL:
https://microlearning.mydomain.com/saml2/learner/acs
Important: These URLs must match your domain exactly. If you're unsure whether you have a custom domain configured, contact 7taps support before proceeding.
Setup Process with 7taps Support
SSO configuration requires coordination between your IT team and 7taps support. The process typically takes 30-60 minutes of collaboration.
Step 1: Gather Your SAML Configuration
Work with your IT/Identity team to obtain either:
Individual SAML parameters (Endpoint URL, Issuer/Entity ID, Certificate), OR
Complete SAML metadata XML file
Confirm that your configuration includes the learner email address in the SAML claim.
Step 2: Provide Configuration Values to Your IT Team
Share the appropriate 7taps URLs (from the previous section) with your IT team so they can configure 7taps as a SAML application in your identity provider.
Step 3: Submit Configuration to 7taps Support
Contact 7taps support with:
Your SAML configuration details or metadata XML file
Confirmation of whether you're using a custom domain (and which domain)
How to reach support:
Click the Help button in your 7taps account
Email: [support@7taps.com]
Include "SSO Setup Request" in your subject line
Step 4: 7taps Configures Your SSO
The 7taps team will configure your SSO settings on our backend and confirm when the setup is complete. This typically happens within 1 business day.
Step 5: Test & Validate (Critical—see next section)
Once 7taps confirms configuration is complete, you must validate that SSO works correctly before rolling out to learners.
Testing & Validation: Confirming SSO Works Correctly
⚠️ Do not skip this section. Proper validation ensures your learners have a seamless experience and that tracking works as expected.
Validation Checklist
Complete all four validation steps to confirm your SSO implementation works correctly:
✅ Step 1: Test Authentication with a Static Link
Purpose: Confirm that unauthenticated access triggers your SSO login flow.
Select a test course in your 7taps account (or create a simple 3-card course specifically for testing)
Copy the static link from the course sharing options
Open an incognito/private browser window (or a browser where you're not already logged into your company accounts)
Paste and navigate to the static link
Expected result: You should be redirected to your organization's SSO login page before accessing the course content.
If this doesn't happen: Your SSO configuration may not be active yet. Contact 7taps support immediately.
✅ Step 2: Authenticate and Access the Course
Purpose: Confirm that valid credentials allow course access.
Enter your company credentials on your organization's SSO login page
Complete authentication (including MFA if required by your organization)
Expected result: After successful authentication, you should be automatically redirected back to the 7taps course, which should load normally.
If this doesn't happen: There may be a configuration mismatch between your IdP and 7taps. Note any error messages and contact support.
✅ Step 3: Generate Learning Interactions
Purpose: Create trackable data to verify that analytics capture authenticated activity.
Progress through the test course completely:
Swipe through all cards
Answer any quiz questions
Submit any polls or forms
Complete the entire course to the final card
Repeat with different interaction patterns (optional but recommended):
Start a second course but don't complete it
Return to a completed course and review specific cards
✅ Step 4: Verify Tracking in Course Analytics
Purpose: Confirm that your learning record was created and correctly attributed to your email address.
Navigate to the test course in your 7taps creator account
Open the Analytics/Statistics section for that course
Look for your individual learning record:
Should show your email address (e.g.,
yourname@company.com)Should display completion status (100% if you finished)
Should show timestamps for when you accessed the course
Should include individual card interactions and quiz responses
Expected result: Your learning record appears with your email address as the identifier, not an anonymous ID or device identifier.
If your record appears but without your email: The email claim may not be included in your SAML assertion. Contact your IT team to verify the SAML configuration includes email in the user attributes.
If no record appears at all: SSO authentication may have succeeded, but the identity mapping failed. Contact 7taps support with details about your authentication process.
✅ Step 5: Test QR Code Access (Bonus Validation)
Purpose: Confirm that SSO protection extends to QR codes (a major use case for many customers).
Generate a QR code for your test course
Scan the QR code using your mobile device (again, in a private/incognito browser or after clearing your authentication session)
Confirm you're prompted to authenticate before accessing the course
Complete authentication on your mobile device
Progress through a few cards on mobile
Check course analytics to verify that your mobile interactions were tracked under your email address
Expected result: Mobile access via QR code requires authentication and all interactions are tracked to your email, just like desktop access.
Common Questions About Learner SSO
Does SSO work with all sharing methods?
Yes. Once SSO is enabled, all sharing methods are protected and tracked:
✅ Static links
✅ QR codes
✅ Learning Paths
✅ Direct course URLs
✅ SCORM packages (when applicable)
Every access attempt requires authentication, regardless of how the course is shared.
Can we exempt certain courses from SSO?
No. Once SSO is enabled for your 7taps account, it applies to all courses in that account. This ensures consistent security and tracking across your entire training library within that environment.
If you need different access levels for different audiences: Many organizations use a two-account strategy:
Account 1: Internal-only courses with SSO enabled (proprietary content, compliance, leadership development)
Account 2: Partner/external courses without SSO (onboarding for contractors, partner enablement, customer education)
This approach gives you complete control over which content requires authentication while still allowing easy external sharing when appropriate. Contact 7taps support to discuss your specific use case and account structure options.
Can learners access courses from personal devices?
Yes, as long as they can authenticate through your organization's SSO login. Many organizations allow SSO authentication from any device, but access policies are controlled by your identity provider settings, not by 7taps.
If your organization restricts access to company-owned devices, those restrictions will apply to 7taps courses as well.
What happens if a learner's email isn't in the approved domain list?
They will be unable to authenticate and access the course. For example, if you've approved @company.com but a contractor has @contractor.com, they cannot access SSO-protected courses unless you add their domain to the approved list.
To add additional domains: Work with your IT team to add the domain to your identity provider's SSO configuration for 7taps. This is managed on your organization's side, not within 7taps settings. Once your IT team updates the approved domains in your IdP, those users will be able to authenticate.
How long do authentication sessions last?
Session duration is controlled by your identity provider's configuration, not by 7taps. The length of time varies significantly between organizations based on their security policies.
Typical session durations:
Many organizations configure sessions to last 7-30 days by default
Some security-conscious organizations set shorter durations (4-8 hours)
Others may extend to several weeks for user convenience
What this means for learners: Once authenticated, learners can access 7taps courses without logging in again until their session expires. The exact timing depends on your organization's IdP settings (specifically the SessionNotOnOrAfter attribute in your SAML configuration).
Note: The SAML authentication token itself typically expires within 1 hour, but this is different from the session duration. After the initial authentication, 7taps maintains the authenticated session for the duration your organization has configured, without requiring the learner to re-enter credentials.
If you need to adjust session duration for your organization, work with your IT team to modify the session timeout settings in your identity provider.
What if we already share courses with our LMS?
SSO can work alongside LMS integration. However, if learners access courses through your LMS, the LMS handles authentication and tracking. SSO is most valuable for courses shared outside the LMS (static links, QR codes, direct distribution).
Discuss your specific setup with 7taps support to determine the best configuration.
Will SSO affect existing shared links?
Yes, once SSO is enabled, all existing static links and QR codes will require authentication. This is by design for security, but you should communicate the change to learners who may have bookmarked direct links.
Consider sending a brief notification: "Starting [date], accessing training courses will require you to log in with your company credentials to protect our proprietary content."
Troubleshooting SSO Issues
Problem: Learners see "Access Denied" or cannot authenticate
Possible causes:
Learner's email domain not in approved list
SAML configuration mismatch between your IdP and 7taps
Certificate expired in your IdP
Solutions:
Verify the learner's email domain is approved (contact 7taps support to check)
Confirm SAML configuration values match exactly between your IdP and 7taps
Check certificate expiration date in your identity provider
Contact 7taps support with specific error messages
Problem: Authentication succeeds but analytics don't show email address
Possible causes:
Email claim not included in SAML assertion
Email attribute mapped incorrectly in your IdP configuration
Solutions:
Check your IdP's SAML attribute configuration—ensure email/mail attribute is included
Review the SAML assertion your IdP sends (your IT team can typically view this in IdP logs)
Contact 7taps support to verify what attributes we're receiving
Problem: SSO works on desktop but not mobile
Possible causes:
Mobile device restrictions in your IdP policies
Cookie/session handling issues in mobile browser
Solutions:
Test in both a mobile browser (Safari/Chrome) and any company mobile app that uses web views
Verify your IdP allows authentication from mobile devices
Clear cookies and cache on the mobile device
Contact 7taps support if authentication redirects fail on mobile
Problem: "Certificate expired" error messages
Cause: Your IdP's X.509 certificate has expired
Solution:
Generate a new certificate in your identity provider
Submit the updated certificate to 7taps support
7taps will update the configuration on our side
Best practice: Set a reminder to update certificates 30 days before expiration to avoid disruption.
Getting Help from 7taps Support
For SSO setup assistance or troubleshooting, contact 7taps support with:
Required information:
Your organization name and 7taps account
Whether you're using a custom domain (and which domain)
Description of the issue (be specific about error messages or unexpected behavior)
Screenshots of any error messages
Test user email address you used during validation
Optional but helpful:
SAML assertion contents (your IT team can provide this from IdP logs)
Your IdP configuration screenshot showing 7taps SAML app settings
Timeline of when the issue started occurring
How to contact support:
Click the Help button in your 7taps account
[Include additional contact methods if available]
Response time: SSO issues are typically prioritized for same-day response during business hours.
Best Practices for Managing SSO
Document your configuration: Keep records of your SAML settings, approved domains, and certificate expiration dates
Create a dedicated test account: Use a consistent test user email for validation whenever you make changes
Monitor certificate expiration: Set reminders 60 and 30 days before your SAML certificate expires
Communicate changes to learners: If you enable SSO after courses have been shared, notify learners they'll need to authenticate
Test after any IdP changes: If your IT team updates your identity provider, revalidate that 7taps SSO still works correctly
Regularly review approved domains: As your organization changes (acquisitions, contractor relationships), keep your approved domain list current
Need help getting started? Reach out to 7taps support and we'll guide you through the entire SSO setup process, from configuration to validation testing.