How Do I Set Up SSO Sign On For Users?
Overview
Continuum now supports Single Sign-On (SSO) via SAML 2.0, allowing your institution to integrate site authentication with your existing identity provider. This means users can access your site seamlessly using the same credentials they use for other institutional resources, without needing to manage separate passwords or request individual accounts.
This document provides everything your team needs to understand, set up, and manage SSO access for your customers.
What is Single Sign-On (SSO)?
Single Sign-On (SSO) is a modern authentication approach that allows users to log in once and gain access to multiple connected applications using the same credentials. Rather than managing separate usernames and passwords for each service, SSO leverages your institution's existing identity provider—such as Okta, Open Athens, or another SAML-based system—to verify user identity.
Continuum uses SAML 2.0, an industry-standard protocol that ensures secure, encrypted communication between your identity provider and our platform.
Key Benefits
- Frictionless Access – Users can log in within seconds using credentials they already know, eliminating password management overhead.
- Unified Experience – SSO credentials extend across all institutional resources, creating a consistent access experience for end users.
- Enhanced Security – SAML-based authentication eliminates shared passwords, reduces phishing risk, and aligns with institutional security and compliance requirements.
- Automatic Access Management – User permissions are automatically mapped based on institutional entitlements. No manual provisioning needed.
- Reduced Administrative Burden – No need to create individual user accounts or handle access requests. Everything is managed through your identity provider.
How SSO Works
- User clicks 'Sign in via Institution' on your site login page.
- User authenticates with their institution using credentials they already know (username/password, MFA, etc.).
- Identity provider securely sends user information back to your site via a digitally signed SAML assertion.
- Continuum verifies the assertion and grants access. Entitlements are automatically mapped based on subscription configuration.
- User is logged in and can immediately access your site based on their subscription access.
- Alternative access methods: most SSO providers offer a sign-on button for your site that logs the user in directly. Many company intranet sites also include a direct button that does the same.
For End Users: Getting Started with SSO
Logging In
- Visit the site’s login page.
- Click the 'Sign in via Institution' button.
- Enter your institutional username and password (or use your institution's configured authentication method).
- You'll be redirected to the website and automatically logged in.
- Alternatively, users can log in directly via a link or button on their company intranet or on the SSO provider's dashboard.
What If I Don't Have SSO Enabled?
If your institution hasn't enabled SSO, you can still log in using your site username and password. Contact your institution's IT administrator to inquire about enabling SSO.
For Client IT Administrators: Setting Up SSO
This section provides technical guidance for IT administrators configuring SSO for Continuum. The setup process involves configuring both the customer institution's identity provider (IdP) and the customer’s site license in Continuum.
Prerequisites
- A SAML 2.0-compliant identity provider (e.g., Okta, Open Athens, or similar)
- Administrative access to the customer’s identity provider (or coordination with the customer's IdP administrators) and administrator access to Continuum
- At least one test user account in the customer’s identity provider
Setup Overview
The setup process follows these general steps:
- Create an SSO site license user account in Continuum with basic organizational information. This should be separate from any other existing site license accounts for that customer.
- Configure Continuum as an application in your identity provider and obtain necessary configuration values.
- Complete the Continuum SSO configuration with values from your identity provider.
- Create test users and verify the connection works correctly.
Step 1: Create SSO Site License Account in Continuum
- Log in to Continuum with administrator privileges.
- Navigate to the user management section and create a new SSO site license user account.
- Populate the following required fields initially:
  - Organization Name – A friendly name identifying your institution (e.g., 'Acme University').
  - Contact Email – An email address for the SSO contact person at the customer’s institution (must be unique to this account).
  - Slug – A unique identifier using dashes between words (e.g., 'acme-university-sso'). This value will be used in your identity provider configuration.
- Save this account. You will return to complete additional fields after configuring your identity provider.
Step 2: Configure Account With The Identity Provider
Note: The following examples use Okta, but the same principles apply to other SAML 2.0 identity providers like Open Athens. Consult the provider's documentation for specific field locations.
Configuration in Okta
- Log in to the customer’s Okta admin console.
- Create a new SAML 2.0 application for the customer’s SSO site license account.
- Application Label: Enter the Slug value from the Continuum SSO site license account (e.g., 'acme-university-sso').
- Most remaining fields will auto-populate once you enter the Application Label. Configure the following fields as needed:
  - Configure SAML settings to use the customer institution's attribute mappings (email, first name, last name, etc.).
- Assign at least one test user to this application (you'll use this account to verify the SSO connection).
- Note the following values from the Okta application configuration. You'll need these for the customer’s SSO site license account in Continuum:
  - IdP Metadata URL – Found under Settings → Sign-On → IdP Metadata URL
  - Audience Restriction (SP Entity ID) – Found in the SAML settings
  - Single Sign-On URL (ACS URL) – Found in the SAML settings
For Other Identity Providers (Open Athens, etc.)
The configuration steps for other providers are generally the same: the values and fields noted above need to be configured both in the SSO provider and in the Continuum SSO site license for the connection to work.
Step 3: Complete Continuum SSO Configuration
Return to the SSO site license account you created in Continuum and complete the remaining configuration fields:
| Field | Value to Enter | Where to Find It |
| --- | --- | --- |
| IdP Metadata URL | Full URL from identity provider | Okta: Settings → Sign-On → IdP Metadata URL |
| IdP Entity ID | Value of the Issuer field on the Sign-On tab | Okta: Sign-On settings |
| IdP SSO URL | Value of the Sign On URL field on the Sign-On tab | Okta: Sign-On settings |
| IdP Signing Certificate | Value of the Signing Certificate field on the Sign-On tab | Okta: Sign-On settings |
| SP Entity ID | Audience restriction value from identity provider | Okta: Application SAML settings |
| SP Metadata URL | Auto-generated in Continuum as you populate other fields | Continuum, auto-generated |
| ACS URL | Single Sign-On URL from identity provider | Okta: Application SAML settings |
| SAML attribute mapping in Continuum | | |
| First Name | firstName | SAML attribute mapping in Continuum |
| Last Name | lastName | SAML attribute mapping in Continuum |
| Name ID Format | Leave as default | SAML settings in Continuum |
Step 4: Test the SSO Connection
- Ensure you have created at least one test user in your identity provider (e.g., Okta) and assigned them to the website application.
- Log out of the website if currently logged in.
- Go to the website login page and click 'Sign in via Institution'. Also test using the SSO provider’s dashboard button or the customer institution’s intranet link or button.
- Log in with your test user credentials from the identity provider.
- Verify that you are automatically logged in to the website with the correct access level.
- If the connection fails, check the configuration values in both systems and verify that SAML assertions are being properly signed and encrypted.
Entitlements and Access Management
Once SSO is configured, user access is automatically managed through entitlement mapping:
- Subscription products are defined in Continuum and linked to third-party entitlements from the SSO identity provider.
- Users are automatically granted appropriate access based on their entitlements in the SSO identity provider. No manual provisioning is required.
- Changes to entitlements in the identity provider are reflected in Continuum in real time on the user's next login. Subscriptions and access in the customer’s Continuum site license are the “source of truth” for access.
Troubleshooting SSO Issues
User Cannot See 'Sign in via Institution' Button
- Verify that SSO configuration is complete in Continuum and published/enabled.
- Check that the user's institution has SSO enabled for the site.
- Clear browser cache and cookies, then try again.
Login Fails After Clicking 'Sign in via Institution'
- Verify the user account exists in the SSO identity provider and is assigned to the website.
- Confirm all configuration values (IdP Metadata URL, Entity IDs, ACS URL, etc.) are correctly entered in both systems.
- Check that the SAML assertion is being properly signed and encrypted by the identity provider.
- Verify that attribute mappings (email, firstName, lastName) are correctly configured in both the identity provider and Continuum.
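The checks in this list can be run against a captured, base64-decoded SAML response. The following is an added diagnostic example, not Continuum's own validation code: it compares the response with the values entered in Step 3 and lists each mismatch. The configuration values and sample response are constructed, and the function only checks that a signature element is present; it does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed values standing in for the Step 3 fields (hypothetical URLs).
CONFIG = {"idp_entity_id": "https://idp.example.edu/saml",
          "sp_entity_id": "https://sp.example.com/acme-university-sso",
          "acs_url": "https://sp.example.com/acme-university-sso/acs",
          "attributes": ["email", "firstName", "lastName"]}
# Constructed, already decoded response: wrong Audience, no lastName, empty signature element.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://sp.example.com/acme-university-sso/acs">
 <a:Assertion><a:Issuer>https://idp.example.edu/saml</a:Issuer><ds:Signature/>
  <a:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example.com/acme-sso</a:Audience></a:AudienceRestriction>
  </a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="email"><a:AttributeValue>t@example.edu</a:AttributeValue></a:Attribute>
   <a:Attribute Name="firstName"><a:AttributeValue>Test</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion></p:Response>"""

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(response_xml, cfg, now):
    """Return a list of mismatches; does NOT verify the signature cryptographically."""
    root = ET.fromstring(response_xml)
    a = root.find("a:Assertion", NS)
    if a is None:
        return ["no plaintext Assertion (encrypted assertion, or not a SAML Response)"]
    problems = []
    if a.findtext("a:Issuer", None, NS) != cfg["idp_entity_id"]:
        problems.append("Issuer does not match IdP Entity ID")
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination does not match ACS URL")
    if cfg["sp_entity_id"] not in [e.text for e in a.iterfind(".//a:Audience", NS)]:
        problems.append("Audience does not contain SP Entity ID")
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")
    cond = a.find("a:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        problems.append("outside NotBefore/NotOnOrAfter window (clock skew or stale capture)")
    sent = {e.get("Name") for e in a.iterfind(".//a:Attribute", NS)}
    problems += [f"attribute {n!r} not sent" for n in cfg["attributes"] if n not in sent]
    return problems
```

Captured responses contain user identifiers and attributes, so handle them as sensitive data and use a test account where possible.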
User Logs In But Receives 'Access Denied'
- Check entitlement mappings between the identity provider and Continuum subscription products.
- Verify the user has the appropriate entitlements assigned in the identity provider.
- Contact Continuum support if the issue persists.
Support and Contact
For questions, issues, or assistance with SSO configuration:
- Contact your project manager for assistance.
- For technical configuration questions specific to the identity provider, consult that provider's documentation or support team.
- Include relevant error messages, SAML assertion details, and configuration settings when reporting issues.
