Enterprise SSO (SAML)

Enterprise SSO (SAML) is a feature that lets Admins connect Disco to their organization’s identity provider so every Member and Admin authenticates through that IdP to access the Academy.

Overview

SAML SSO replaces Disco’s standard email, password, and social logins with the identity provider chosen by your organization. Once enabled, all authentication flows through providers like Okta, Microsoft Entra, Google Workspace, MiniOrange, or any SAML 2.0 compatible IdP. This gives Admins centralized control over access, lets the IdP enforce policies like multi-factor authentication, and automatically revokes access when someone is removed from the directory. SSO is an Enterprise feature and is applied at the Academy level.

Start a SAML Connection

SSO is configured from the Admin Console. There is no separate app to install.
  1. Go to Admin Console > Integrations.
  2. Locate the Enterprise SSO (SAML) card under Available integrations.
  3. Click Connect to open the Configure SAML Connection drawer.
The drawer walks through a five-step wizard. Each step must be completed before the next is available.

Select the Identity Provider

In Step 1 of the wizard, choose the IdP that will handle authentication for your Academy. Supported providers:
  • Okta SAML
  • Microsoft Entra SAML
  • Google Workspace SAML
  • MiniOrange WordPress IDP Plugin
  • Generic SAML (for any SAML 2.0 compatible provider)
Selecting a provider loads provider-specific setup instructions for the next step.

Create the SAML App in the IdP

In Step 2, follow the on-screen instructions to create the SAML application inside your IdP. Disco generates two values that must be entered into the IdP during this step:
  • Entity ID identifies Disco as the service provider to the IdP.
  • Assertion Consumer Service (ACS) URL is the endpoint where the IdP sends the SAML response after a successful authentication.
Each field has a copy-to-clipboard button. Paste these values into the corresponding fields inside your IdP’s SAML configuration.

Configure the Connection

How Step 3 works depends on the provider selected in Step 1. For Okta, Microsoft Entra, and MiniOrange:
  1. Copy the SAML Metadata URL from your IdP.
  2. Paste it into the Metadata URL field in Disco.
  3. Disco fetches the SSO URL, IdP Entity ID, and certificate automatically.
For Google Workspace and Generic SAML:
  1. Enter the SSO URL from your IdP.
  2. Enter the IdP Entity ID.
  3. Paste the X.509 certificate issued by your IdP.

Test the Connection

In Step 4, click Test Connection. Disco opens a new browser tab and initiates an SSO login against the IdP.
  1. Log in through the IdP in the new tab.
  2. Disco verifies that the SAML response contains a valid email, first name, and last name.
  3. If the test passes, the wizard advances to the final step.
The Admin running the test must be logged into Disco using the same email address as their IdP account. If the emails do not match, the test fails. POV: Always run the test with a second Admin logged in on a different browser or device. If the IdP response is misconfigured and you enable SSO before catching it, the tested Admin can still access their account, but the second Admin gives you a safety net while you troubleshoot.
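The checks that Step 4 runs on the SAML response, together with the required-attribute rule restated in the FAQ below, as an added Python example that is not Disco's code. The SP Entity ID, the ACS URL and the attribute names email, firstName and lastName are assumptions (the page does not document the attribute names), and signature verification is assumed to have already been done by a SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder SP values and assumed attribute names; the constructed response below omits lastName.
SP_ENTITY_ID = "https://academy.example.com/saml/metadata"
ACS_URL = "https://academy.example.com/saml/acs"
REQUIRED = ("email", "firstName", "lastName")

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://academy.example.com/saml/acs"
          NotOnOrAfter="2099-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://academy.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, now=None):
    """Return (ok, problems, attributes). Assumes the signature was already verified."""
    now = now or datetime.now(timezone.utc)
    problems = []
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return False, ["response carries no Assertion"], {}
    # Audience must be our Entity ID, else an assertion minted for another SP would pass.
    if SP_ENTITY_ID not in [x.text for x in a.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not match the Entity ID")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter"):
        if now >= datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")):
            problems.append("assertion has expired")
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", "", NS)
             for at in a.findall(".//saml:Attribute", NS)}
    for name in REQUIRED:  # the Step 4 check: email, first name and last name present
        if not attrs.get(name):
            problems.append("missing required attribute: " + name)
    return not problems, problems, attrs
```

Run against the sample, the check fails only on the missing lastName, which is the failure mode the page describes: authentication succeeded at the IdP, but the test step still fails.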

Enable SSO

In Step 5, click Enable SSO Connection. Disco then:
  1. Displays a set of single-use recovery codes. Save these immediately. They cannot be retrieved later.
  2. Locks down the Academy so that every Member and Admin must authenticate through the IdP going forward.
  3. Disables email and password login and social login for the entire Academy.
The Admin who ran the test in Step 4 is the only Admin who can enable the connection. If a different Admin opens the drawer, they must re-run the test first.

Manage an Active Connection

Once SSO is enabled, the Enterprise SSO (SAML) card moves from Available integrations to the Connected section of the Integrations page. The card shows the IdP logo, name, and a status badge. Status badges:
  • Enabled means SSO is active and every user logs in through the IdP.
  • Not Enabled means the connection has been tested but has not been turned on.
  • Needs Verification means the connection is configured but has not been tested.
  • Needs Configuration means setup was started but no credentials have been entered.
  • Metadata Refresh Error means the automatic metadata refresh failed.
The three-dot overflow menu offers two actions:
  • Modify Connection (or Complete Setup if not yet enabled) reopens the wizard or the Connection Details drawer.
  • Disconnect removes the connection and restores standard login.
Clicking Modify Connection opens the Connection Details drawer, where an Admin can:
  • View and copy the Entity ID and ACS URL.
  • Update the Metadata URL (for Okta, Microsoft Entra, and MiniOrange) or manage certificates (for Google Workspace and Generic SAML).
  • Enable or configure automatic metadata refresh for metadata-based providers.
  • Adjust the Session Length.
  • Toggle JIT Provisioning on or off.

Settings

Session Length

Session Length controls how long a user’s SSO session lasts before they are prompted to re-authenticate through the IdP. Set it in days, weeks, or months. The setting applies to every user in the Academy.

Just-in-Time (JIT) Provisioning

When JIT Provisioning is on, any user who successfully authenticates through the IdP is automatically created as a Disco Member on first login. When it is off, only users who already have a Disco account can log in. New users must be invited by an Admin before their first SSO login.

Automatic Metadata Refresh

Automatic metadata refresh is available for metadata-based providers (Okta, Microsoft Entra, MiniOrange). When enabled, Disco periodically re-fetches the SAML metadata from the saved Metadata URL, which keeps certificates in sync when your IdP rotates them. Refresh errors are shown on the connection card and inside the Connection Details drawer. Use the refresh button next to the Metadata URL field to trigger a manual refresh at any time.

FAQ

No. Disco does not currently support SCIM. User provisioning happens through Just-in-Time provisioning on first SSO login, or by inviting users from the Admin Console.
It is configurable. Admins set Session Length in days, weeks, or months from the Connection Details drawer, and the setting applies to every user in the Academy.
Existing Members are preserved. On their first SSO login, Disco matches them to their existing account by email address, and all their memberships, progress, and data stay intact. Nobody has to re-join a course or Program.
No. Once SSO is enabled, every Member and Admin must authenticate through the configured IdP. External users who are not in the directory cannot log in unless they are added to the IdP.
No. SAML SSO applies to the entire Academy, not to individual Programs. If some audiences need password login and others need SSO, those audiences need separate Academies.
Disco supports SAML 2.0, so any IdP that federates into Okta, Microsoft Entra, Google Workspace, MiniOrange, or another SAML 2.0 compatible provider can be used as the authentication source.
Users cannot log in while the IdP is unreachable. The recovery codes issued when SSO was first enabled allow a single user to bypass SSO for a 24-hour session. Each code can be used only once, and there is no other bypass mechanism.
Disco requires the IdP to send the user’s email, first name, and last name. If any of these attributes are missing from the SAML response, the test connection step will fail even if authentication succeeds.
On each SSO login, Disco syncs the user’s email to match whatever the IdP returns. If a Member’s email changes in the IdP, it updates in Disco on their next login.
No. Disco only re-authenticates with the IdP when a session expires. A disabled user keeps access until their current session ends, at which point the next login attempt is rejected by the IdP. Set a shorter Session Length if you need tighter revocation.
For metadata-based providers, leave automatic metadata refresh on and Disco pulls the new certificate the next time your IdP rotates it. For Google Workspace or Generic SAML, open the Connection Details drawer and upload the new X.509 certificate. At least one certificate must stay on the connection at all times, so add the new certificate before removing the old one.
Open the Enterprise SSO (SAML) card, click the three-dot menu, and choose Disconnect. Confirm the warning. All users revert to email, password, and social login.
No. SSO is all-or-nothing. Once enabled, every user in the Academy authenticates through the IdP.