SSO Configuration: Common Questions for ICT Staff

1. Before You Set Up SSO

1.1 Which Identity Providers (IdPs) does Edrolo support?

Edrolo supports any SAML 2.0-compliant identity provider. We have step-by-step setup guides.

1.2 Should I update user emails before enabling SSO?

Yes, and it's important to do this first. Any user whose Edrolo email doesn't match what your IdP sends will be blocked from logging in. This includes:

  • Users with old or personal email addresses: update these to the current school domain before enabling SSO.
  • Users affected by a recent domain change: update or re-provision their accounts with the new domain before switching SSO on.

1.3 Can our school use multiple email domains with SSO?

Yes. Edrolo supports multiple official domains: for example, separate domains for staff (@school.edu.au) and students (@students.school.edu.au). Both domains just need to be managed by the same Identity Provider (IdP), and the IdP must send the correct email in the SAML claim for each user.

2. What Happens When SSO Is Enabled

2.1 What changes the moment SSO is turned on?

  • Edrolo redirects all users to your IdP login page
  • Existing Edrolo passwords stop working
  • Previously inactive accounts reactivate on their first successful SSO login
  • The SSO email becomes each user's primary login identifier

2.2 Can teachers and students continue using manual (username/password) logins alongside SSO?

No. Once SSO is enabled, all users are redirected to your IdP and Edrolo passwords no longer work. If you need to temporarily restore manual login (for example, during troubleshooting), you can disable SSO:

Admin Hub → Authentication → uncheck "Enable SSO for all users" → Save

2.3 Will students and teachers lose their progress or data when SSO is enabled?

No. As long as each user's email address matches between Edrolo and your IdP, all data is fully retained.

3. Testing SSO

3.1 Can I test SSO for a small group of users before rolling it out to everyone?

Not currently — SSO must be enabled for all users at once. To test safely without risking a lockout, we recommend:

  • Schedule for after hours to minimise disruption.
  • Use the two-browser method: Keep your current admin session open in one browser window. Open a separate Incognito/Private window and attempt to log in with SSO credentials.
  • Quick rollback: If the test fails, use your original open session to turn SSO off immediately (Admin Hub → Authentication → uncheck "Enable SSO for all users" → Save).

4. Troubleshooting

4.1 What happens if the IdP sends the wrong email address?

The user will be unable to log in or will see an account mismatch error. The email your IdP sends must exactly match the email stored in Edrolo.
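
A pre-flight check for the email-matching requirement in 1.2 and 4.1, as an added example that is not Edrolo's own tooling: it compares a user list exported from Edrolo with the addresses your IdP will send and sorts each account by the kind of mismatch. The CSV layout, the sample addresses and the function names are assumptions; whether Edrolo treats a case-only difference as a mismatch is not stated here, so those accounts are flagged for correction rather than assumed to pass.

```python
import csv
import io

# Constructed sample exports. The single "email" column is an assumed layout.
EDROLO_EXPORT = """email
alice@school.edu.au
Bob@school.edu.au
carol@gmail.com
dave@oldschool.edu.au
erin@students.school.edu.au
gina@school.edu.au
"""
IDP_EXPORT = """email
alice@school.edu.au
bob@school.edu.au
carol@school.edu.au
dave@school.edu.au
erin@students.school.edu.au
"""
SCHOOL_DOMAINS = {"school.edu.au", "students.school.edu.au"}  # from section 1.3

def load_emails(text):
    """Read the 'email' column from CSV text, skipping empty cells."""
    return [row["email"] for row in csv.DictReader(io.StringIO(text)) if row["email"]]

def preflight(edrolo_emails, idp_emails, domains):
    """Sort each Edrolo email by how it compares with what the IdP will send."""
    idp_exact = set(idp_emails)
    idp_folded = {e.strip().casefold(): e for e in idp_emails}
    report = {"ok": [], "case_or_whitespace": [], "wrong_domain": [], "not_in_idp": []}
    for email in edrolo_emails:
        folded = email.strip().casefold()
        if email in idp_exact:
            report["ok"].append(email)
        elif folded in idp_folded:
            # Differs only by case or padding: fix it so the match is exact.
            report["case_or_whitespace"].append((email, idp_folded[folded]))
        elif folded.rpartition("@")[2] not in domains:
            report["wrong_domain"].append(email)  # old or personal address
        else:
            report["not_in_idp"].append(email)  # right domain, no IdP account
    return report

if __name__ == "__main__":
    result = preflight(load_emails(EDROLO_EXPORT), load_emails(IDP_EXPORT), SCHOOL_DOMAINS)
    for category, entries in result.items():
        print(f"{category}: {entries}")
```

Every account outside the "ok" list should be corrected in Edrolo or the IdP before SSO is switched on.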

4.2 How do I turn SSO off if something goes wrong?

  1. Go to Admin Hub → Authentication
  2. Uncheck "Enable SSO for all users" and click Save

Users will immediately revert to the standard Edrolo login. Users who never set an Edrolo password can use the Forgot password link to create one. Your SAML configuration is preserved and can be re-enabled at any time.
