# Single Sign-On

Refer to this Wikipedia article for background information about [Single Sign-On](https://en.wikipedia.org/wiki/Single_sign-on).

Shift iQ supports three industry-standard mechanisms for SSO:

1. Azure (Office 365)
2. Google
3. Learning Tools Interoperability (LTI)

We do not implement or support custom SSO mechanisms due to the potential security and privacy risks associated with them.

### Learning Tools Interoperability (LTI) <a href="#learning-tools-interoperability-lti" id="learning-tools-interoperability-lti"></a>

Here are some additional details for using LTI for SSI with the Shift iQ platform.

While LTI is not primarily designed as a SSO mechanism, some of the data it passes in a launch request is about the user. LTI works on the basis of a trust relationship between systems, which is established by means of a key and a secret. This makes it much simpler than providing access to a common identity server.

In LTI, a user is authenticated by a primary system and then can be passed to another system (internal or external) by way of a signed launch message. The system that receives this message verifies its authenticity by inspecting its digital signature, and then implicitly trusting the data it carries; thereby eliminating the need to authenticate the user a second time or reconfirm the user’s identity.

This approach makes LTI a low-cost option for implementing SSO between systems.

Refer to this article for details: [LTI as a SSO Mechanism](https://www.imsglobal.org/learning-tools-interoperability-sso-mechanism)

An LTI launch message submitted for SSO access to Shift iQ looks something like this:

<figure><img src="/files/67YKEGAfMk5WSWqvbgIK" alt=""><figcaption></figcaption></figure>

The LTI Launch message is signed with a secure digital signature, using [HMAC-SHA1](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha1?view=net-7.0) or [HMAC-SHA256](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha256?view=net-7.0), with a secret key that is shared between the two systems.

When Shift iQ receives this message from a user’s web browser, it validates the signature on the message to confirm it is a legitimate interoperability request from an authorized external system.

If request is valid, then Shift iQ authenticates the learner and navigates to the requested course in the Shift iQ Learning Portal.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.shiftiq.com/developers/integrations/single-sign-on.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.