Account, Pricing & Access

SAML Single Sign-On (SSO) setup

PathologyLabTraining supports SAML 2.0 single sign-on so your members can sign in with their institutional credentials (Microsoft Entra / Azure AD, Okta, Shibboleth, Google Workspace, or any SAML-compliant IdP).

We are also registered on the UK Access Management Federation for trusted federation between UK universities and NHS bodies.

How to configure (90% of IdPs)

Import our published metadata into your IdP. Every modern IdP supports this — it pulls the entity ID, ACS, SLS, NameID formats, certificate, and supported bindings in one step. No manual entry needed.

• SP metadata URL: https://pathologylabtraining.co.uk/saml/sp/metadata
• UK Federation entities: pull our metadata directly from the UK Federation trust fabric (search for pathologylabtraining.co.uk); no manual configuration needed.

Quick facts (if your IdP asks)

Setting	Value
Entity ID (SP)	https://pathologylabtraining.co.uk/saml/sp
NameID formats supported	persistent, transient
Signature algorithm	RSA-SHA256
Certificate, ACS, SLS	Inside the published metadata above — your IdP imports them automatically.

Required SAML attributes

Map the following attributes on your IdP (names not strict — your administrator can rename):

• email (required) — primary user identifier
• firstName — given name
• lastName — family name
• eduPersonAffiliation (optional, UK Fed) — member / staff / student
• eduPersonPrincipalName (optional) — for federated environments

If you cannot set firstName/lastName, the user will be prompted to provide them on first sign-in.

Per-organisation configuration

We maintain a per-organisation SAML configuration in our database. Your organisation admin (on PathologyLabTraining) requests SSO setup via Admin Dashboard → Settings → SSO. The PathologyLabTraining team then:

1. Generates an org-specific ACS URL (e.g. /saml-acs/{organizationId})
2. Imports your IdP metadata (from a URL, file upload, or paste)
3. Maps attribute names if they differ from defaults
4. Tests with a sample user before enabling

UK Access Management Federation

If your institution is on the UK Federation, we are listed as:

• Service name: PathologyLabTraining — Biomedical Science Laboratory Training
• Entity ID: https://pathologylabtraining.co.uk/saml/sp
• Registered for category: research and scholarship

Your IdP can pull our metadata directly from the UK Federation trust fabric without manual configuration.

Sign-in flow

1. User goes to /login
2. Clicks Sign in with SAML
3. Enters their institutional email
4. Redirected to your IdP for authentication
5. After successful auth, redirected back to PathologyLabTraining with org access applied automatically

For organisation-specific deep links, use /auth/saml/login/:organizationId.

Single Logout (SLS)

We support SP-initiated SLS. When a user signs out of PathologyLabTraining, we POST a LogoutRequest to your SLS endpoint. If your IdP does not support SLS, configure SP-only logout — users will be signed out of PathologyLabTraining but their IdP session continues.

Common issues

• InvalidNameIDPolicy — your IdP is sending emailAddress NameID. We removed emailAddress support per UK Fed guidance; use persistent or transient.
• Signature mismatch — check that your IdP is using SHA-256, not SHA-1.
• No attributes received — verify your IdP is releasing attributes to our SP entity ID, not just authenticating.
• Clock skew — our SP allows ±5 minute clock skew on SAML responses. If you see "response not yet valid" errors, sync clocks via NTP.

For setup help, contact us via your account manager or [email protected] with the subject "SSO setup — {your organisation}".

Admin contact

All SAML SSO enquiries — initial setup, IdP metadata exchange, attribute mapping, NameID changes, certificate rollovers, federation queries — go through [email protected]. The message is routed to the responsible platform admin within one working day.