Pathwright integrates with external authentication systems via the SAML 2.0 and OpenID Connect protocols. In practice, this allows your school members to sign in with their credentials for other authentication services such as Google Suite, Microsoft Active Directory, Auth0, or other custom integrations.

When logging in via a single sign-on implementation, the user will be redirected to your organization's login pages to authenticate their Pathwright session. In addition, Pathwright maintains links to your external database and automatically updates user profile information when it changes on the identity server.



How SSO works

When a user begins to sign in to Pathwright via an external identity provider, they are redirected to your authentication service to sign in. Pathwright then receives a response from the authentication server either allowing or denying the authentication request based on user permissions.

All Pathwright users are uniquely identified by an email address. For SSO, however, this email address can be updated automatically by your SSO integration, so long as the unique ID provided by the SSO integration is not the email address. This means that for SSO integrations, Pathwright's platform uses the unique identifier from your identity provider to complete the authentication process.

When the authentication process is complete, Pathwright uses the unique identifier for the user that is provided by your authentication server to locate the correct user to sign in. At this point, any user profile information such as name and email will be updated on Pathwright if the attributes reported by the identity provider are different from those stored in Pathwright. If a user does not exist on Pathwright for the external user in your database, a new Pathwright user is created with the email address reported by the identity provider.

Afterward, the user authentication process is complete, and the user will receive access to your school.
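The lookup described above can be sketched as follows. This is an added example, not Pathwright's code: the UserStore class, the issuer URL and the sample claims are hypothetical, the claim names follow OpenID Connect (sub, email, name), and the claims are assumed to have already passed signature, issuer and audience validation.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class User:
    id: int
    email: str
    name: str


class UserStore:
    """In-memory stand-in for a service provider's user table (hypothetical)."""

    def __init__(self):
        self.users = {}        # local user id -> User
        self.by_subject = {}   # (issuer, unique ID from the IdP) -> local user id
        self._ids = count(1)

    def sign_in(self, issuer, claims):
        """Map already-validated IdP claims to a local user; return (user, action)."""
        key = (issuer, claims["sub"])
        if key not in self.by_subject:
            # No local user for this external identity: create one from the claims.
            user = User(next(self._ids), claims["email"], claims.get("name", ""))
            self.users[user.id] = user
            self.by_subject[key] = user.id
            return user, "created"
        user = self.users[self.by_subject[key]]
        changed = False
        for attr in ("email", "name"):
            reported = claims.get(attr)
            if reported and getattr(user, attr) != reported:
                setattr(user, attr, reported)  # the IdP is the source of truth
                changed = True
        return user, "updated" if changed else "unchanged"


if __name__ == "__main__":
    idp = "https://idp.example"  # constructed issuer
    store = UserStore()
    # Stable unique ID: an email change updates the same account.
    print(store.sign_in(idp, {"sub": "a1b2", "email": "ann@old.example", "name": "Ann"}))
    print(store.sign_in(idp, {"sub": "a1b2", "email": "ann@new.example", "name": "Ann"}))
    # Email used as the unique ID: in this sketch an email change yields a second account.
    print(store.sign_in(idp, {"sub": "bob@old.example", "email": "bob@old.example"}))
    print(store.sign_in(idp, {"sub": "bob@new.example", "email": "bob@new.example"}))
```

The last two calls show why the unique ID should not be the email address: once the email changes, the lookup key changes with it and the existing account is no longer found.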

Implementation outline