Knowly supports two Single Sign-On modes, both powered by WorkOS. Which one your organization uses decides who signs in through your identity provider and who signs in with an email link. This article explains the difference so you can pick the right mode for your setup and understand who needs to be in your identity provider.

With Full SSO, everyone in your Knowly organization signs in through your identity provider — administrators, participants, and managers. When someone enters their email on the Knowly sign-in page, they're sent to your identity provider to authenticate. Password-based sign-in is turned off for everyone.

Who needs to be in your identity provider. Everyone who uses Knowly. That includes administrators and trainers, participants and managers, and any external collaborators you invite. External email domains have to be added to your allow list, and those users need to be granted access in your identity provider.

In practice, organizations on Full SSO usually sync a broad group — for example "all employees" — so individual users rarely fall outside the group by accident. This makes Full SSO straightforward to operate once the initial connection is set up.

Best suited for organizations that require all access to be governed by the identity provider, with no exceptions. This is the most common choice for strict security and compliance environments.

​

Team Member SSO is a middle ground. Administrators and people with team memberships sign in through your identity provider. Participants and managers without a team membership sign in with the standard email link instead — no SSO setup required for them.

When a user enters their email on the sign-in page, Knowly looks at their role and team membership and routes them to either SSO or the email link flow automatically.

Who needs to be in your identity provider. Administrators (always), and anyone with a team membership. Participants and managers without a team membership can be invited and access learning journeys without existing in your identity provider, which makes it easier to include external participants like contractors, partners, or customers.

Important. Because only administrators and team members need to be in your identity provider in this mode, it's easy to forget that a new administrator also has to be added to the identity-provider group that's connected to Knowly. Adding someone as an administrator in Knowly alone isn't enough — they also need to be in that group, or they won't be able to sign in. See what to do when a new administrator can't sign in for the fix.

Users who are required to sign in via SSO can't change their email or password in their Knowly profile — those are managed in your identity provider.

Best suited for organizations that want SSO security for administrators and team members but need the flexibility to invite external participants or other users outside the identity provider through email.

​

The differences between the two modes come down to who signs in how, and who needs to exist in your identity provider.

Administrators and team members sign in via SSO in both modes.

Participants and managers without a team sign in via SSO on Full SSO, and via email link on Team Member SSO.

External participants must be added to your identity provider on Full SSO. On Team Member SSO, they can be invited by email without existing in your identity provider.

Password sign-in is off for everyone on Full SSO. On Team Member SSO, it's off only for users who are required to use SSO.

Identity provider required for. Everyone on Full SSO. Administrators and team members only on Team Member SSO.

​

SSO is activated by the Knowly team, not from within Knowly itself. To get started, email [email protected] or reach out to your contact person at Knowly. We'll send you the setup details you need to configure the connection in your identity provider, and switch your organization to the chosen mode once your side is ready.

​

Can we have multiple email domains? Yes. Your organization can have any number of email domains managed through your identity provider. Knowly adds them to your configuration on our side, and you assign access through your identity provider as usual.

What happens if someone outside the identity provider tries to sign in? They'll see an error from your identity provider saying they don't have permission to access Knowly, and should contact their IT department.

Can Knowly support access our organization? Only if you approve it. Knowly's email domain has to be added to your allow list in WorkOS, and you assign specific Knowly support personnel access through your identity provider.

Can we switch from Team Member SSO to Full SSO later? Yes. Contact the Knowly team to discuss switching modes.

Which identity providers are supported? All major providers through WorkOS, including Microsoft Entra ID (Azure AD), Okta, Google Workspace, Ping Identity, OneLogin, and any SAML 2.0 or OIDC-compatible provider.