Overview: Using SSO to sign in to Unifrog
Need to share this with someone who doesn't have a Unifrog account? Here's the link.
----
In a nutshell
SSO allows students and teachers to login to Unifrog via their Google or Microsoft accounts, as well as by using their Unifrog usernames and passwords. It can make logging in much quicker! We do not charge for using our SSO integrations.
Getting started
Step 1: Ask us to switch SSO on for your school/college
The teacher who is the lead contact at your school or college (known as the 'Unifrog champion') needs to ask someone at Unifrog to switch it on for you.
You can see who the Unifrog champion is on the Teacher accounts page in Help on the teacher side.
The best way for the teacher champion to contact us is by email, or by sending us a message using the box on the Teacher accounts page in Help.
Step 2: Technical admin at your school/college giving permission
In almost all cases, a user with admin permissions for your school / college's Google or Microsoft account needs to grant access for other users at your school / college to login to Unifrog with SSO.
You should find out by speaking to your technical team if this is the case at your institution.
If someone at your school / college tries to login with SSO before the admin has given permission, they'll see an interface like one of the two below (as you can see, these interfaces instruct you to send the admin at your school / college a request to grant permission. We cannot send this request to them for you).
The Google version: 
And here's the Microsoft one: 
How do I know if my school / college has SSO switched on?
When SSO has been switched on, all teachers see a pop up on their teacher homepage telling them that SSO is now enabled. Teachers can also see their school / college SSO status here. And - of course - you'll be able to sign in using SSO!
Creating new student and teacher accounts after SSO is switched on for your school / college
SSO does not change how new student and teacher accounts are created (this is still either by syncing with your MIS, or on Unifrog manually / by csv upload). However, when new student and teacher accounts are created after SSO is switched on for your school / college, these new students and teachers can choose to login to Unifrog using SSO without ever choosing a Unifrog password. They can pick a Unifrog password later if they wish, meaning they can also login using the username and password method.
Hosted Domain (Google) and Tenant ID (Microsoft)
What is a Hosted Domain / a Tenant ID?
These are IDs for your school's or college's Google or Microsoft account, that we add for your school/college as part of the setup process for SSO.
Adding these makes it so that people with student or teacher accounts are only able to use SSO with official email addresses for your institution. If they use a personal email address they will not be able to use SSO, but they will be able to use the normal username and password login method.
SSO with Microsoft requires a Tenant ID to be added for your school or college.
For SSO to be used with Google it's not essential for us to add your institution's Hosted Domain, but we recommend it as it provides an extra layer of security.
Where do you find your Hosted Domain / Tenant ID?
A member of your technical team will know what your Hosted Domain / Tenant ID is. Normally you will give us this information when we first switch on SSO for your school / college.
Microsoft IDs are a code, eg 'abf988bf-86f1-41af-91ab-2d7cd011db46', while Google Hosted Domains are website domains, eg 'school.com'.
What else is there to know about Hosted Domains / Tenant IDs?
On Unifrog a school can have up to two Hosted Domains; often one is used for student accounts, and another for teacher accounts.
Sometimes, but not always, all the schools / colleges within a single school or college group use the same Hosted Domains / Tenant IDs. Your technical team will know if this is the case for you.
You can choose to have us set up Google SSO without initially giving us your Hosted Domain, and then we can add it later for you. However, Microsoft SSO only works with a Tenant ID added.
You can see your school's Hosted Domain(s) or Tenant ID on your Unifrog setup page.
SSO FAQs
What about SAML?
Unifrog's SSO integrations are not customer-configured SAML integrations.
For Google SSO, we use Google Sign-In and can restrict access using your institution's Google Hosted Domain.
For Microsoft SSO, we use Microsoft's identity platform and restrict access using your institution's Tenant ID.
You do not need to provide us with SAML configuration details such as an ACS URL, Entity ID, metadata XML, federation metadata, or similar information.
Do we need to register Unifrog as an app in Microsoft Entra ID?
No, you do not need to register Unifrog as an application in your Microsoft Entra ID environment (previously known as Azure Active Directory, or Azure AD).
Unifrog is a centrally hosted platform, and we manage the Microsoft SSO integration on your behalf. This means there is no need for your IT team to create an App Registration, Enterprise Application, or any other Microsoft Entra ID configuration specifically for Unifrog.
Some other platforms require each school or college to register their own application because they offer self-hosted or customer-managed deployments. Unifrog does not support self-hosting, so this step is not necessary.
A Tenant ID is required for Microsoft SSO. Before users at your school or college can sign in to Unifrog using Microsoft SSO, we must add your Microsoft Entra ID Tenant ID to your Unifrog setup. This restriction helps ensure that only users from your institution's Microsoft account can use Microsoft SSO to access Unifrog. Your technical team will be able to provide your Tenant ID as part of the setup process. If you're unsure what it is or where to find it, we can help point you in the right direction.
What about two-factor authentication and SSO?
For SSO, two-factor authentication is managed by Google or Microsoft, not by Unifrog, and it tends to be enabled as standard. Separately, for Unifrog's own username and password system, teachers can have two-factor authentication applied. If you already have a Unifrog teacher account you can find our guide about Unifrog's two-factor authentication for the username and password login method here.
Can parent accounts use SSO?
On Unifrog, parents can have their own dedicated sort of account which lets them: explore the platform like their child can, see opportunities particularly relevant for their child, and join live events for parents - see more here.
To create a parent account:
- First the parent's email address has to be added in the 'Parent / Guardian email address' field on their child's Unifrog profile by the school
- Next the parent opens their own account on this page
Regarding parents and SSO:
- Parent accounts are not tied to particular schools, so the Microsoft Tenant ID or Google Hosted Domain of their child's school is not relevant.
- Parents cannot use SSO with Microsoft, as Microsoft SSO requires a Tenant ID, and parent accounts are not tied to particular schools.
- Parents can use SSO with Google (and they can also use the email and password method),
What about data protection and permission regarding SSO? Do we need a DPIA to allow for us to use SSO?
Using SSO is provided for in our normal Privacy Policy, and a DPIA is unnecessary. You can find our Privacy Policy here: https://www.unifrog.org/privacy-policy
What to do if people have problems logging in after SSO is enabled?
If you're a teacher, you can check if your school / college has SSO enabled here.
If a student or teacher is having trouble logging in via SSO, it might be because their Google or Microsoft username is not the same as the one that exists on Unifrog. After you've updated the usernames on Unifrog, they should be able to login fine. Teachers can find guides on managing student accounts here, and guides on managing teacher accounts here.
If you are a google user, check out troubleshooting guide for Google users: access blocked when using SSO.
If you are a Microsoft user, check out our troubleshooting guide for Microsoft users: approval required when using SSO.
What sorts of devices work with SSO?
SSO works on any device where the user can sign into the Google or Microsoft account that's associated with their Unifrog username.
So, if at your school/college people can only sign into their Google or Microsoft account using a school or college device, you won't be able to use SSO on personal devices. However you'll still be able to sign in via the username and password method (and you can reset your password if you can't remember it, or haven't chosen one yet!)
My school / college is part of group. Can we have SSO switched on in bulk?
Yes you can. You need to ask your Unifrog contact to do this for you. Your Unifrog contact will need to know if you use Google or Microsoft, and what your Hosted Domain(s) / Tenant ID is (including whether this is the same for each member of the group).