Single Sign-On (SSO) allows your employees to log into Trainline Business using their existing Identity Provider credentials, making authentication seamless and secure.
What is SSO?
Single Sign-On (SSO) enables users to authenticate with the same credentials and gain access to multiple applications, without the need for multiple usernames and passwords. By using OpenID Connect, SSO integrates with identity providers (IdPs) like Microsoft Azure Active Directory/Microsoft Entra ID.
Benefits of SSO
- Improved Security: Centralised authentication reduces the risk of weak passwords.
- Better User Experience: Users log in and can access multiple platforms, including Trainline Business.
- Streamlined Experience for Admins: Fewer password reset requests and easier user management when an employee leaves.
What kind of SSO does Trainline Business support?
We support SSO with any provider that supports the OpenID Connect (OIDC) protocol, including (but not limited to):
- Microsoft Entra ID (Microsoft Azure Active Directory)
- Okta
- Ping Identity (PingFederate)
- OneLogin
- Keycloak
- Other Providers – if you use another OIDC-compliant provider, please specify in your request and we’ll get back to you
Setting Up SSO with Trainline Business
Prerequisites
Before you begin, ensure the following:
- You have administrator privileges on your Identity Provider account.
- You have decided how you’d like to invite users to our platform (see ‘Inviting users for SSO’ below).
How to set up SSO
Set up SSO configuration
- As an admin, go to Authentication
- Under SSO (Single Sign-On) select Set up
- Enter:
  - Client ID
  - Client Secret
  - Well-known URL
- Add the email domains that should use SSO
- Select Create configuration
At this stage, SSO is configured but not active.
Test your configuration (Recommended)
Before activating SSO:
- Copy the URL to test
- Open an incognito / private browser window
- Paste the URL and sign in with your work email
- Complete the login with your Identity Provider
- If successful, you’ll see a confirmation message
Using an incognito window prevents conflicts with saved sessions or personal accounts.
If testing fails, check your IdP settings and ensure you are logging in with the work email address associated with your Trainline Business account.
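The Well-known URL entered during setup points to the IdP's OIDC discovery document, and checking that document is a quick first step when the test sign-in fails. The Python below is an added example, not Trainline Business or IdP code; the host name, tenant placeholder and sample documents are constructed, and the checks are a subset of what OpenID Connect Discovery 1.0 requires.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Provider metadata that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
HTTPS_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(well_known_url, doc):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    for field in REQUIRED:
        if field not in doc:
            problems.append("missing required field: " + field)
    # Endpoints that carry credentials or signing keys must be HTTPS.
    for field in HTTPS_FIELDS:
        if field in doc and urlsplit(str(doc[field])).scheme != "https":
            problems.append(field + " is not an https URL")
    # The issuer must equal the well-known URL minus the suffix, otherwise
    # ID tokens from this IdP fail issuer validation at the relying party.
    if not well_known_url.endswith(SUFFIX):
        problems.append("URL does not end with " + SUFFIX)
    elif doc.get("issuer") != well_known_url[:-len(SUFFIX)]:
        problems.append("issuer does not match the well-known URL")
    # An IdP that only advertises "none" would issue unsigned ID tokens.
    if doc.get("id_token_signing_alg_values_supported") == ["none"]:
        problems.append("only unsigned ID tokens are offered")
    return problems

# Constructed sample documents (not taken from any real tenant).
BASE = "https://login.example.test/tenant-placeholder/v2.0"
GOOD_DOC = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with a trailing-slash issuer, a plain-http token endpoint
# and no jwks_uri.
BAD_DOC = dict(GOOD_DOC, issuer=BASE + "/", token_endpoint="http://login.example.test/token")
del BAD_DOC["jwks_uri"]

if __name__ == "__main__":
    print(check_discovery(BASE + SUFFIX, GOOD_DOC))
    for problem in check_discovery(BASE + SUFFIX, BAD_DOC):
        print("FAIL:", problem)
```

To check a real IdP, download the JSON from your Well-known URL with any HTTP client and pass the parsed document to check_discovery together with the exact URL you plan to enter.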
Activate SSO
Once testing is successful:
- Select Activate SSO
- Confirm activation
After activation:
- Password login is disabled for all users on your account; only SSO sign-in is permitted
- Users do still need to be invited to Trainline Business before being able to log in with SSO (see below)
Inviting users for SSO
We do not currently support provisioning or SCIM. For a user to log into the platform via SSO, they must be invited to the platform first. We recommend using our share link feature and sharing it with your employees, so they can sign up to the platform automatically – saving your admin time.
Need to invite many employees at once? Please specify in your request above that you’d like to access the bulk invite feature, which sends each employee an invite to your account on Trainline Business. Simply share a CSV file with the employee details, and we’ll take care of the rest.
Additional Information for Entra ID
- The Trainline Business app is not published in the Entra App Gallery. Do not use the app that appears in the gallery search. Instead, create a new App Registration.
- Once created, the app registration will display the required details, including the Client ID and Well-Known URL. The Well-Known URL can be found under the Endpoints tab.
- Generate the Client Secret manually in the Certificates & secrets tab (left-hand menu). Make sure to copy the secret value (not the Secret ID). Set the expiration in line with your company policy. Corporate administrators are responsible for renewing secrets before they expire.
- The Identifier (Entity ID) and Reply URLs will be provided during the Trainline Business setup process.
- For claims configuration, the default user “read” permission is sufficient.
FAQs
- Can I use SAML? Currently, we only support OpenID Connect-compatible providers. Please submit the form above to check whether your provider is compatible.
- What happens to existing employee accounts? Existing accounts can be linked to SSO during the first login attempt.
- How can I update my SSO settings, or disable SSO? Admins can update SSO settings directly:
  - Go to Authentication
  - Select Edit configuration
  - Update your Client ID, Client Secret, Well-known URL, or domains (or delete your configuration)
  - Save changes
  - We recommend testing your configuration again if making updates.
- Once SSO is set up, can the users access the system without it? No, once SSO is enabled for a specific company account, users with accounts can only log in via SSO.
- One of my employees has moved divisions. How can I change their access? You will need to remove them from the Trainline Business account (i.e. division) they are leaving, before adding them to the new one.
- Does Trainline Business support Provisioning or SCIM? We do not currently support provisioning or SCIM. For a user to log into the platform via SSO, they must be invited via link first (or be invited individually via email).
- What do I do when an employee leaves my company and I don’t want them to access Trainline Business anymore? Users deactivated on SSO will not be able to log into Trainline Business due to SSO enforcement, which is handled by your Identity Provider. Note: if your company used Trainline Business before implementing SSO, any users that had access via regular email/password will need to be manually removed by an admin via the employee management area.
By setting up SSO, your organisation can provide a secure and seamless login experience for all users.