How do we test SSO before launch?
You can run the entire SSO flow end to end without your institution's real identity provider, using the built-in test IdP (FakeU).
What FakeU is
FakeU is a small OpenID Connect provider built into First Six for exactly this
purpose. It implements the real endpoints (authorize, token, jwks) and
mints valid tokens against demo personas, so the callback, identity linking, and
session minting all run through the genuine code path. Nothing is stubbed.
How to use it
Point the institution's sso_config at the test provider and pick a persona:
- Set the config's issuer to the FakeU endpoint and client_id to the test client.
- Start the normal sign-in. You are redirected to a persona picker instead of a real login screen.
- Choose a student or staff persona scoped to the tenant.
- The callback runs as it would in production: the token is verified, the identity is linked to the persona's record, and a session is set.
Because it exercises claim_sso_identity for real, it also validates that your
roster is in place, which is the most common pre-launch snag.
FakeU is disabled in production unless it is explicitly enabled, and it requires its signing key to be configured. It is a pre-launch and staging tool, not something that can be left reachable on a live tenant.
When to switch to the real IdP
Once the flow works against FakeU and your roster syncs cleanly, swap sso_config
to your real IdP (for example Microsoft Entra) and run the same test with a real
account. If the roster is right, the only thing that changes is where the login
screen comes from.
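
A post-switch check for the point above that FakeU must not stay reachable on a live tenant, written as an added example and not First Six's own code. The FakeU issuer URL, the test client id, the `tenant` key and the `environment` argument are assumptions made for illustration; only `issuer` and `client_id` come from this page.

```python
from urllib.parse import urlsplit

# Assumed placeholders: the page does not state FakeU's issuer URL or test client id.
FAKEU_ISSUER = "https://fakeu.example.test/oidc"
FAKEU_CLIENT_ID = "fakeu-test-client"
DEFAULT_PORTS = {"https": 443, "http": 80}

def normalize_issuer(url):
    """Reduce an issuer URL to (scheme, host, port, path) so that case,
    default-port and trailing-slash variants compare equal."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    except ValueError:  # malformed port or bracketed host
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    return (parts.scheme.lower(), host, port, parts.path.rstrip("/"))

def audit_sso_configs(configs, environment):
    """Return (tenant, reason) findings for live configs that still use FakeU."""
    if environment != "production":
        return []  # pointing at FakeU is expected before launch
    fakeu = normalize_issuer(FAKEU_ISSUER)
    findings = []
    for cfg in configs:
        tenant = cfg.get("tenant", "<unknown>")
        issuer = normalize_issuer(cfg.get("issuer") or "")
        if issuer is None:
            findings.append((tenant, "issuer is not a parseable URL"))
        elif issuer == fakeu:
            findings.append((tenant, "issuer is the FakeU endpoint"))
        if cfg.get("client_id") == FAKEU_CLIENT_ID:
            findings.append((tenant, "client_id is the FakeU test client"))
    return findings

# Constructed sample data, not real tenants.
SAMPLE_CONFIGS = [
    {"tenant": "north-college", "issuer": "https://login.example.edu/a/v2.0",
     "client_id": "prod-client-1"},
    {"tenant": "south-college", "issuer": "HTTPS://FakeU.example.test:443/oidc/",
     "client_id": "prod-client-2"},
    {"tenant": "east-college", "issuer": "https://login.example.edu/c/v2.0",
     "client_id": "fakeu-test-client"},
]

if __name__ == "__main__":
    for tenant, reason in audit_sso_configs(SAMPLE_CONFIGS, "production"):
        print(f"{tenant}: {reason}")
```

Run it against an export of the live configs after the swap; an empty result means no tenant still references the test provider.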