Integrations — SSO and roster sync
First Six deliberately has a small integration footprint. To go live, two things connect to your systems: how people sign in, and how the student roster gets in. This page explains both at a level useful for the people approving the project; the step-by-step is in the developer docs.
Single sign-on
Students and staff sign in with your existing identity provider using standard OpenID Connect. The practical implications for you:
- No new passwords. People use the university login they already have, with whatever MFA you enforce. First Six never sees a password.
- You stay in control of access. Because sign-in goes through your IdP, disabling someone there disables their First Six access too.
- Email fallback where there's no SSO. Institutions without SSO can use one-time email links instead.
The technical flow (OIDC with PKCE, token verification) is documented on the OIDC flow page.
A successful SSO sign-in attaches to a student or staff record that already exists from the roster. It cannot invent an account. That's a safety property: only people on your synced roster can get in. It also means the roster has to be connected first.
Roster sync
Your student records system feeds the roster — who's enrolled, in which program, at which campus — so the right students get the right experience. What matters at the decision level:
- You push to us, on your schedule. A secure endpoint receives roster data; you control when it runs.
- Safe to re-run. Sync is idempotent — running it again reconciles rather than duplicating — and it's rate-limited and size-capped.
- Minimal fields. It carries what's needed to place a student: name, email, a student identifier, program, campus, and a first-in-family flag.
The field-level detail and security are documented on the SIS sync endpoint page.
The order of go-live
Because SSO links to existing people, the sequence is: stand up the tenant and brand, sync the roster, then enable SSO. The full sequence is laid out step by step in the onboarding guide.
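The two properties above (a roster push that is safe to re-run, and a sign-in that can only attach to a record already on the roster) are sketched below as an added example; it is not First Six code. The `Roster` class, keying the upsert on `student_id`, and linking on the standard OIDC `email` and `email_verified` claims are assumptions, since this page does not say which attribute links a sign-in to a record. The ID token is assumed to have been verified already, as described on the OIDC flow page.

```python
from dataclasses import dataclass, field

# Constructed sample rows using the fields this page lists for the roster.
SAMPLE_ROWS = [
    {"student_id": "S1001", "name": "A Student", "email": "A.Student@example.edu",
     "program": "BSc Biology", "campus": "North", "first_in_family": True},
    {"student_id": "S1002", "name": "B Student", "email": "b.student@example.edu",
     "program": "BA History", "campus": "South", "first_in_family": False},
]

@dataclass
class Roster:
    """Hypothetical in-memory stand-in for one tenant's roster."""
    people: dict = field(default_factory=dict)  # student_id -> record

    def sync(self, rows):
        """Idempotent upsert keyed on student_id (assumed key).
        Returns (created, updated, unchanged) so a re-run is auditable."""
        created = updated = unchanged = 0
        for row in rows:
            rec = {**row, "email": row["email"].strip().lower()}
            old = self.people.get(rec["student_id"])
            if old is None:
                created += 1
            elif old != rec:
                updated += 1
            else:
                unchanged += 1
            self.people[rec["student_id"]] = rec
        return created, updated, unchanged

    def link_sign_in(self, claims):
        """Attach an already-verified ID token's claims to an existing record.
        Never creates a record; returns None when sign-in must be refused."""
        if claims.get("email_verified") is not True:
            return None  # do not link on an address the IdP has not verified
        email = str(claims.get("email", "")).strip().lower()
        matches = [p for p in self.people.values() if p["email"] == email]
        # Zero matches: not on the roster. Several: ambiguous, so fail closed.
        return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    roster = Roster()
    print(roster.sync(SAMPLE_ROWS))  # first push
    print(roster.sync(SAMPLE_ROWS))  # same push again
    print(roster.link_sign_in({"email": "stranger@example.edu", "email_verified": True}))
```

An IdP that does not emit `email_verified` needs a different agreed link attribute, such as a student identifier claim.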
Common questions
Which identity providers do you support?
Standard OpenID Connect providers, including Microsoft Entra ID. If your IdP speaks OIDC, it fits. See the OIDC flow.
Do you pull data out of our SIS automatically?
No — your side pushes roster data to the sync endpoint on your schedule. You control the flow and the cadence.
Are there other integrations to worry about?
Those are the two that matter for go-live. There are no outbound webhooks, and optional pieces (like an events feed) are additive, not required.