What is Single Sign-On (SSO) and how does it work in Purple Mash?

Updated 2 months ago by Lawrence

What is Single Sign-On (SSO)? 

Single Sign-On (SSO) allows staff to use their Office 365 or Google (GSuite) email address as their login, thereby using the the same password they already use for those services.

The benefit is that staff do not have to remember separate passwords. All password resets and changes are handled by either their Office 365 , not Purple Mash (although staff can continue to also maintain their original username and password in Purple Mash, also).

To enable a school to use Single Sign-On, a school administrator must contact our Support team to request it to be enabled for their school account. A school can use Google (personal or GSuite) or Office 365 - or both. Below is an example of a sign-on box for a school that has enabled both:

What to know about using SSO with Purple Mash

Email Matching: A school admin must first input the relevant Office365 or Google email address in the school's 2Lasso Administrative Dashboard in order for SSO to work. The first time a staff member logs in with their Google or Office 365, a window will pop-up and ask the staff member to authenticate via the relevant service. The email address of the Office 365 or Google login must match what is in 2Lasso in order to match the staff member with their Purple Mash account. We do not store the login credentials (or even see them) when access is authenticated via SSO, but we do match the email address to the user within Purple Mash.

Password Changes: If a staff member changes their Office 365 or Google password (or is required to by their IT department), the next time they login to Purple Mash, they'll be prompted to input their relevant password again. Normally, unless a recent password change has taken place, Purple Mash will bypass the full login screen so that clicking on the Google or Office 365 Sign In button will take the staff member straight into their Purple Mash account.

Only for Staff: Using a Single Sign-On (SSO) works only for staff. Pupils do not use email addresses to sign on to Purple Mash. Pupil logins will continue to be managed by an administrator of a school's Purple Mash license.

Class Assignments: Staff still need to be assigned to classes via the 2Lasso Administrative Dashboard. SSO does not obviate the need for class assignments.

Role Designations: Purple Mash school administrators still need to designate staff roles (as either teachers or admins). SSO does not know by itself what rights or permissions a teacher has.

VLE (Virtual Learning Environments): If your school uses a VLE to access Purple Mash, we do not recommend also using SSOs within Purple Mash. Your VLE may permit using SSO so you may wish to contact them to find out more about that possibility.

Sample SSO Login Windows

When you first login to SSO (or after a password change), you'll see one of the following:

Office 365 SSO
Office 365 SSO

Google SSO
Google SSO

To Remove or Revoke SSO Access

For an entire school: Contact our Support Team to have us disable SSO access for your school account. A school administrator must be the person to contact us.

For an individual: Visit the following places to revoke SSO access to your school's Purple Mash account. (Depending on your access rights, if your Office 365 or Google account is managed by your school or your school's IT department, you may not have access to these areas).

  • Office 365: Visit https://portal.office.com/account/#apps (App Permissions) and view the top where it says "You can revoke permission for these apps". Click Revoke at the bottom left of the Purple Mash box:


How did we do?