Always Learning

Before implementing the Legacy Inbound SSO, you will need to contact your Strategic Customer Operations (SCO) team to get your system ID and shared secret. See the Set Up page for more information.

The Inbound SSO process begins by making an API call to the Inbound SSO service. In that API call, you’ll include HTTP headers that will identify and authenticate your system with LearningStudio. If all goes well, LearningStudio will return a URL to which you can redirect the user.

Supported Roles

This approach can be used for any non-Administrator role in LearningStudio, including Students, Teachers, and Teaching Assistants. (Administrators should continue to sign in via AdminPages as normal; contact your SCO team for help.)

Authentication & HTTP Headers

When you make the API call to request an inbound SSO URL, you’ll use some HTTP Headers to identify and authenticate your system. Use the following headers in your request.

Header Name Value
ECLG_SSO-SystemID The system ID for your institution. Pearson assigns a unique system ID to each institution and you can get this from your SCO team during Set Up.
ECLG_SSO-MAC The HMAC Signature that uses the shared secret and some details from the request. The process for building this signature is below.
ECLG_SSO-Timestamp The ISO-8601 formatted timestamp using UTC time zone at the time the request is made. The format for the timestamp is
Important: This timestamp must be within five minutes of LearningStudio's server time. Please ensure your server clocks are properly synchronized with an official timekeeping service, such as NIST.

To build the HMAC signature, you’ll combine the timestamp, a portion of the API call, and the shared secret to create a hash. LearningStudio will follow the same procedure to verify the signature. You need not and never should transmit the shared secret itself. Here are the detailed steps for creating the signature:

  1. Take the timestamp from the ECLG_SSO-Timestamp header above, and concatenate it with your shared secret. There are no delimiters. For example:


    This value will be the algorithm key for the HMAC hash.

  2. Take the URI for the API call and create a SHA1 HMAC hash using the algorithm key from step one. Only use the portion of the URL after the domain, and include the query string parameters. For example, while you might make an API call to

    The value which you will hash is only:


  3. Base-64 encode the hash and include it as the value to the ECLG_SSO-MAC header.

Resource URLs

For this API, you’ll use a GET request and the hostname Then use this URI:

URI Description
/sso/{client_string}/tokenurl.rails Request an entry URL for the PSH or DCL.

Replace {client_string} with your campus client string, e.g., strata.

Query String Parameters

Name Description
u The user’s login ID (or username) in LearningStudio, which is typically the primary identifier for a user's account in your system. Every LearningStudio user must have a login ID, which is set up via AdminPages, or using one of the SIS Integration approaches.
c The call number for a course. Call numbers are external identifiers for a course, typically from the institution’s course catalog. Courses do not require a call number but they are required to use Legacy Inbound SSO for Direct Course Launch. Call numbers can be set up via AdminPages or using one of the SIS Integration approaches.

If you do not include the c parameter, the Inbound SSO will launch the user to the PSH. If you do include it, the Inbound SSO will directly launch the course.

Response Detail

The Legacy Inbound SSO API will return an XML response that includes the URL in an element called <tokenUrl>. Redirect the user’s browser to this URL using a standard HTTP 302 redirect.

<?xml version="1.0" encoding="UTF-8"?>

HTTP Response Codes

See HTTP Response Codes for the success and failure codes this API uses.



Endpoint for PSH Launch


Endpoint for DCL Launch


HTTP Headers

ECLG_SSO-SystemID: PublicuSsoAccount
ECLG_SSO-Timestamp: 2011-10-06T21:34:25Z



<?xml version="1.0" encoding="UTF-8"?>


You'll send this HTTP header to your users' browser.

HTTP/1.1 302 Found
2023 reads
Always Learning