Webhooks & SSO

Webhooks push events out of EduPrime the moment they happen, and Single Sign-On lets staff and students log in with your existing identity provider – two integrations that keep external systems in step and access centrally controlled.

Where to find it — App drawer → Virtual Classroom → Attendance.
Webhooks & SSO
Webhooks & SSO in EduPrime.

Subscribing to events

Rather than polling the API, subscribe to webhooks – EduPrime sends an HTTP POST to your endpoint whenever a subscribed event occurs. Configure them under Settings → API & Integrations → Webhooks.

EventFires when
student.enrolledA student is admitted to a programme
invoice.paidA fee invoice is fully paid
result.publishedResults are released for a cohort
application.submittedAn online application is received
certificate.issuedA short-course or competency certificate is issued
  1. Register a callback URL (HTTPS only) and select the events to receive.
  2. EduPrime POSTs a JSON payload with the event type, timestamp and the relevant record.
  3. Respond 2xx quickly to acknowledge; do heavy work asynchronously.
  4. Failed deliveries are retried with backoff; persistent failures are queued for inspection.

Signature verification

Because a webhook endpoint is a public URL, you must verify each delivery genuinely came from EduPrime. Every POST carries an X-EduPrime-Signature header – an HMAC of the raw request body computed with your webhook signing secret.

  1. Take the raw request body (bytes, before parsing).
  2. Compute HMAC-SHA256(body, signing_secret).
  3. Compare it to the header value using a constant-time comparison.
  4. Reject the request if they do not match, or if the timestamp is too old (replay protection).
Important — Never trust a webhook on URL alone – always verify the signature before acting on it. An unverified endpoint that, say, marks invoices paid is an open door. Keep the signing secret out of source control and rotate it if it may have leaked.

Single sign-on

SSO lets users authenticate through your institution’s identity provider rather than a separate EduPrime password. EduPrime supports the common enterprise protocols:

  • OpenID Connect (OIDC) – OAuth 2.0-based; the typical choice for Google Workspace and Microsoft Entra ID.
  • SAML 2.0 – for identity providers and federations that standardise on SAML.

With SSO, joiners and leavers are managed centrally: disable an account in the IdP and access to EduPrime ends with it. You can map IdP groups to EduPrime roles so a user’s permissions follow their directory group.

Tip — Keep one break-glass local administrator account outside SSO. If the identity provider is ever unreachable, you can still get in to fix the connection – protect that account with a strong password and MFA, and audit its use.
Was this page helpful?