As part of a technical update, the central login process for WebUntis is being modernized.
This change affects all schools that use SSO (Single Sign-On) for authentication.
The transition may require technical adjustments on your side and must be completed no later than July 1, 2025. After this date, only the new central SSO domains will remain functional.
These adjustments are necessary to ensure the functionality of the login process.
Please make sure to schedule the transition in a timely manner.
Am I affected?
The transition affects all schools that use one of the following technologies for login:
-
OpenID Connect (OIDC)
-
Office365 (O365)
-
SAML
You can recognise whether your school uses one of these applications by the fact that settings are entered here or entries are made in the individual fields.
How to check your configuration:
In WebUntis, navigate to Administration > Integration
and check whether one of the three technologies is in use.
If the input fields are empty, you do not need to do anything else - you can stop reading here.
If there are entries, please continue reading!
Timeline
🟡 When can testing begin?
Testing of the new SSO integrations will be possible starting June 5, 2025, at 3:00 PM, with the WebUntis release 2025.13.0.
🟢 Parallel operation until the deadline
-
Period: June 5, 2025 – June 30, 2025
-
During this timeframe, both the old and the new SSO variants can be used simultaneously.
-
This allows for risk-free testing and a gradual transition.
You are free to choose the time within this period that best suits your school for the switch.
🔴 Starting July 1, 2025
-
Only the new central domains will be valid.
Without the transition, your users may no longer be able to log in.
Technical Transition: What needs to be done?
1. Allow-list domains
If your school network uses a filter or firewall, please ensure that the following domains are allow-listed:
-
o365.webuntis.com
-
oidc.webuntis.com
-
saml.webuntis.com
Note: If needed, please contact your IT administration.
2. Implementation depending on SSO technology
🔹 Office365
-
No further action is required in this case
🔹 OIDC
-
In your Identity Provider (IDP), you must register the domain
oidc.webuntis.com
as an Allowed Redirect Host:-
Callback URL: https://oidc.webuntis.com/WebUntis/oidc/callback
-
Logout URL: https://oidc.webuntis.com/WebUntis/
-
🔍 Note:
In Azure AD, it is sufficient to add the domain once to the list of redirect URIs.
With other IDPs (e.g., Keycloak, Auth0), you may need to enter login and logout redirect URIs separately.
-
-
In WebUntis, activate the option
Use central redirect URI (Preview)
-
Click Save
-
Test the login
If login issues occur after the change, you can simply deactivate the option again.
Then please contact your regional WebUntis support.
🔹 SAML
-
Check Registration ID
Go toAdministration > Integration > SAML
and check whether the Registration ID field is filled in.
If it’s empty: Please contact your regional WebUntis support.
This field only needs to be filled in if your school uses SAML, i.e. if settings are stored here. -
Import new metadata
Click the button Download new Metadata XML and upload the XML file to your SAML IDP (e.g., Azure AD, Keycloak, etc.).
The rest of the configuration in the IDP remains unchanged. -
Test login
Click “Test Login” to verify the new SAML integration. -
Enable for all users
Then enable the checkbox “Use new SAML-implementation” and save your changes.
⚠️ Special case: Are you already using the new SAML implementation?
-
In the ‘SSO Provider’ field, add the suffix “-redirect”
-
Click Save
-
Click the button “Download new Metadata XML” and upload the XML file to your configured SAML IDP (e.g., Azure AD, Keycloak, etc.)
Support
- If you have any questions, please contact your regional WebUntis support.