PLTW in Platform 2.0

Options for Supporting the PLTW Instructor Pipeline

How do we preserve the PLTW lead-gen funnel as we migrate to Platform 2.0? This document presents the current state, the gap, and four options for the team to evaluate.

Prepared by: SolidProfessor Engineering Document Version: 1.0 Date: February 2026 Status: For Team Discussion

The PLTW User Journey Today (Legacy)

Project Lead The Way (PLTW) is a nonprofit that provides STEM curriculum to K-12 schools across the United States. PLTW instructors are a significant source of leads for SolidProfessor's education business. Here is how the pipeline works today:

Instructor on
PLTW website

→

Clicks link
to SP

→

Signs up for
individual account

→

"Login with PLTW"
(OAuth 2.0)

→

Tagged as lead
in Salesforce

→

Sales outreach
& EDU conversion

An instructor is on PLTW's website and discovers SolidProfessor through a partner link.
The instructor clicks through and signs up for an individual SolidProfessor account — not a school account, just a personal one.
On the SP login page, the instructor can use the "Login with PLTW" button, which authenticates them through PLTW's Okta instance using a custom OAuth 2.0 flow.
The new user is automatically tagged as an "SP Web" lead in Salesforce, flagged as PLTW-sourced.
The sales team reaches out to the instructor and attempts to convert them to an EDU (education) account.
If converted, a school account is created and the user becomes an Instructor with access to classes, student management, and reporting.

~4,000

PLTW teachers in the pipeline, representing 30–40% of K-12 prospects. This is a critical lead source flagged by Sales for the 2.0 migration.

Technical detail: This flow was fully implemented and working in the legacy application (legacy-app/). The PLTW login is a custom OAuth 2.0 integration (not SAML), using PLTW's Okta instance (pltw-ext.okta.com) with a shared client_id/secret for all of SolidProfessor. The legacy backend (OauthPLTW.php, OauthClientController.php) handles the full flow including auto-provisioning PLTW users with a 1-year plan. However, this integration was never fully ported to Platform 2.0 — the Platform 2.0 codebase (platform-frontend + platform-backend) contains partially implemented dead code. See Page 3 for the full gap analysis.

What Platform 2.0 Supports Today

Platform 2.0 (the Nuxt 2 / Vue 2 frontend) has a modern SAML SSO implementation for enterprise accounts. Here's how it currently works and where the gaps are for PLTW:

SAML SSO (Company & School Accounts)

SAML is fully supported for company and school accounts only. An admin configures SAML via Account → SAML Configuration → Email Domains in platform-admin. When a user logs in, their email domain is detected, they're routed to their organization's Identity Provider, and upon successful authentication they are auto-provisioned into the company/school account.

Individual Accounts

Individual accounts support email/password or social login (Google, LinkedIn). There is no SAML support for individual accounts — the platform-admin UI explicitly filters out SAML onboarding strategies for individual account types.

PLTW OAuth in Platform 2.0 — Dead Code

While PLTW OAuth was fully working in the legacy application (legacy-app/ with hardcoded credentials in OauthPLTW.php), the integration was only partially ported to Platform 2.0. Class files exist in platform-backend (PltwServiceProvider.php, OAuthProvider.php enum), but the integration was never fully wired up:

platform-frontend: The PLTW login button is not rendered — LoginForm.vue's socialMediaButtons array only includes Google, LinkedIn, and SAML. CSS and logo assets exist in SocialLoginButton.vue but are unreachable.
platform-backend Socialite driver: Not registered — EventServiceProvider.php only registers Cognito; no PLTW handler is wired.
platform-backend config URLs: Missing — config/urls.php has no urls.pltw.* entries.
platform-backend credentials: Missing — config/services.php has no PLTW client_id or client_secret. (The legacy app had these hardcoded in OauthPLTW.php.)

Bottom line: Even adding the frontend login button alone would fail — the Platform 2.0 backend Socialite driver isn't registered and there are no configured OAuth endpoints or credentials. Any option that uses PLTW OAuth requires completing the port from legacy to Platform 2.0, not just a UI change.

Gap Analysis

Capability	Platform 2.0 Status
SAML SSO for school/company accounts	Supported
SAML SSO for individual accounts	Not supported
PLTW OAuth login	Dead code — partially implemented, non-functional
Individual → EDU account conversion	No tooling exists
Lead source tracking (PLTW tag)	Needs Salesforce alignment

The core problem: Platform 2.0's SAML SSO only works at the company/school account level. PLTW instructors sign up as individual users first. Without a path for individual PLTW authentication in 2.0, the entire lead-gen funnel breaks when we migrate off the legacy frontend.

A

PLTW "Umbrella" Academic Account

Low Effort

How It Works

Create a single academic account for PLTW in platform-admin and configure SAML SSO against PLTW's Okta instance. All PLTW instructors would land in this shared "umbrella" account as Learners. When sales converts an instructor, they manually move the user to the instructor's own school EDU account.

Implementation

No code changes required — this is purely configuration:

Create a PLTW academic account in platform-admin
Configure SAML SSO with PLTW's Okta IdP metadata
Map PLTW email domains to this account in AWS Cognito
All PLTW-authenticated users auto-provision into this holding account

Pros

Uses existing SAML infrastructure as-is
All PLTW users visible in one place for sales
SSO works on day one with no development
Zero engineering effort

Cons

Instructors aren't truly "individual" — they're in a shared holding account
"Moving" a user to a different school account requires manual admin work
Doesn't match the legacy individual signup experience
Seat management for 4,000+ users in one account becomes unwieldy
Reporting is muddied — one giant account, not individual leads

Key concern: This changes the PLTW user experience fundamentally. Instead of getting their own individual account, instructors land in a shared "holding pen." Sales would need a process to extract users from this account, and we have no tooling for cross-account user transfers today.

B

Keep PLTW OAuth (Preserve Legacy Pattern)

Medium Effort

How It Works

PLTW OAuth was fully working in the legacy application but was only partially ported to Platform 2.0 (see Page 3). This option completes that port — wiring up the platform-backend Socialite driver, adding configuration and credentials, and adding the "Login with PLTW" button to platform-frontend. Individual accounts are created exactly as the legacy flow works today.

Implementation

Register the PLTW Socialite driver in EventServiceProvider.php — create a PltwExtendSocialite event handler (currently only Cognito is registered).
Add PLTW endpoint URLs to config/urls.php — add urls.pltw.authorize, urls.pltw.token, and urls.pltw.userinfo entries.
Add PLTW client credentials to config/services.php — wire client_id and client_secret from environment variables.
Configure environment variables for PLTW OAuth endpoints and credentials across all deployment environments.
Add PLTW to the socialMediaButtons array in LoginForm.vue to render the "Login with PLTW" button on the Platform 2.0 login page.
Verify PLTW's Okta OAuth endpoints are still active and accepting client credentials — coordinate with PLTW if endpoints have been decommissioned.
Test the full flow: PLTW login → OAuth redirect → callback → individual account creation → session.

Pros

Preserves the lead-gen funnel exactly as-is
Individual accounts match the legacy experience
Class files already exist — wiring work is well-defined
Fastest path that maintains the individual signup flow

Cons

More backend work than previously assumed (Socialite registration, config, credentials)
Maintains a custom OAuth integration we were moving away from
PLTW's OAuth endpoints must still be active on their side (unverified)
Still no Individual → EDU conversion tool
One-off integration — doesn't scale to other partners

Effort note: This is more than just adding a button. While the legacy app has a fully working implementation, the Platform 2.0 port is incomplete — the platform-backend Socialite driver must be registered, OAuth endpoints and credentials must be configured, and the platform-frontend button must be added. Effort is Medium, not minimal.

Source files: PltwServiceProvider.php (OAuth provider class), OAuthProvider.php (enum registration), EventServiceProvider.php (Socialite driver registration — missing PLTW), config/urls.php (endpoint URLs — no PLTW entries), config/services.php (credentials — no PLTW entries), LoginForm.vue (socialMediaButtons array — no PLTW), AuthenticationController.php (login flow), SocialLoginButton.vue (platform-frontend button/CSS for reference).

C

SAML SSO for Individual Accounts

Med-High Effort

How It Works

Extend the platform to allow individual accounts to have SAML configurations. Today, SAML is only available for company and school accounts because the admin UI and backend logic explicitly filter it out for individual account types. This option removes those restrictions and creates a new provisioning path for individual SAML users.

Implementation

Platform-admin: Remove the filteredOnboardingStrategies filter in AccountForm.vue (line ~607-615) that blocks SAML strategies for individual accounts.
Backend: Update AuthenticationController SAML callback to handle individual accounts — skip the ProvisionUserToCompany step and create an individual account instead.
Backend: Update SamlEmailValidation rule to not require a Company. Allow AccountDomain records without a Company association.
Create a new onboarding strategy variant for individual SAML that handles the "create individual account, not company member" flow.

Pros

Generic solution — benefits any partner wanting individual SSO
Clean architecture: SAML works for all account types
PLTW becomes "just another SAML configuration"
Future-proof for additional partner integrations

Cons

Larger engineering effort (backend + admin + testing)
Changes the fundamental assumption that SAML = enterprise
Need to define what "individual SAML account" means for provisioning
Edge cases: what happens if an individual SAML user later converts to EDU?

Architectural question: Today, a SAML login triggers ProvisionUserToCompany which auto-assigns the user to a company/school. For individual SAML, we'd need a new path: SAML assertion → validate → create individual account → session. This is a meaningful change to the authentication architecture.

D

Hybrid: OAuth Onboarding + SAML After Conversion

High (Phased)

How It Works

Combine the best of both worlds: keep PLTW OAuth for the initial individual signup (preserving the lead-gen funnel), and when sales converts an instructor to EDU, set up SAML SSO on the school account. Build an "account conversion" tool in platform-admin to streamline the Individual → EDU transition that sales performs today manually.

Phased Implementation

Phase 1 — PLTW OAuth in Platform 2.0

Same as Option B: complete the PLTW OAuth integration (backend wiring + frontend button).

Register Socialite driver, configure endpoints and credentials (see Option B steps 1–4)
Add PLTW social login button to Platform 2.0 login page
Verify OAuth callback creates individual accounts correctly
Tag PLTW-sourced users for Salesforce lead tracking

Phase 2 — Account Conversion Tool

Build a tool in platform-admin for the sales-to-EDU workflow:

Select individual user → create or assign to a school account
Change user role from Individual to Instructor
Migrate user data (progress, certificates) to the new account context
Optionally configure SAML SSO on the school account

Phase 3 — Lead Tracking

Ensure full visibility for the sales pipeline:

Tag PLTW-sourced users automatically in Salesforce
Dashboard for sales to view PLTW leads and conversion status

Pros

Best of both worlds: easy onboarding + enterprise SSO after conversion
Matches the actual sales workflow (individual → EDU)
Conversion tool benefits all sales workflows, not just PLTW
Phase 1 is well-defined (same scope as Option B)

Cons

Largest total engineering effort across all phases
Two-phase delivery — full value takes longer
Conversion tool is complex (user data migration, role changes)

Strategic value: The account conversion tool (Phase 2) solves a broader problem than just PLTW. Today, every Individual → EDU conversion is a manual, error-prone process. Building this tool benefits every sales conversion workflow.

Recommendation Matrix

Criteria	Option A Umbrella Account	Option B Keep OAuth	Option C Individual SAML	Option D Hybrid
Engineering Effort	Low	Medium	Med-High	High (phased)
Preserves Lead Funnel	Partially	Yes	Yes	Yes
Individual Experience	No	Yes	Yes	Yes
Conversion Tooling	No	No	No	Yes
Code Changes	None	Moderate	Significant	Phased
Future-Proof	Limited	Limited	Yes	Yes
Time to First Value	Immediate	2–3 weeks	4–6 weeks	2–3 weeks*

* Option D Phase 1 delivers the same value as Option B in 2–3 weeks. Full value (conversion tool) takes longer.

Open Questions for Team Discussion

Is the PLTW OAuth endpoint still active? We need to verify that PLTW's Okta instance still accepts our OAuth client credentials. If not, Options B and D (Phase 1) require coordination with PLTW.
How does sales currently "convert" Individual → EDU? Understanding the manual process helps us assess the value of the conversion tool in Option D and informs whether we need it regardless of the PLTW decision.
Do we need individual SSO for other partners beyond PLTW? If yes, Option C becomes more attractive as a generic solution. If PLTW is unique, the cost of Option C may not be justified.
What's the priority: quick win or long-term solution? Options A and B can be delivered immediately. Options C and D solve deeper architectural problems but take longer. The answer depends on when the legacy frontend is being retired.

Source files referenced in this document: PltwServiceProvider.php, OAuthProvider.php, EventServiceProvider.php (Socialite registration), config/urls.php (endpoint config), config/services.php (credentials config), LoginForm.vue (socialMediaButtons array), AuthenticationController.php, AccountSamlConfiguration.php, SamlEmailValidation.php, AccountForm.vue:607, SocialLoginButton.vue