Overview
SAML (Security Assertion Markup Language) is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider. Our SAML 2.0 Single sign-on integration allows users to sign in to our platform through an Identity Provider (IdP).
Installing SAML 2.0 SSO
Go to Admin/App center, install the SAML 2.0 SSO app, then click Configure.

Configuring SAML 2.0 SSO
After installing the app, go to Admin/Single sign-on/SAML 2.0 and click Configure to start setting up your options.

You will be taken to the SAML admin page, where you can enter the following details:
- ID Attribute - enter the SAML attribute used to identify the MATRIX account. Leave blank to use Name ID as the attribute.
- Match ID using - you can select from 3 options to match to the SAML ID attribute, which are the username, unique ID, and email.
- Issuer/Entity ID - enter the IdP metadata URL.
- Login URL - enter the IdP Login URL.
- Logout URL - enter the IdP Logout URL.
- Logout type, which can be:
  - Standard - users are directed to the page specified in the Logout URL field after logout.
  - Single Logout - users are logged out of all logged-in SAML services.
- X.509 Certificate

You can also enable the "Auto-create" option for SAML. When it is enabled and no matching user account is found, a new account is created. When it is not enabled and no matching user account is found, the "User not found" error is returned.

When you enable the feature, two new fields will be created for the first and last names.

When setting up the SAML provider app (e.g., Onelogin, Okta, etc.), you'll have to add these custom fields for the user account.

If first_name and last_name are added as custom fields (Attribute Statements), we read them and map them to the first name and last name of the new user on the learning platform.

Note that if these two fields are set up both on the SAML provider app and on the learning platform, the new user is created with that first name and last name. Otherwise, we parse the new user's email address to obtain them.
When you have configured the options, click Save.

Single sign-on using SAML 2.0 will be enabled. To edit the information, click on Edit. To disable the integration, click on Disable.

You will see the option to log in using SAML 2.0 on the visitor portal.

Configuring SAML 2.0 SSO with ADFS
Please follow these steps to configure SAML 2.0 SSO with ADFS.
Export Token-signing certificate from ADFS
- To do this, open “Server Manager”, then “AD FS Management” (via Tools).
- Now, go to “Service -> Certificates”.
- Right-click on the token-signing certificate, click “View certificate”, then go to its Details tab and click “Copy to File…”.
- Now, in the “Export File Format” dialog, select “Base-64 encoded X.509 (.cer)”.
- Set the file name to something easy to remember, like “Certificate_for_LMS_integration.cer”.
Configuring the Relying Party Trust
- Go back to the ADFS management tool and go to “Relying Party Trusts”.
- Select the “Claims aware” option in the wizard and click “Start”.
- Select “Enter data about the relying party manually” and click “Next”.
- Enter a display name, for example, “LMS_SSO”.
- Leave “Configure certificate” empty and click “Next”.
- Select “Enable support for the SAML 2.0 Web SSO protocol”.
- Now, in the “Relying party SAML 2.0 SSO service URL” enter “https://yourlmsURL/saml_sso/acs” and click “Next”.
- In the “Relying party trust identifier:” field enter “https://yourlmsURL/saml_sso/metadata”, then click “Add”, and click “Next”.
- For “Choose an access control policy”, select “Permit everyone” and click “Next”.
- In the “Ready to Add Trust” dialog, review the settings you have configured and click “Next”.
- In the “Finish” dialog, click “Close”.
Adding the signature certificate
- Double-click on the created relying party trust (LMS_SSO).
- Go to the “Signature” tab (NOT Certificates).
- Upload this certificate (you can also extract it from the metadata of your portal): /files/262157/lms_signature_cert.cer
- Click “Apply”, then click “OK”.
- Right-click on the created relying party trust (LMS_SSO) and click “Edit Claim Issuance Policy”.
- In the dialog that opens, click “Add Rule…”.
- Select “Send LDAP Attributes as Claims” and click “Next”.
- Enter a name for the claim rule, for example, “Email-to-email”.
- Set “Attribute store:” to “Active Directory”.
- Now, in the “LDAP Attribute” column, select “E-Mail-Addresses”.
- In the “Outgoing Claim Type” column, select “E-mail Address”.
- Click “OK”.
- Now, let’s add the transform rule:
- Click “Add Rule…” again.
- For the claim rule template, select “Transform an Incoming Claim” and click “Next”.
- Enter a descriptive rule name (for example, “e-mail-to-nameid”).
- For “Incoming claim type:” select “E-mail Address”.
- For “Outgoing claim type:” select “Name ID”.
- For “Outgoing name ID format:” select “Email”.
- Select the “Pass through all claim values” option and click “OK”.
SAML 2.0 LMS configuration
- Log in to your LMS portal, go to Admin/Single Sign-On, then to “SAML 2.0”, and click “Configure”.
- Now, fill in the following:
  - ID attribute: leave blank or set it to “NameID”.
  - Match ID using: “Email”.
  - Issuer/Entity ID: http://youradfsdomain.com/adfs/services/trust
  - Login URL: https://yourADFSdomain.com/adfs/ls/
  - Logout URL: your LMS portal (or another URL, if you prefer).
  - Logout Type: “Standard”.
  - X.509 Certificate (this is very important, so make sure you don’t make any mistakes here):
    - Right-click on the certificate exported in the first section (Certificate_for_LMS_integration.cer) and open it in “Notepad” (NOT Notepad++).
    - Now, without changing anything, press CTRL + A (to select all), then CTRL + C (to copy the content), then paste it into the LMS X.509 Certificate field.
    - Make sure that you don’t change anything (not even a space), and click “Save”.
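A pasted certificate that is missing a line, has a stray character, or carries a hidden byte-order mark will silently break signature validation. The following script is an added example, not part of the LMS or ADFS tooling: it checks that the text you are about to paste is an intact Base-64 X.509 block and prints its SHA-1/SHA-256 fingerprints so you can compare them with the thumbprint shown in AD FS Management under Service -> Certificates. The embedded sample is a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def check_pasted_cert(pem_text):
    """Check that a pasted PEM certificate is intact and return its fingerprints.

    'problems' lists what is wrong (empty when the paste is clean); 'sha1' and
    'sha256' are fingerprints of the DER bytes, so the SHA-1 value can be compared
    with the thumbprint AD FS Management shows for the token-signing certificate.
    """
    problems = []
    if pem_text.startswith("\ufeff"):
        problems.append("UTF-8 byte-order mark at the start (re-save the file as plain text)")
        pem_text = pem_text[1:]
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_HEADER:
        problems.append("missing or altered BEGIN CERTIFICATE line")
    if not lines or lines[-1] != PEM_FOOTER:
        problems.append("missing or altered END CERTIFICATE line")
    body = "".join(ln for ln in lines if ln not in (PEM_HEADER, PEM_FOOTER))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid Base64 (stray characters or a truncated paste)")
        der = b""
    # A DER-encoded X.509 certificate always begins with a SEQUENCE tag (0x30).
    if der and der[0] != 0x30:
        problems.append("decoded bytes do not start like a DER certificate")
    return {
        "problems": problems,
        "sha1": hashlib.sha1(der).hexdigest() if der else None,
        "sha256": hashlib.sha256(der).hexdigest() if der else None,
    }


# Constructed placeholder: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_PEM
    print(check_pasted_cert(text))
```

Run it with the path of the exported .cer file; an empty problems list and a matching SHA-1 thumbprint mean the paste is safe to save.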
Notes:
- Make sure that the user has an e-mail address linked to their account (don’t confuse login credentials with the e-mail address).
- You can check whether a user has an e-mail address linked to their profile via Active Directory.
- After you have properly configured the integration, if you try to log in with a user that doesn’t have an e-mail address linked to their profile in Active Directory, you will receive a status code error (“Responder” instead of “Success”).
- The URLs used for an entity are the default ones generated by Microsoft, but depending on your server’s settings, they might be customized.
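When a login fails with a “Responder” status, the quickest way to see what ADFS actually sent is to decode the SAMLResponse from the browser and look at its status and NameID. The script below is an added diagnostic example (not part of the LMS or ADFS); it assumes the XML has already been Base64-decoded, uses the standard SAML 2.0 namespaces and the ADFS e-mail claim type, and deliberately does not verify the XML signature, so it must never be used to accept a login. Both sample responses are constructed, not captured from a real server.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Claim type produced by the "E-mail Address" outgoing claim in the LDAP rule above.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def inspect_response(xml_text):
    """Summarise the parts of a decoded SAML Response that the LMS login depends on.

    Diagnostic only: the XML signature is not checked, so the result says nothing
    about whether the response is genuine.
    """
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    status = code.get("Value", "").rsplit(":", 1)[-1] if code is not None else "missing"
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    email = root.find("saml:Assertion/saml:AttributeStatement/saml:Attribute"
                      f"[@Name='{EMAIL_CLAIM}']/saml:AttributeValue", NS)
    return {
        "status": status,  # "Success" or, for a failed login, e.g. "Responder"
        "name_id": name_id.text if name_id is not None else None,
        "name_id_is_email": name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
        "email_claim": email.text if email is not None else None,
    }


# Constructed sample: what a working e-mail-to-NameID configuration produces.
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the failure described in the notes above (no e-mail on the AD user),
# reported as a Responder status with no usable NameID.
RESPONDER_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_r2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml_text in (("success", SUCCESS_RESPONSE), ("responder", RESPONDER_RESPONSE)):
        print(label, inspect_response(xml_text))
```

A Success status with a NameID in e-mail format and a matching e-mail claim is what the “Match ID using: Email” setting expects; anything else points back at the claim rules or the user's AD record.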