SAML 2.0 SSO

Overview

SAML (Security Assertion Markup Language) is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider. The SAML 2.0 Single sign-on integration allows users to sign in to the platform through an Identity Provider (IdP).

Installing SAML 2.0 SSO

To use SAML 2.0 SSO, you must first install the app. To install the app, administrators:

  1. Click Admin from the primary navigation menu.
  2. Click App center from the fly-out menu.
  3. Click Install on the SAML 2.0 SSO app in the Authentication section.

Admin, App center with the SAML 2.0 SSO app tile highlighted in the Authentication section

Configuring SAML 2.0 SSO

After installing the SAML 2.0 SSO app, you can configure the integration. To configure SAML 2.0:

  1. Click Admin from the primary navigation menu.
  2. Click Single sign-on from the fly-out menu.
  3. Click the SAML 2.0 tab.
  4. Click Configure.

Admin, Single sign-on, SAML 2.0 page with the Configure button highlighted

The SAML 2.0 configuration details display: 
  1. ID Attribute: Enter the SAML attribute used to identify the CYPHER Learning account.
    1. Important Note - Leave the field blank to use NameID as the attribute.
  2. Match ID using: Select the field you will use to match to the SAML ID attribute:
    1. Email
    2. Username
    3. Unique ID
  3. Issuer/Entity ID: Enter the IdP (Identity provider) metadata URL.
  4. Login URL: Enter the IdP Login URL.
  5. Logout URL: Enter the IdP Logout URL.
  6. Logout type: Select from the following logout types:
    1. Standard: Users are directed to the page specified in the Logout URL field after logout.
    2. Single Logout: Users are logged out of all logged-in SAML services.
  7. X.509 Certificate: Enter the IdP X.509 certificate.

Admin, Single sign-on, Configure SAML 2.0 page with example values entered

If users already have an active session with the Identity Provider, they can be authenticated without being prompted to log in again (silent authentication). To enable silent authentication:
  1. Select the Silent authentication checkbox.
Admin, Single sign-on, Configure SAML 2.0 page with the Silent Authentication setting highlighted

By default, if a matching account is not found during the SSO authentication process, a User not found error will display.
If you would like the CYPHER Learning platform to auto-create new accounts if they don't currently exist on your learning platform during the authentication process: 
  1. Select the Auto create account if it doesn't exist checkbox.

If you select the Auto create account if it doesn't exist checkbox, new fields are displayed:

  1. First name field
  2. Last name field
  3. Group field 

When setting up the SAML provider app (e.g., Onelogin, Okta, etc.), you must set up the first name and last name fields for the user accounts. The screenshot below is an example of setting up the first_name and last_name fields in an Identity Provider application.

Identity Provider application example of Attribute Statements

If the customer includes first_name and last_name as custom fields (Attribute Statements) in their SAML provider app, these values can be mapped to populate the user's first name and last name in the learning platform (shown in the screenshot below).

If both fields are configured in the SAML provider app and mapped in the learning platform, the user will be created with a first name and last name. Otherwise, only the email address will be used to create the user account. 
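As an added example (not CYPHER Learning's code), the following Python shows how the settings above fit together when a service provider processes an assertion: a blank ID Attribute falls back to NameID, the identifier is matched against the chosen field, and auto-create only fills in names when both first_name and last_name are mapped. The assertion, the user table and the field names email/username/unique_id are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion (not a real IdP response): a NameID plus three attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ana@example.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Popescu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeId"><saml:AttributeValue>E1042</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_identity(assertion_xml, id_attribute=""):
    """Return (identifier, attributes) from an assertion whose signature was already verified.
    An empty id_attribute means "use NameID", like the blank ID Attribute field."""
    root = ET.fromstring(assertion_xml)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if id_attribute:
        values = attrs.get(id_attribute)
        if not values or not values[0].strip():
            raise ValueError(f"assertion carries no usable attribute {id_attribute!r}")
        return values[0].strip(), attrs
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return name_id.text.strip(), attrs

def resolve_account(users, identifier, match_field, attrs, auto_create=False):
    """Look identifier up in match_field (email, username or unique_id); with
    auto_create, provision a missing account the way the page describes."""
    for user in users:
        if user.get(match_field) == identifier:  # exact comparison; the page states no rule
            return user
    if not auto_create:
        raise LookupError("User not found")  # the default behaviour
    new_user = {match_field: identifier}
    first, last = attrs.get("first_name"), attrs.get("last_name")
    if first and last:  # both mapped -> create with names, else the identifier only
        new_user["first_name"], new_user["last_name"] = first[0], last[0]
    users.append(new_user)
    return new_user
```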

Once you have configured all fields relevant to your SAML 2.0 integration:
  1. Click Save.

After saving your configuration settings, single sign-on using SAML 2.0 is enabled.

  1. To disable the integration, click Disable.
  2. To edit configuration settings, click Edit.
Admin, Single sign-on, SAML 2.0 page with SAML 2.0 enabled and the Disable and Edit buttons highlighted

After enabling SAML 2.0 SSO, the option displays on the Log in pop-up on the visitor portal.

To log in using SAML 2.0 SSO, users:
  1. Access the CYPHER Learning URL.
  2. Click Log in from the upper right corner.
  3. Click Log in using SAML 2.0.
  4. Log in using their SAML 2.0 credentials. 

Log in pop-up with the Log in using SAML 2.0 button highlighted

Configuring SAML 2.0 SSO with ADFS

Follow these steps to configure SAML 2.0 SSO with ADFS.

Export Token-signing certificate from ADFS

  1. Navigate to “Server Manager”, then to “AD FS Management” (via Tools).
  2. Now, go to “Service -> Certificates”.
  3. Right-click on the token-signing certificate, click “View certificate”, then go to its Details tab and click “Copy to File…”.
  4. Now, in the “Export File Format” dialog, select “Base-64 encoded X.509 (.cer)”.
  5. Set the file name to something easy to identify, like “Certificate_for_LMS_integration.cer”.

Configuring the Relying Party Trust

  1. Go back to the ADFS management tool, and go to “Relying Party Trusts";
  2. Select the “Claims aware” option in the wizard and click “Start”;
  3. Select “Enter data about the relying party manually” and click “Next";
  4. Enter a display name, for example, “LMS_SSO”; 
  5. Leave the “Configure certificate” empty and click “Next”; 
  6. Select “Enable support for the SAML 2.0 Web SSO protocol”; 
  7. Now, in the “Relying party SAML 2.0 SSO service URL” enter “https://yourlmsURL/saml_sso/acs”, and click “Next”;
  8. In the “Relying party trust identifier:” enter “https://yourlmsURL/saml_sso/metadata”, then click “Add”, and click “Next”;
  9. For “Choose an access control policy”, select “Permit everyone” and click “Next”;
  10. In the “Ready to Add trust” dialog, you can review the settings you’ve configured and click “Next”; 
  11. In the “Finish” dialog, click “Close”.

Adding the signature certificate

  1. Double-click on the created relying party trust (LMS_SSO);
  2. Go to the “Signature” tab (NOT certificates); 
  3. Upload this certificate (you can actually extract it from the metadata of your portal): /files/262157/lms_signature_cert.cer
  4. Click “Apply”, then click “OK”.

Configuring the claim and transform rules

  1. Right-click on the created relying party trust (LMS_SSO), and click “Edit Claim Issuance Policy”;
  2. In the open dialog, click “Add Rule…”;
  3. Select “Send LDAP Attributes as Claims” and click “Next”;
  4. Enter a name for the claim rule, for example, “Email-to-email”;
  5. Set the “Attribute store:” to “Active Directory”;
  6. Now, in the “LDAP Attribute" column, select “E-Mail-Addresses”; 
  7. In the “Outgoing Claim Type” column, select “E-mail Address”;
  8. Click “Ok”.
  9. Now, let’s add the transform rule;
  10. Click “Add Rule…” again;
  11. Now, for the Claim rule template, select “Transform an Incoming Claim” and click “Next”; 
  12. Enter a suggestive rule name (for example, “e-mail-to-nameid”);
  13. For the “Incoming claim type:” select “E-mail Address”;
  14. For the “Outgoing claim type:” select “Name ID”;
  15. For the “Outgoing name ID format:” select “Email”;
  16. Select the “Pass through all claim values” option and click “Ok”.

SAML 2.0 LMS configuration

  1. Log in to your LMS portal, go to Admin/Single Sign-On, open the “SAML 2.0” tab and click “Configure”.
  2. Now, fill in the following:
    1. ID attribute: Leave blank or set it to “NameID”;
    2. Match ID using: “Email”;
    3. Issuer/Entity ID: http://youradfsdomain.com/adfs/services/trust
    4. Login URL: https://yourADFSdomain.com/adfs/ls/
    5. Logout URL: your LMS portal (or other, if you prefer);
    6. Logout Type: “Standard”
    7. X.509 Certificate (this is very important, so make sure you don’t make any mistakes here):
  3. Right-click on the certificate exported in the “Export Token-signing certificate from ADFS” section (Certificate_For_LMS_integration.cer) and open it in “Notepad” (NOT Notepad++).
  4. Now, without changing anything, press CTRL + A (to select all), then CTRL + C (to copy the content), then paste it into the LMS X.509 Certificate field.
  5. Make sure that you don’t change anything (not even a space), and click “Save”.

Notes: 

  • Make sure the user has an e-mail address linked to their account (don’t confuse the login credentials with the e-mail address).
  • You can check whether a user has an e-mail address linked to their profile via Active Directory.
  • After you have properly configured the integration, if you try to log in with a user that doesn’t have an e-mail address linked to their profile in Active Directory, you will receive a status code error (“Responder” instead of “Success”).
  • The URLs used for an entity are the default ones generated by Microsoft, but depending on your server’s settings, they may be personalized.
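The ADFS values above (Issuer/Entity ID, Login URL and the token-signing certificate) are all published in the IdP's federation metadata (ADFS serves it at /FederationMetadata/2007-06/FederationMetadata.xml), which is the safer source when your server uses non-default URLs. This added Python example, not CYPHER Learning's or Microsoft's code, extracts them and re-wraps the certificate as Base-64 encoded X.509 ready to paste; the metadata document and the certificate blob are constructed placeholders, and it assumes the LMS starts login over the HTTP-Redirect binding.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for a certificate's DER bytes; real metadata carries the token-signing cert here.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate " * 3).decode()

# Constructed metadata in the shape an IdP publishes; hostnames are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_blob):
    """Re-wrap the metadata blob as Base-64 encoded X.509 (.cer), the form the page asks you to paste."""
    raw = base64.b64decode("".join(b64_blob.split()), validate=True)  # rejects a corrupted blob
    body = "\n".join(textwrap.wrap(base64.b64encode(raw).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def lms_settings_from_metadata(metadata_xml):
    """Return the Issuer/Entity ID, Login URL and X.509 certificate for the LMS form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if sso is None:
        raise ValueError("IdP advertises no HTTP-Redirect single sign-on endpoint")
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata has no signing certificate")
    return {"issuer_entity_id": root.get("entityID"),
            "login_url": sso.get("Location"),
            "x509_certificate": to_pem(cert.text)}
```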
