Single sign-on (SSO) is a highly secure, time-saving user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with a single click.
TalentLMS supports SSO. To facilitate single sign-on on your domain, TalentLMS acts as a service provider (SP) through the SAML (Security Assertion Markup Language) standard.
You can create an SSO integration between TalentLMS and Salesforce so that your Salesforce users can authenticate and log in to TalentLMS via SSO.
Enabling Salesforce as an Identity Provider
- Log in to Salesforce as an Administrator.
- From Setup, in the Quick Find box (1), type Identity Provider, then select Identity Provider (2).
- Click Enable Identity Provider.
- Select a certificate from the drop-down menu or create a new one.
- Save your changes.
Creating a connected app for SAML 2.0
- In Salesforce, from Setup, in the Quick Find box, look for and select App manager.
- Select New connected app.
- Fill in Connected App Name, API name, and Contact email with your information. You can name the app as you like (e.g., Training center). This is how the app will appear in the App Launcher later.
- Under Web App Settings, check the Enable SAML (1) checkbox.
- Enter your TalentLMS SP metadata as below, adding your TalentLMS portal name in place of {domain}:
Start URL - https://{domain}.talentlms.com/index/ssologin/service:saml
Entity ID - {domain}.talentlms.com
ACS URL - https://{domain}.talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/{domain}.talentlms.com
- If you wish to enable Single Logout, check the Enable Single Logout (2) checkbox, and enter your TalentLMS SLO URL, as such: https://{domain}.talentlms.com/simplesaml/module.php/saml/sp/saml2-logout.php/{domain}.talentlms.com. Select HTTP redirect as the Single Logout Binding.
- Click Save at the bottom of the page.
Configuring the attribute mapping
In TalentLMS, the 4 mandatory fields for SSO are First name, Last name, Email, and Username.
Salesforce automatically creates attributes for Username and Email for the SSO-connected app, but you will need to add an attribute for First name and Last name.
- From Setup, in the Quick Find box, search for Apps, then select App Manager.
- Locate the TalentLMS SSO app you have created, and select View.
- Scroll down to Custom Attributes and click New (1).
- In the Attribute key (1) field, enter the name of the attribute, e.g. First name.
- In the Attribute value field, click Insert field (2), and a dialog box will appear.
- From this dialog box, you can select from which Salesforce field this attribute will pull data. For example, $User - First Name will pull the First Name field value into the attribute.
- After selecting the attribute value, click Insert (3).
- Then click Save.
- Add another custom attribute for Last name, following the same method outlined above.
Note: If you need to add further custom attributes to the SAML-connected app (for example, to map custom user fields), you can do so via the Custom Attributes option, as mentioned above. The Attribute key field value must match the name of your TalentLMS custom field.
Gathering Salesforce IdP info
- From Setup, in the Quick Find box, search for App Manager and click to Manage the TalentLMS SSO connected app.
- Note down the Issuer (1) in the SAML Service Provider Settings section.
- Note down the SP-Initiated Redirect Endpoint (2) value.
- Note down the Single Logout Endpoint (3) value if using.
- Click on the Idp Certificate (4) link, and then select Download certificate.
Note: If you are setting up SSO for an Experience site, ensure you take the metadata from the For Experience Cloud section instead of the Your Organization section.
Setting up SSO in TalentLMS
- Log in to TalentLMS as an Administrator.
- Go to Account & Settings > Users (if setting up SSO for a branch, go to Branches > [branchname]), and click to enable Single Sign On.
- Enter your Salesforce metadata as below:
- SSO integration type - SAML 2.0
- Identity provider (IdP) - Issuer from the Gathering Salesforce IdP info section
- Certificate fingerprint - Open the certificate you downloaded in the Gathering Salesforce IdP info section in your preferred text editor (Notepad, for example), copy the contents of the file, then click "or paste your SAML certificate (PEM format)" in TalentLMS and paste the PEM certificate inside the text area
- Remote sign-in URL - SP-Initiated Redirect Endpoint from the Gathering Salesforce IdP info section
- Remote sign-out URL - Single Logout Endpoint from the Gathering Salesforce IdP info section
- For the Attribute mapping, you can select whichever attributes you like for the corresponding fields in TalentLMS. The 4 mandatory attributes are Firstname, Lastname, Email, and Username. As an example, we will use the following:
TargettedID - username
First name - Firstname
Last name - Lastname
Email - email
- Click Save and check configuration. This will take you to Salesforce to authenticate and then back to TalentLMS, to a page listing all the mapped attributes and values, as well as all attributes and values sent from Salesforce in the SAML response. If everything looks correct, the integration is complete.
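The following is an added example, not code from TalentLMS or Salesforce. It mirrors three checks an administrator makes by hand in the steps above: building the TalentLMS SP metadata URLs from the portal name, decoding the downloaded Salesforce IdP certificate to confirm it is a well-formed PEM block and to show its fingerprint, and inspecting a SAML response for the four mandatory TalentLMS fields using the article's example attribute mapping. The SAML namespaces are the standard OASIS ones; the certificate body, the response XML, its IDs and the e-mail address are all constructed sample values, and the tiny DER body stands in for a real certificate only to exercise the decoding path. Signature verification is deliberately left out, since TalentLMS performs it with the certificate you pasted.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (OASIS).
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# TalentLMS field -> SAML attribute name, taken from the article's example mapping.
EXAMPLE_MAPPING = {
    "TargettedID": "username",
    "First name": "Firstname",
    "Last name": "Lastname",
    "Email": "email",
}


def sp_metadata(domain):
    """Build the TalentLMS SP values entered in the Salesforce connected app
    for a portal named `domain` (the {domain} placeholder in the article)."""
    host = f"{domain}.talentlms.com"
    return {
        "start_url": f"https://{host}/index/ssologin/service:saml",
        "entity_id": host,
        "acs_url": f"https://{host}/simplesaml/module.php/saml/sp/saml2-acs.php/{host}",
        "slo_url": f"https://{host}/simplesaml/module.php/saml/sp/saml2-logout.php/{host}",
    }


def certificate_fingerprints(pem_text):
    """Decode a PEM CERTIFICATE block (the IdP certificate downloaded from
    Salesforce) and return SHA-1 and SHA-256 fingerprints of its DER bytes in
    colon-separated hex. Raises ValueError for anything that is not a single,
    base64-valid PEM block wrapping an ASN.1 SEQUENCE."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except Exception as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:  # a DER certificate always starts with SEQUENCE (0x30)
        raise ValueError("decoded body is not a DER SEQUENCE")
    return {
        "sha1": ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest()),
        "sha256": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()),
    }


def is_valid_pem(pem_text):
    """True if certificate_fingerprints() accepts the text, False otherwise."""
    try:
        certificate_fingerprints(pem_text)
        return True
    except ValueError:
        return False


def extract_attributes(saml_response_xml):
    """Return {attribute name: [values]} from every AttributeStatement in the
    response, i.e. what the TalentLMS check-configuration page lists."""
    root = ET.fromstring(saml_response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_mandatory_mapping(saml_response_xml, mapping):
    """Return the TalentLMS fields whose mapped SAML attribute is absent or
    empty in the response. An empty list means all four mandatory fields
    (TargettedID/Username, First name, Last name, Email) are populated."""
    attrs = extract_attributes(saml_response_xml)
    return [field for field, source in mapping.items() if not any(attrs.get(source, []))]


# Constructed sample certificate: the base64 is a 5-byte DER SEQUENCE, not a real cert.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

# Constructed sample response: Lastname is sent but empty, so the check must flag it.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample_response" Version="2.0">
  <saml:Assertion ID="_sample_assertion" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Lastname"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(sp_metadata("acme"))
    print(certificate_fingerprints(SAMPLE_PEM))
    print("missing:", check_mandatory_mapping(SAMPLE_RESPONSE, EXAMPLE_MAPPING))
```

Run it against a real response by saving the decoded SAMLResponse parameter from your browser's developer tools and passing its text to check_mandatory_mapping with the mapping you configured in TalentLMS; a non-empty result points at the Salesforce custom attribute that is misnamed or reading an empty user field.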