TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (such as miniOrange) rather than obtaining and using a separate username and password handled by TalentLMS.
Under the SSO setup, TalentLMS can work as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.
Note: Single sign-on is available with the Basic, Plus and Premium subscription plans.
You will need a miniOrange account (or the miniOrange plugin/extension installed in your CMS, acting as the Identity Provider (IdP); in that case the configuration process differs slightly from the one described below). miniOrange handles the sign-in process and passes the authenticated user's details to TalentLMS. TalentLMS users authenticated through miniOrange are managed in miniOrange, and any change they make to their account there (first name, last name, and email) is synced to their TalentLMS account. The only user data TalentLMS needs is a unique identifier for each user plus the user's first name, last name, and email. TalentLMS does not store passwords.
Step 1: Configure miniOrange Single Sign On (SSO) Settings for TalentLMS
- Log in as a customer from the Admin Console.
- Go to Apps → Manage Apps. Click the Configure Apps button.
- Click the SAML tab. Select TalentLMS and click the Add App button.
- The Service Provider metadata for your domain can be obtained from the following URL: https://[your domain].talentlms.com/simplesaml/module.php/saml/sp/metadata.php/[your domain].talentlms.com?output=xhtml
- Enter the Entity ID of your TalentLMS Service Provider in the [your domain].talentlms.com format.
- Make sure the ACS URL is in the format: https://[your domain].talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/[your domain].talentlms.com
- Select Email ID from the Name ID dropdown.
- Click Attributes, enter the Attribute Name, and select the Attribute Value from the dropdown.
- Likewise, add the rest of the attributes.
- Click Save to store the attributes.
- Go to Add Policy and select DEFAULT from the Group Name dropdown.
- Enter TalentLMS Policy in the Policy Name field.
- Select PASSWORD from the First Factor Type dropdown.
- Click Save to configure TalentLMS.
- Click Metadata to download the certificate, which you will need later.
- Click the Download X.509 certificate button.
Step 2: Setup Single Sign On for your domain in TalentLMS
- Log in to your TalentLMS domain as a super-admin and go to Account & Settings → Users. If your subscription plan supports SSO integrations (currently the Basic, Plus and Premium plans), click the Single Sign-On (SSO) link.
- Select the SSO integration type: choose SAML 2.0 from the drop-down list.
- Enter the Identity Provider's URL: this is the Issuer URL (the IdP Entity ID or Issuer shown in the previous image).
- Copy the contents of the X.509 certificate you just downloaded and paste them in the text area that appears when you click the "paste your SAML certificate (PEM format)" link. The SHA-1 certificate fingerprint is computed when you click the Save button.
- Enter the Remote sign-in URL: this is the URL to which TalentLMS redirects your users to sign in (the SAML Login URL in the previous image).
- Enter the Remote sign-out URL: this is the URL to which TalentLMS redirects your users when they sign out (the SAML Logout URL in the previous image).
Step 3: Define the Attribute Names in TalentLMS
These fields define the names of the SAML attributes that carry user data. The attribute names are the ones you defined in the miniOrange Attributes section in Step 1.
- Enter the TargetedID in this field. This is the SAML attribute name holding the username of the user account and should be a unique identifier for each user.
- Enter the FirstName in this field. This is the SAML attribute name holding the first name of the user.
- Enter the LastName in this field. This is the SAML attribute name holding the last name of the user.
- Enter the Email Address in this field. This is the SAML attribute name holding the email address of the user.
- Enter the Group Name in this field. This is the SAML attribute name holding the name(s) of the group(s) the user is a member of. This SAML attribute may hold a single string value (one group name) or an array of string values (several group names). If a group with the same name exists in your TalentLMS domain, the user is assigned to that group and receives all courses of that group on his/her first login. The option "Add assigned groups with each login" can be selected to force group assignment on every login. Have in mind that with this option the user is not removed from groups to match those sent by your IdP; only assignments to new groups are performed.
- Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.
- Now click on the Save button at the bottom of the page.
Step 4: Sign in to your TalentLMS account with the miniOrange IdP using SP-initiated login
Have in mind that TalentLMS only supports SP-initiated SSO.
- Go to https://auth.miniorange.com/moas/login, enter your Email Address and click Login. You will be redirected to the miniOrange IdP sign-on page.
- Enter your miniOrange login credentials and click Login. You will be automatically logged in to your TalentLMS account.
User Account Matching
At the time of writing, TalentLMS provides a passive mechanism for User Account Matching: existing TalentLMS user accounts are matched against SSO user accounts by their username (TargetedID).
User account matching is only possible when the username (TargetedID) provided by miniOrange is exactly the same as an existing TalentLMS account's username. In that case the TalentLMS user account's state remains unchanged during the SSO login process; however, first name, last name, and email are pulled from miniOrange and replace the existing values.
If the username (TargetedID) provided by miniOrange for an existing TalentLMS user differs from that user's TalentLMS username, a new account is created with the miniOrange-provided username (TargetedID). In this case there will be two different accounts for the same person.
To ensure that User Account Matching succeeds, configure the miniOrange TalentLMS app to send the same username for existing user accounts. The SAML 2.0 attribute that carries the username is the TargetedID field (value targetedid); it can be configured to send a unique per-user value from the miniOrange configuration page. Refer to Step 1 of this guide for further details.
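The following added example (not TalentLMS or miniOrange code) models how an SP would consume the Step 3 attributes and apply the passive matching rule described above: exact TargetedID match updates name and email, a mismatch creates a second account, and groups are only ever added, never removed. The attribute names, accounts and assertion are constructed for the example.

```python
from dataclasses import dataclass, field

# SAML attribute names as entered in the Step 3 fields (constructed values).
ATTR_MAP = {"username": "targetedid", "first_name": "firstname",
            "last_name": "lastname", "email": "email", "groups": "groups"}


@dataclass
class Account:
    username: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    groups: set = field(default_factory=set)


def _values(assertion, name):
    """A SAML attribute may carry one string or an array of strings; return a list."""
    v = assertion.get(name, [])
    return [v] if isinstance(v, str) else list(v)


def _first(assertion, name):
    vals = _values(assertion, name)
    return vals[0] if vals else ""


def sso_login(accounts, assertion, domain_groups, add_groups_each_login=False):
    """Passive account matching: the TargetedID must equal an existing username
    exactly, otherwise a new account is created. Returns (account, created)."""
    username = _first(assertion, ATTR_MAP["username"])
    if not username:
        raise ValueError("TargetedID attribute missing from assertion")
    account = accounts.get(username)
    created = account is None
    if created:
        account = Account(username)
        accounts[username] = account
    # Name and email always come from the IdP and replace the local values.
    account.first_name = _first(assertion, ATTR_MAP["first_name"])
    account.last_name = _first(assertion, ATTR_MAP["last_name"])
    account.email = _first(assertion, ATTR_MAP["email"])
    # Groups are assigned on first login, or on every login when the option is set.
    # Only groups that already exist in the domain count; membership is never removed.
    if created or add_groups_each_login:
        for group in _values(assertion, ATTR_MAP["groups"]):
            if group in domain_groups:
                account.groups.add(group)
    return account, created
```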
Even though your users are allowed to change their profile (first name, last name, email, and username), this is strongly discouraged. Changing first name, last name and email affects only the current session; the next time a user signs in, those values are pulled from miniOrange again. Changing the username results in user mismatching, since users are matched on this value. So notify your users of how SSO affects your TalentLMS domain and ask them not to change their first name, last name, email, and especially username from their profile.
If your users authenticate only through SSO, it is good practice to disable profile updates by changing the relevant user type's permissions. To disable profile updates for your learners, go to the dashboard, click User Types → Learner-Type → Generic → Profile and make sure that "Update" and "Change password" are not checked.