How to configure SSO with OneLogin in the Legacy interface

Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.

TalentLMS supports SSO. To provide single sign-on services for your domain, TalentLMS acts as a service provider (SP) through the SAML (Secure Assertion Markup Language) standard.

To get started, you need an OneLogin account to handle the sign-in process and provide your users’ credentials to TalentLMS.

The information required by TalentLMS is:

A unique identifier for each user.
The user’s first name and last name.
The user’s email.

When users authenticate themselves through OneLogin, their account details are handled by OneLogin. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.

By default, OneLogin uses email as a unique identifier for each user. Alternatively, you can choose to use the Active Directory or LDAP username, provided that your OneLogin users are retrieved from your Active Directory or LDAP server.

Step 1: Configure the OneLogin TalentLMS app

1. Sign in to your OneLogin account and, from the top navigation bar, go to Apps > Add Apps. In the search field, type talentlms and press Enter. On the search results, click TalentLMS.

Image: https://talentlms.zendesk.com/hc/article_attachments/360021549294/Rectangle_2.2__2_.png

2. On the Add TalentLMS page, click Save.

Image: https://talentlms.zendesk.com/hc/article_attachments/360022483473/Rectangle_2.1.png

3. Go to the Configuration tab.

4.In the Subdomain field, type your full TalentLMS domain (i.e., [my-domain-name].talentlms.com) and click Save

5. Go to the SSO tab.

6. Note down the Issuer URL, the SAML 2.0 Endpoint, and the SLO Endpoint. Right below the X.509 certificate field, click View Details. From the certificate page, note down the contents of the X.509 Certificate text area. Click the back symbol to return to the TalentLMS app page.

Image: https://talentlms.zendesk.com/hc/article_attachments/360022483533/Rectangle_2.3__2_.png

Rectangle_2.3__4_.png
Rectangle_2.3__5_.png
Image: https://talentlms.zendesk.com/hc/article_attachments/360021549354/Rectangle_2.3__3_.png 7. Go to the Parameters tab.

8. In the Credentials are section, click Configured by admin.

9. In the default parameters area, click the respective entry in the Value column to define the user data OneLogin sends to TalentLMS with each attribute. We strongly recommend that you use the default values.
Rectangle_2.3__1_.png

Note: Be very careful with the Name Identifier (Subject) and Targeted ID attributes as they are your users’ unique identifiers and must not change. When your OneLogin account is connected to your Active Directory or LDAP server, it’s strongly advised to select the Username value for both fields. Don’t forget that when a user attempts to sign in to your TalentLMS domain through OneLogin, a new TalentLMS account is created based on the Targeted ID value. When that value changes for a user (e.g., the value is the user’s email which, at some point, they update on their profile), a new TalentLMS account, based on the new Targeted ID, is created upon their next sign-in. In that case, two or more different accounts might be attributed to the same person. To avoid that, always choose a value that’s unique to each user for the Name Identifier (Subject) and Targeted ID attributes.

Step 2: Enable SAML SSO for your TalentLMS domain

1. Log in to your TalentLMS account as Administrator and go to Home > Account & Settings.

2. Go to the Users tab and click Single Sign-On (SSO).

3. SSO integration type: From the drop-down list, select SAML2.0.

4. Identity provider (IdP): Type your OneLogin identity provider's URL (i.e., the Issuer URL you’ve noted down in Step 1.6).

5. Certificate fingerprint: The X.509 certificate you’ve noted down in Step 1.6. Click Or paste your SAML certificate (PEM format) to open the SAML certificate text area. Paste the X.509certificate content in the text area.

Rectangle_2.3__6_.png
6. Remote sign-in URL: The URL on your IdP’s server where TalentLMS redirects users for signing in. Type the SAML 2.0 Endpoint you’ve noted down in Step 1.6.

7. Remote sign-out URL: The URL on your IdP’s server where TalentLMS redirects users for signing out. Type the SLO Endpoint you’ve noted down in Step 1.6.

The remaining fields are used for naming the variables of the SAML protocol that contain the user data required by TalentLMS and provided by your OneLogin.

8. TargetedID: The username for each user account that acts as the user’s unique identifier. Type: targetedid.

9.First name: The user’s first name. Type: User.FirstName.

10. Last name: The user’s last name. Type: User.LastName.

11. Email: The user’s email. Type: User.Email.

12. Group: The names of the groups of which the user is a member. This variable may be assigned a single string value or an array of string values for more than one group name. When there is a group by the same name in your TalentLMS domain, the user is automatically registered in that group at their first log-in. The user is also enrolled in all the courses assigned to that group.

13. Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.

Note: To force group-assignment at every log-in, check Add assigned groups with each login. Users are automatically assigned to new groups sent by your IdP at each log-in, but they’re not removed from any groups not included in that list.

14. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.

Image: https://talentlms.zendesk.com/hc/article_attachments/360022483573/Rectangle_2.3__8_.png

User Account Matching

At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.

User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the user’s TalentLMS account remains unaltered during the SSO process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.

When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.

To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts. The name of the SAML variable that holds the username is the one you type in the TargetedID field on the TalentLMS Single Sign-On (SSO) configuration page (see Step 2.7).

User Profile

Your users are allowed to change their TalentLMS profile information, but that is strongly discouraged. Changing the first name, last name and email only affects their current session. Next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results to user mismatching, since your TalentLMS users are matched to your IdP users based on the username value.

We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.

When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that:

1. Sign in to your TalentLMS account as Administrator and go to User Types > Learner-Type > Generic > Profile.

2. If checked, uncheck the Update and Change password (1) permissions.

Note: For more on the TalentLMS User Types, see this article.