Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
TalentLMS supports SSO. To provide single sign-on services for your domain, TalentLMS acts as a service provider (SP).
|Note: Single sign-on is available with the Basic, Plus and Premium subscription plans.|
To get started, you need an OpenID Connect Identity Provider (IdP) to handle the sign-in process and provide your users’ credentials to TalentLMS.
The information required by TalentLMS is:
- A unique identifier for each user
- The user’s first name and last name
- The user’s email
When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.
To configure your OpenID Connect SSO you need:
- The client ID
- The client secret
- The OpenID Connect endpoint URLs
Step 1: Enable OpenID Connect SSO on your TalentLMS domain
1. Sign in to your TalentLMS account as Administrator, go to Home > Account & Settings > Users and click Single Sign-On (SSO).
2. SSO integration type: From the drop-down list, choose OpenID Connect.
3. Client ID: The OpenID Connect client ID provided by your IdP.
4. Client secret: The OpenID Connect client secret provided by your IdP.
5. Token endpoint URL: The OpenID Connect token endpoint URL provided by your IdP.
6. User info endpoint URL: The OpenID Connect User info endpoint URL provided by your IdP that holds user profile data (username, name, email, etc.).
7. Authorization endpoint URL: The OpenID Connect authorization endpoint URL where TalentLMS issues authentication requests.
8. Logout endpoint URL: The OpenID Connect Logout endpoint URL provided by your IdP (optional).
The remaining fields are used for the OpenID Connect attributes that contain the user data required by TalentLMS and provided by your IdP.
9. Username: The username of each user account that acts as the user’s unique identifier. The default value is uid.
10. First name: The user’s first name. The default value is given_name.
11. Last Name: The user’s last name. The default value is family_name.
12. Email: The user’s email address. The default value is email.
|Note: Make sure that all users have valid email addresses. The email attribute is critical for establishing communication between your OpenID Connect IdP and TalentLMS.|
13. Group: The names of the groups of which the user is a member. This attribute can carry a single string or an array of strings when the user belongs to more than one group. When a group with the same name exists in your TalentLMS domain, the user is automatically registered in that group at their first log-in and is also enrolled in all the courses assigned to that group.
|Note: To force group-assignment at every log-in, check Add assigned groups with each login. Users are automatically assigned to new groups sent by your IdP at each log-in, but they’re not removed from any groups not included in that list.|
14. Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.
|Note: When mapping custom fields and groups with OpenID Connect, ensure that the data is sent in the userinfo endpoint. Data sent in an access token cannot be mapped to TalentLMS fields at this time.|
15. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.
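The attribute mapping in items 9 to 13 is easiest to reason about with the userinfo response in front of you. The following is an added example, not TalentLMS code: it maps a userinfo document onto the four required fields using the page's default attribute names, normalises the group attribute (one string or an array of strings), and applies the group rules from the note above (join only groups that already exist in the domain, at first log-in or at every log-in, never remove). The claim name "groups" and the sample userinfo document are assumptions constructed for the example.

```python
# Added example (not TalentLMS code): map an OpenID Connect userinfo response
# onto the fields TalentLMS needs, using the attribute names from the SSO page.

# Attribute (claim) names as entered on the TalentLMS SSO page. The first four
# are the page's documented defaults; "groups" is an assumed name for the
# Group attribute, which the page leaves unnamed.
ATTRIBUTE_MAP = {
    "username": "uid",
    "first_name": "given_name",
    "last_name": "family_name",
    "email": "email",
    "group": "groups",
}


class MissingClaim(ValueError):
    """A required attribute is absent or empty in the userinfo response."""


def map_userinfo(userinfo: dict, attribute_map: dict = ATTRIBUTE_MAP) -> dict:
    """Translate a userinfo response into the TalentLMS user fields.

    Only the userinfo document is consulted: claims carried inside the access
    token cannot be mapped, so this function never looks there. The group
    claim may be one string or a list of strings; it is normalised to a list,
    and a missing group claim yields an empty list.
    """
    mapped = {}
    for field in ("username", "first_name", "last_name", "email"):
        claim = attribute_map[field]
        value = userinfo.get(claim)
        if not isinstance(value, str) or not value.strip():
            raise MissingClaim(f"claim {claim!r} (TalentLMS {field}) missing or empty")
        mapped[field] = value.strip()
    if "@" not in mapped["email"]:
        raise MissingClaim("email claim is not a valid address")
    groups = userinfo.get(attribute_map["group"], [])
    if isinstance(groups, str):
        groups = [groups]
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise MissingClaim("group claim must be a string or a list of strings")
    mapped["groups"] = groups
    return mapped


def update_memberships(current: list, idp_groups: list, domain_groups: set,
                       first_login: bool, add_each_login: bool) -> list:
    """Group assignment as the page describes it.

    Groups are joined only when their name exactly matches a group that already
    exists in the domain, at first log-in or, if "Add assigned groups with each
    login" is checked, at every log-in. Existing memberships are never removed.
    """
    if not (first_login or add_each_login):
        return list(current)
    joined = [g for g in idp_groups if g in domain_groups and g not in current]
    return list(current) + joined


if __name__ == "__main__":
    # Constructed sample userinfo response (not captured from a real IdP).
    sample = {
        "sub": "constructed-subject-id",
        "uid": "jane.doe",
        "given_name": "Jane",
        "family_name": "Doe",
        "email": "jane.doe@example.com",
        "groups": ["Sales", "Contractors"],
    }
    user = map_userinfo(sample)
    print(user)
    print(update_memberships([], user["groups"], {"Sales", "Engineering"},
                             first_login=True, add_each_login=False))
```

Run it against a real userinfo response (fetched with the access token) to confirm that every attribute name you typed into the form is actually a claim the IdP returns; an IdP that identifies users by a different claim needs that claim name in the Username field rather than the default.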
Step 2: Configure your OpenID Connect identity provider (IdP)
Next, you have to ensure that your OpenID Connect identity provider (IdP) communicates properly with your TalentLMS service provider (SP).
Here’s what you need for configuring your IdP:
- Authorized redirect URL: https://[your-domain].talentlms.com/simplesaml/module.php/openidconnect/resume.php
- Post logout redirect URL: https://[your-domain].talentlms.com/index/logout. That’s optional, and it’s the TalentLMS endpoint where users are redirected after a successful log-out from your IdP.
To demonstrate the full process, let’s configure Google’s OAuth 2.0 APIs as an OpenID Connect identity provider.
Example: SSO with Google’s OAuth 2.0 as an OpenID Connect IdP
Google's OAuth 2.0 APIs can be used for both authentication and authorization. Google's OAuth 2.0 implementation for authentication conforms to the OpenID Connect specification and is OpenID certified. Thus, it can be used to provide SSO services for TalentLMS clients.
For TalentLMS to communicate with Google's authentication system, you have to set up a new project in the Google API console to obtain OAuth 2.0 credentials (i.e., Client ID and Client secret) and register the Authorized redirect URL.
1. Go to the Google API console (https://console.developers.google.com/) and click Select a project.
2. On the Select a project dialog box click New project.
3. Name your new project and click Create.
4. On the left-hand panel, click Credentials.
5. Click Create credentials and, from the drop-down list, choose OAuth client ID.
6. Click Configure consent screen to provide the information displayed to users whenever they try to log in to TalentLMS through Google (i.e., whenever TalentLMS requests access to their private data).
8. Click Save to proceed.
9. On the Application type checklist, check Web application and click Create.
10. In the Name field, type the name of your OAuth client ID.
11. In the Authorized redirect URIs field, type the URL provided in the TalentLMS SSO configuration page: https://[your-domain].talentlms.com/simplesaml/module.php/openidconnect/resume.php.
12. Click Create to proceed.
13. From the OAuth client dialog box that pops up, note down the client ID and client secret.
|Note: The OpenID Connect endpoints for the TalentLMS-OpenID Connect SSO configuration form can be found in the following document: https://accounts.google.com/.well-known/openid-configuration.|
14. Sign in to your TalentLMS account as Administrator and go to Home > Account & Settings.
15. Go to the Users tab and click Single Sign-On (SSO).
16. Token endpoint: https://www.googleapis.com/oauth2/v4/token
17. User info endpoint: https://www.googleapis.com/oauth2/v3/userinfo
18. Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth
The rest of the fields can be left blank. In that case, their default values are applied:
20. First name: given_name
21. Last name: family_name
24. Custom fields: optional
25. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.
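The note above points at the IdP's discovery document as the source for the endpoint fields. As an added example (not TalentLMS or Google code), the script below reads such a document, derives the values for the Token, User info, Authorization and optional Logout endpoint fields, rejects non-https endpoints, and builds the Authorized redirect URL for a given TalentLMS subdomain so that the string registered at the IdP matches the SP side exactly. The embedded discovery document is constructed for the example (trimmed to the keys used, with the endpoint values listed in this article), not fetched live.

```python
import json
from urllib.parse import urlparse

# Added example (not TalentLMS or Google code). Read an OpenID Connect discovery
# document and derive the endpoint values for the TalentLMS SSO form, plus the
# redirect URL that must be registered at the IdP character for character.

# Constructed discovery document, shaped like the one served at
# https://accounts.google.com/.well-known/openid-configuration but trimmed to
# the keys used here; the endpoint values are the ones listed in this article.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
    "userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
    "response_types_supported": ["code", "token", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
})

# Discovery key -> TalentLMS form field. end_session_endpoint is optional in
# discovery, matching the optional Logout endpoint URL on the form.
FIELD_FOR_KEY = {
    "token_endpoint": "Token endpoint URL",
    "userinfo_endpoint": "User info endpoint URL",
    "authorization_endpoint": "Authorization endpoint URL",
    "end_session_endpoint": "Logout endpoint URL",
}


def is_https_url(url: str) -> bool:
    """Endpoints carrying codes, tokens and profile data must be https."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def sso_form_values(discovery_json: str) -> dict:
    """Map the discovery document onto the SSO form fields.

    Required endpoints must be present and https; the logout endpoint is
    filled in only when the IdP publishes one (None means leave it blank).
    """
    doc = json.loads(discovery_json)
    values = {}
    for key, field in FIELD_FOR_KEY.items():
        url = doc.get(key)
        if url is None:
            if key == "end_session_endpoint":
                values[field] = None
                continue
            raise ValueError(f"discovery document lacks {key}")
        if not is_https_url(url):
            raise ValueError(f"{key} is not an https URL: {url}")
        values[field] = url
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IdP does not support the authorization code flow")
    return values


def talentlms_redirect_url(subdomain: str) -> str:
    """Build the Authorized redirect URL for a TalentLMS domain.

    IdPs compare redirect URIs exactly, so this same string must be pasted
    into the client's Authorized redirect URIs at the IdP.
    """
    if not subdomain or not all(c.isalnum() or c == "-" for c in subdomain):
        raise ValueError(f"invalid TalentLMS subdomain: {subdomain!r}")
    return f"https://{subdomain}.talentlms.com/simplesaml/module.php/openidconnect/resume.php"


if __name__ == "__main__":
    for field, url in sso_form_values(DISCOVERY_DOC).items():
        print(f"{field}: {url or '(leave blank)'}")
    print("Authorized redirect URL:", talentlms_redirect_url("acme"))
```

Feeding the live discovery document into sso_form_values and comparing its output with what is saved on the SSO page is a quick way to catch a stale or mistyped endpoint before users hit it.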
|Note: To further ensure that your domain is accessed only from your organization's accounts, you can restrict user registration and access through OpenID Connect to specific domains. That can be done either for your main portal or a single branch (i.e., if you have configured OpenID Connect-enabled SSO on this branch):|
- Go to Home > Account & Settings > Basic settings and, in the Security section, check Restrict registration to specific domains and type your preferred domains in the respective field (separated by commas).
- Go to Home > Branches, click a branch and, in the Users section, check Restrict registration to specific domains and type your preferred domains in the respective field (separated by commas).
User Account Matching
At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.
User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the user’s TalentLMS account remains unaltered during the SSO process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.
When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.
To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts. The name of the OpenID Connect attribute that holds the username is the one you type in the Username field on the TalentLMS Single Sign-On (SSO) configuration page (item 9 under Step 1).
Your users are allowed to change their TalentLMS profile information, but that is strongly discouraged. Changing the first name, last name and email only affects their current session. The next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results in user mismatching, since your TalentLMS users are matched to your IdP users based on the username value.
We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.
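The matching rule above, together with the domain restriction from the earlier note, is small enough to model end to end. The following is an added example, not TalentLMS code: an in-memory account store stands in for the LMS database, sso_login reuses an account only on an exact username match (overwriting name and email from the IdP), creates one otherwise, and refuses a new account whose email domain is not in the comma-separated allowed list; accounts_sharing_email is an audit helper that surfaces the duplicate accounts a username mismatch produces. All sample accounts and users are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not TalentLMS code) modelling the passive, username-based
# account matching described above and the "Restrict registration to specific
# domains" setting. The account store is an in-memory dict standing in for the
# LMS database.


@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    email: str


class RegistrationRefused(Exception):
    """New SSO account refused because the email domain is not allowed."""


def domain_allowed(email: str, allowed_domains: Optional[str]) -> bool:
    """Apply the comma-separated domain list from the Basic settings page.

    None means the restriction is off. Matching is exact on the part after the
    last '@', case-insensitively, so sub-domains are not implicitly allowed.
    """
    if allowed_domains is None:
        return True
    allowed = {d.strip().lower() for d in allowed_domains.split(",") if d.strip()}
    return email.rsplit("@", 1)[-1].lower() in allowed


def sso_login(accounts: Dict[str, Account], idp_user: dict,
              allowed_domains: Optional[str] = None) -> Account:
    """Resolve an SSO login to a TalentLMS account and return it.

    An exact username match reuses the account but overwrites first name,
    last name and email with the IdP values. Any other username creates a new
    account, which is how a mismatch produces two accounts for one person.
    """
    existing = accounts.get(idp_user["username"])
    if existing is not None:
        existing.first_name = idp_user["first_name"]
        existing.last_name = idp_user["last_name"]
        existing.email = idp_user["email"]
        return existing
    if not domain_allowed(idp_user["email"], allowed_domains):
        raise RegistrationRefused(f"{idp_user['email']} is outside the allowed domains")
    account = Account(idp_user["username"], idp_user["first_name"],
                      idp_user["last_name"], idp_user["email"])
    accounts[account.username] = account
    return account


def accounts_sharing_email(accounts: Dict[str, Account]) -> Dict[str, List[str]]:
    """Audit helper: emails that belong to more than one username.

    Run this after the first SSO logins to spot users whose IdP username did
    not match their pre-existing TalentLMS username.
    """
    by_email: Dict[str, List[str]] = {}
    for acct in accounts.values():
        by_email.setdefault(acct.email.lower(), []).append(acct.username)
    return {email: users for email, users in by_email.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample data: one pre-existing account, two SSO logins.
    store = {"jdoe": Account("jdoe", "J.", "Doe", "jdoe@example.com")}
    sso_login(store, {"username": "jdoe", "first_name": "Jane",
                      "last_name": "Doe", "email": "jane.doe@example.com"})
    sso_login(store, {"username": "jane.doe", "first_name": "Jane",
                      "last_name": "Doe", "email": "jane.doe@example.com"},
              allowed_domains="example.com")
    print(accounts_sharing_email(store))
```

The duplicate report is the practical check to run after switching an existing domain to SSO: every email listed twice is a user whose IdP username needs aligning with the original TalentLMS username.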
When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that:
- Sign in to your TalentLMS account as Administrator and go to User Types > Learner-Type > Generic > Profile.
- If checked, uncheck the Update and Change password permissions.
|Note: For more on the TalentLMS User Types, see this article.|
TalentLMS only supports SP-initiated SSO. To force IdP-initiated SSO, you have to create a custom bookmark app through your IdP and use it to redirect your users to your TalentLMS URL: [your-domain]/index/ssologin/service:oidc.