Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
TalentLMS supports SSO. To provide single sign-on services for your domain, TalentLMS acts as a service provider (SP) through the SAML (Security Assertion Markup Language) standard.
To get started, you need a Google Workspace account to act as the identity provider (IdP): it handles the sign-in process and provides your users’ credentials to TalentLMS.
The information required by TalentLMS is:
- A unique identifier for each user.
- The user’s first name and last name.
- The user’s email.
When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.
Note: TalentLMS only supports SP-initiated SSO. To force SP-initiated SSO from the IdP side, you have to create a custom Bookmark app in Google Workspace that redirects your users to the following TalentLMS URL (simply replace “[my-domain]” with your TalentLMS domain):
[my-domain]/index/ssologin/service:saml
Step 1: Configure the Google Workspace native TalentLMS App (for TalentLMS domains)
1. Sign in to your Google Workspace account and go to the Admin Console at https://admin.google.com.
2. Click Apps.
3. Click Web and mobile apps.
4. Click the Add app button and select Search for apps.
5. Type Talent LMS in the Enter app name field and click Select next to the Talent LMS app listing.
6. Under Option 2, note down the SSO URL and Entity ID values, and download the SAML 2.0 Certificate to use when configuring your TalentLMS domain.
7. Click Continue.
8. On the Service Provider Details dialog box, edit the ACS URL, Entity ID, and Start URL values by replacing “{subdomain}” with your TalentLMS domain name.
9. Click Continue.
10. On the Attribute Mapping page, select a Category and User field for each predefined attribute (i.e., Email, FirstName, LastName). You can also add more attributes that you wish to map to TalentLMS custom fields; see the article How to populate custom fields via SSO for more information.
Note: You must use the exact same names in the respective TalentLMS configuration.
11. Click Finish.
12. Your new TalentLMS app is labeled as OFF for everyone. To turn it on, click the OFF for everyone text under User access and select your preference, then click Save.
Alternative Step 1: Create a SAML App on Google Workspace (for custom domains)
1. Sign in to your Google Workspace account and go to the Admin Console at https://admin.google.com.
2. Click Apps.
3. Click Web and mobile apps and select Add apps.
4. Click the Add custom SAML app option to create a new app.
5. Fill in your new custom app’s App name, Description and App icon and click Continue.
6. From the Option 2 section, note down the SSO URL and Entity ID values, and download the SAML 2.0 Certificate to use when configuring your TalentLMS domain.
7. Click Continue.
8. Sign in to your TalentLMS account as Administrator and go to Home > Account & Settings > Users.
9. Click Single Sign-on (SSO), and, from the Identity provider (IdP) configuration section, note down the Assertion Consumer Service (ACS) URL and Entity ID values.
10. Return to your Google Workspace Admin Console and, on the Service Provider Details dialog box, paste the ACS URL and Entity ID in the respective fields.
11. In the Start URL field, type: https://[your-domain-name]/index/ssologin/service:saml.
12. Uncheck the Sign Response checkbox (if checked).
13. From the Name ID drop-down lists, choose Basic Information and Primary Email.
14. From the Name ID Format drop-down list, choose Unspecified.
15. Click Continue.
16. On the Attribute Mapping dialog box, click Add new mapping to map the values of your users’ accounts to the specified SAML attributes. For example:
- Type Email in the blank field and choose Basic Information and Primary Email from the respective drop-down lists.
- Click Add new mapping, type FirstName in the blank field and choose Basic Information and First Name from the respective drop-down lists.
- Click Add new mapping, type LastName in the blank field and choose Basic Information and Last Name from the respective drop-down lists.
You can also add more attributes which you wish to map to TalentLMS custom fields; see the article How to populate custom fields via SSO for more details.
17. Click Finish.
Note: The example above is only a suggestion. You can name your SAML attributes as you prefer. However, you must use the exact same names in the respective TalentLMS configuration.
18. Your new TalentLMS app is labeled as OFF for everyone. To turn it on, click the OFF for everyone text under User access and select your preference, then click Save.
Step 2: Enable SAML SSO for your TalentLMS domain
1. Return to your TalentLMS account as Administrator, go to Home > Account & Settings > Users and click Single Sign-On (SSO).
2. SSO integration type: From the drop-down list, select SAML2.0.
3. Identity provider (IdP): Paste the Entity ID from the Google IdP Information dialog box (Step 1.6).
4. Certificate fingerprint: Locate your PEM certificate (see Step 1.6) on your local disk, open it in a text editor and copy the file contents. Click Or paste your SAML certificate (PEM format) to open the SAML certificate text area. Now paste the PEM certificate in the text area. Click Save and check your configuration for the SHA-1 certificate fingerprint to be computed.
5. Remote sign-in URL: The URL on your IdP’s server where TalentLMS redirects users for signing in. Paste the SSO URL from the Google IdP Information dialog box (Step 1.6).
6. Remote sign-out URL: The URL on your IdP’s server where TalentLMS redirects users for signing out. You can leave this field blank.
The remaining fields are used for naming the SAML variables that contain the user data required by TalentLMS and provided by your IdP.
7. TargetedID: The username for each user account that acts as the user’s unique identifier. For this SAML app you must use the user’s email address. Type: Email.
8. First name: The user’s first name. Type: FirstName.
9. Last Name: The user’s last name. Type: LastName.
10. Email: The user’s email address. Type: Email.
Note: Make sure that all users have valid email addresses. The email attribute is critical for establishing communication between your Google Workspace IdP and TalentLMS.
11. Group: The names of the groups of which the user is a member. This variable may be assigned a single string value or an array of string values for more than one group name. When there is a group by the same name in your TalentLMS domain, the user is automatically registered in that group at their first log-in. The user is also enrolled in all the courses assigned to that group.
Note: To force group assignment at every log-in, check Add assigned groups with each login. Users are automatically assigned to new groups sent by your IdP at each log-in, but they’re not removed from any groups not included in that list.
12. Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.
13. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.
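Step 2.4 relies on the SHA-1 fingerprint TalentLMS computes from the pasted certificate. The following added example (not TalentLMS or Google code) computes that fingerprint locally from the downloaded PEM file so you can confirm the value shown after Save matches the certificate you actually got from Google; the PEM body below is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: "YWJj" is base64 for the bytes b"abc", NOT a real certificate.
# It only exercises the PEM-parsing path; use the SAML 2.0 Certificate from Step 1.6 in practice.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem_text: str) -> bytes:
    """Strip the PEM armour of the first certificate block and base64-decode it.
    Tolerates CRLF line endings and indentation that editors sometimes add."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop all whitespace between the markers
    return base64.b64decode(body, validate=True)


def fingerprint_der(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of the DER bytes (the usual console format)."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_pem(pem_text: str, algorithm: str = "sha1") -> str:
    return fingerprint_der(der_from_pem(pem_text), algorithm)


def normalize(fingerprint: str) -> str:
    """Canonical form for comparison: lowercase hex, separators (':' or spaces) removed."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_matches(pem_text: str, reported: str) -> bool:
    """True when the fingerprint TalentLMS displays equals the one of the file Google issued."""
    return normalize(fingerprint_pem(pem_text)) == normalize(reported)


if __name__ == "__main__":
    print(fingerprint_pem(SAMPLE_PEM))
```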
How to create a Bookmark App to force SP-initiated SSO
1. Sign in to your Google Workspace account and go to the Admin Console at https://admin.google.com.
2. Click Apps and select Web and mobile apps.
3. Click Add apps.
4. Click the Add custom SAML app option to create a new app.
5. Fill in your new custom app’s App name, Description and App icon and click Continue.
6. From the Google IdP Information dialog box, click Continue (you do not need this bookmark app’s IdP metadata, do not use this information in your TalentLMS SSO form).
7. On the Service Provider Details dialog box, type the following values in the respective fields:
- ACS URL: https://[your-domain-name].talentlms.com/index/ssologin/service:saml
- Entity ID: dummyentity-[your-domain-name].talentlms.com
- Start URL: https://[your-domain-name].talentlms.com/index/ssologin/service:saml
Note: If you are using your custom domain for the SSO, please enter your custom domain into the Service Provider Details URLs instead of your TalentLMS domain.
8. On the Attribute Mapping dialog box, click Finish.
Note: You don't have to map any attributes, since you’ve already mapped them in the TalentLMS SSO app.
9. Your new TalentLMS app is labeled as OFF for everyone. To turn it on, click the OFF for everyone text under User access and select your preference, then click Save.
From now on, when users click the TalentLMS Bookmark App they’re redirected to the URL defined in the ACS URL field which forces an SP-initiated SSO. Then, TalentLMS sends a SAML request to the TalentLMS App for providing SSO to your users.
User Account Matching
At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.
User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the user’s TalentLMS account remains unaltered during the SSO process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.
When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.
To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts. The name of the SAML variable that holds the username is the one you type in the TargetedID field on the TalentLMS Single Sign-On (SSO) configuration page (see Step 2.7).
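The attribute names from Step 2.7 to 2.11 and the username-based matching rules described above can be checked against a sample assertion before rolling SSO out. This added example (not TalentLMS or Google code) reads the attributes from a constructed SAML assertion body and models the documented behaviour: match only on username == TargetedID value, overwrite first name, last name and email from the IdP, otherwise create a second account, and add groups without ever removing any. The `accounts` dictionary and the `MAPPING` keys are hypothetical stand-ins for the TalentLMS side.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion body (not captured from Google or TalentLMS); attribute
# names follow the Email/FirstName/LastName/Group mapping used in this article.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Silva</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Onboarding</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Right-hand side: the names typed into the TalentLMS SSO form (Step 2.7 to 2.11).
MAPPING = {"targeted_id": "Email", "first_name": "FirstName",
           "last_name": "LastName", "email": "Email", "group": "Group"}


def read_attributes(assertion_xml):
    """Collect every SAML Attribute as name -> list of values. A group attribute may
    carry one value or several; both come back as a list."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return out


def apply_login(accounts, domain_groups, attrs, mapping=MAPPING, add_groups_each_login=False):
    """Model the article's matching rules. Returns True when a new account was created."""
    def single(key):
        values = attrs.get(mapping[key], [])
        if len(values) != 1:
            raise ValueError(f"SAML attribute {mapping[key]!r} must carry exactly one value")
        return values[0]

    username = single("targeted_id")        # matching is on username == TargetedID, nothing else
    created = username not in accounts
    if created:                              # no match: a second account for the same person
        accounts[username] = {"username": username, "groups": set()}
    acct = accounts[username]
    # first name, last name and email are always overwritten with the IdP values
    acct.update(first_name=single("first_name"), last_name=single("last_name"), email=single("email"))
    if created or add_groups_each_login:     # groups are only ever added, never removed
        acct["groups"] |= set(attrs.get(mapping["group"], [])) & domain_groups
    return created
```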
User Profile
Your users are allowed to change their TalentLMS profile information, but that is strongly discouraged. Changing the first name, last name and email only affects their current session. Next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results in user mismatching, since your TalentLMS users are matched to your IdP users based on the username value.
We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.
When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that:
1. Sign in to your TalentLMS account as Administrator and go to User Types > Learner-Type > Generic > Profile.
2. If checked, uncheck the Update and Change password permissions.
Note: For more on the TalentLMS User Types, see this article.