Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
TalentLMS supports SSO. To provide single sign-on services for your domain, TalentLMS acts as a service provider (SP) through the SAML (Security Assertion Markup Language) standard.
To get started, you need a valid subscription to Entra ID (Azure AD). As your identity provider (IdP), Entra handles the sign-in process and provides your users’ credentials to TalentLMS.
The information required by TalentLMS is:
- A unique identifier for each user.
- The user’s first name and last name.
- The user’s email.
When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.
Note: The process for [my-domain-name].talentlms.com domains is different from the one for custom domains. If you need to configure SSO for a custom domain, skip Section A and go straight to Section B.
Let’s start!
Section A. Configure SSO for [my-domain-name].talentlms.com domains with the Entra ID (Azure AD) TalentLMS app
Step 1: Configure the Entra ID (Azure AD) TalentLMS app
- Sign in to your Entra management portal. On the left-hand panel, click Active Directory. Click the title of the directory you want to configure SSO for. Click Enterprise Application. Click New application and, in the Add from the gallery section, type talentlms and press Enter. From the results, select TalentLMS, change the name if you wish and click Add.
- Go to the TalentLMS app page and click on Single sign-on.
On the Select a Single sign-on method dialog, select SAML mode to enable single sign-on. On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
In the Identifier (Entity ID) field type the "Entity ID" found in TalentLMS' SSO configuration page.
In the Reply URL (Assertion Consumer Service URL) field type the Assertion Consumer Service (ACS) URL found in TalentLMS' SSO configuration page.
Note: In case you wish to configure SSO for your branches, you can add the respective Reply URL for each branch. Just replace the {yourdomain.talentlms.com} value with your branch's domain (i.e. branch1-yourdomain.talentlms.com) in the above URL.
In the Sign on URL field type the secure URL of your domain (i.e. starting with https://)
In the Logout Url field type the Single Logout Service URL found in TalentLMS' SSO configuration page.
Then click on the Save button.
Note: Replace yourdomain.talentlms.com with your actual TalentLMS domain.
In the SAML Signing Certificate and Set up TalentLMS Gallery Tutorial sections, write down the Entra ID (Azure AD) Identifier, Login URL and Logout URL values, and the Thumbprint value of the certificate. You will need them for configuring TalentLMS in the next step.
Step 2. Enabling SAML SSO in your TalentLMS domain
Log in to your TalentLMS domain as a super-admin and go to Account & Settings → Users. If your subscription plan supports SSO Integrations (currently supported in Basic, Plus, and Premium plans), you can click on the Single Sign-On (SSO) link.
On this page you should fill-in information regarding your Identity Provider (Entra ID (Azure AD)).
- SSO integration type: Choose SAML2.0 from the drop-down list
- Identity provider (IdP): type the Entra ID (Azure AD) Identifier from Entra's TalentLMS Gallery Tutorial section.
Note: Do not check the Azure AD checkbox when configuring Entra's TalentLMS App from the App gallery.
- Certificate fingerprint: type the certificate fingerprint from Entra's SAML Signing Certificate section.
- Remote sign-in URL: fill-in the Login URL from Entra's TalentLMS Gallery Tutorial section.
The rest of the fields define the names of the SAML attributes that carry the user data provided by your IdP, which TalentLMS requires. Avoid attribute names with underscores ( _ ). For example, do not configure your IdP to send First Name with the attribute "given_name". Instead, use "givenname".
- TargetedID: this is the username of the user account and should be a unique identifier for each user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- First name: the first name of the user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name: the last name of the user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Email: the email address of the user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Note that email is essential for TalentLMS communication, so you should make sure that all users have valid email addresses.
Note that based on your Entra ID configuration, this attribute may not be sent at all. Use the TargetedId attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) instead, if its value is the user's email.
- Group: the name(s) of the group(s) that the user is a member of. This SAML attribute may hold a single string value (group name) or an array of string values (group names). If a group with the same name exists in your TalentLMS domain, the user will be assigned to that group and will get all courses of that group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Keep in mind that with this option the user is not removed from groups to match those sent by your IdP. Instead, only assignments to new groups are performed.
- Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.
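The attribute mapping described above, as an added example that is not part of the original article: a small Python routine that reads the AttributeStatement of a constructed SAML assertion, maps the claim URIs listed above onto the TalentLMS fields, keeps every value of the Group attribute, and flags attribute names containing an underscore. The "groups" attribute name is an assumption (the article gives no URI for the Group field), and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# TalentLMS field -> SAML attribute name, using the claim URIs from the article.
# "groups" is an assumed name for the Group field (the article gives none).
FIELD_MAP = {
    "TargetedID": CLAIMS + "name",
    "First name": CLAIMS + "givenname",
    "Last name": CLAIMS + "surname",
    "Email": CLAIMS + "emailaddress",
    "Group": "groups",
}

# Constructed sample: the AttributeStatement of an assertion, with the
# emailaddress claim deliberately absent and Group carrying two values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
<saml:AttributeStatement>
<saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups"><saml:AttributeValue>Sales</saml:AttributeValue>
<saml:AttributeValue>Onboarding</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} for every Attribute in the statement."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).findall(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def underscored_names(field_map):
    """Attribute names containing '_' (the article advises against these)."""
    return [name for name in field_map.values() if "_" in name]


def map_to_talentlms(attrs, field_map=FIELD_MAP):
    """Project IdP attributes onto the TalentLMS fields: Group keeps the whole list,
    other fields take the single value, or None when the IdP did not send it."""
    profile = {}
    for field, name in field_map.items():
        values = attrs.get(name, [])
        profile[field] = values if field == "Group" else (values[0] if values else None)
    return profile
```

A None in the Email field is the case the article warns about: the IdP did not send emailaddress, so the name claim must carry the email instead.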
Section B. Configuring SSO for custom TalentLMS domains configuring a custom App in Entra ID (Azure AD)
The TalentLMS App in Entra's App gallery only supports TalentLMS domains of the form http://{domain name}.talentlms.com. If you have configured a custom domain in your TalentLMS account, you need to configure a custom App in Entra ID (Azure AD).
Note: Keep in mind that the whole SSO authentication process is carried out over secure HTTP (HTTPS), so it is mandatory to map your SSL certificate to your custom TalentLMS domain before configuring SSO as described below. Contact TalentLMS support for further details on how to set up your SSL certificate for your custom TalentLMS domain.
Step 1. Entra ID (Azure AD) configuration
Sign in to your Entra management portal. On the left-hand panel, click Active Directory. Click the title of the directory you want to configure SSO for. Click Enterprise Application. Click New application and then click on Non-gallery application. Type a name and click Add.
Go to the newly created custom TalentLMS app page and click on Single sign-on.
On the Select a Single sign-on method dialog, select SAML mode to enable single sign-on.
On the Set up Single Sign-On with SAML page, click the Edit icon to open the Basic SAML Configuration dialog.
In the Identifier (Entity ID) field type the "Entity ID" found in TalentLMS' SSO configuration page.
In the Reply URL (Assertion Consumer Service URL) field type the Assertion Consumer Service (ACS) URL found in TalentLMS' SSO configuration page.
Note: In case you wish to configure SSO for your branches, you can add the respective Reply URL for each branch. Just replace the {yourcustomdomain.com} value with your branch's custom domain (i.e. branch1.yourcustomdomain.com) in the above URL.
In the Sign on URL field type the secure URL of your domain (i.e. starting with https://)
In the Logout Url field type the Single Logout Service URL found in TalentLMS' SSO configuration page.
Then click on the Save button.
Note: Replace yourcustomdomain.com with the actual custom domain of your TalentLMS account.
In the SAML Signing Certificate and Set up TalentLMS Gallery Tutorial sections, write down the Entra ID (Azure AD) Identifier, Login URL and Logout URL values, and the Thumbprint value of the certificate. You will need them for configuring TalentLMS in the next step.
Step 2. Enabling SAML SSO in your TalentLMS domain
Log in to your TalentLMS domain as a super-admin and go to Account & Settings → Users. If your subscription plan supports SSO Integrations (currently supported in Basic, Plus and Premium plans), you can click on the Single Sign-On (SSO) link.
On this page, you should fill-in information regarding your Identity Provider (Entra ID (Azure AD)).
- SSO integration type: Choose SAML2.0 from the drop-down list
- Identity provider (IdP): type the Entra ID (Azure AD) Identifier from Entra's TalentLMS Gallery Tutorial section.
- Certificate fingerprint: type the certificate fingerprint from Entra's SAML Signing Certificate section.
- Remote sign-in URL: fill-in the Login URL from Entra's TalentLMS Gallery Tutorial section.
- Remote sign-out URL: fill-in the remote Logout URL from Entra's TalentLMS Gallery Tutorial section.
The rest of the fields define the names of the SAML attributes that carry the user data provided by your IdP, which TalentLMS requires. Avoid attribute names with underscores ( _ ). For example, do not configure your IdP to send First Name with the attribute "given_name". Instead, use "givenname".
- TargetedID: this is the username of the user account and should be a unique identifier for each user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- First name: the first name of the user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name: the last name of the user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Email: the email address of the user.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Note that email is essential for TalentLMS communication, so you should make sure that all users have valid email addresses.
- Group: the name(s) of the group(s) that the user is a member of. This SAML attribute may hold a single string value (group name) or an array of string values (group names). If a group with the same name exists in your TalentLMS domain, the user will be assigned to that group and will get all courses of that group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Keep in mind that with this option the user is not removed from groups to match those sent by your IdP. Instead, only assignments to new groups are performed.
- Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.
User Account Matching
At the time of writing of this document, TalentLMS provides a passive mechanism for User Account Matching. This means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.
User account matching is only possible when the username provided by your IdP is exactly the same as an existing TalentLMS account's username. In this case the TalentLMS user account state remains unchanged during the SSO login process. However, first name, last name, and email will be pulled from your IdP and will replace the existing values.
If the username provided by your IdP, for an existing TalentLMS user, is different from his/her TalentLMS username, a new account will be created with the IdP provided username. In this case, two different accounts will exist for the same person.
To ensure that User Account Matching will perform successfully, you should configure your IdP to send the same username for existing user accounts. The SAML 2.0 attribute name that carries the username can be defined in the TargetedID field at the TalentLMS SSO configuration page.
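The passive matching described in this section, as an added example that is not part of the original article: a Python model of an SSO login against a constructed set of existing accounts keyed by username, where an exact TargetedID match refreshes name and email and any other username creates a new account. The duplicate check at the end surfaces the failure mode the article warns about, the same person ending up with two accounts; the account records and field names are constructed for the example.

```python
# Constructed existing TalentLMS accounts, keyed by username (the value TalentLMS matches on).
EXISTING_ACCOUNTS = {
    "jdoe": {"first": "Jane", "last": "Doe", "email": "jane.doe@old.example"},
    "bsmith": {"first": "Bob", "last": "Smith", "email": "bob.smith@example.com"},
}


def sso_login(accounts, targeted_id, first, last, email):
    """Apply one SSO login to the account store, following the article's rules:
    an exact (case-sensitive) username match keeps the account but refreshes
    first name, last name and email from the IdP; anything else creates a new
    account under the IdP-provided username. Returns "matched" or "created"."""
    profile = {"first": first, "last": last, "email": email}
    if targeted_id in accounts:
        accounts[targeted_id].update(profile)
        return "matched"
    accounts[targeted_id] = profile
    return "created"


def duplicate_people(accounts):
    """Return {email: [usernames]} for emails shared by more than one account,
    which is how a TargetedID mismatch shows up after the fact."""
    by_email = {}
    for username, acct in accounts.items():
        by_email.setdefault(acct["email"], []).append(username)
    return {email: names for email, names in by_email.items() if len(names) > 1}
```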
User Profile
Even though your users are allowed to change their profile (first name, last name, email, and username), this is strongly discouraged. Changing first name, last name and email will affect only the current session: the next time a user signs in, those values will be pulled from your IdP server. Changing the username will result in the undesirable effect of user mismatching, since users are matched on this value. Therefore, you should notify your users about how SSO affects your TalentLMS domain and ask them to avoid changing first name, last name, email and especially username from their profile.
If your users are authenticated only through SSO, it is good practice to disable profile updates for your users by changing the specific user type permissions. To disable profile updates for your learners, go to the dashboard, click on User Types → Learner-Type → Generic → Profile and make sure that "Update" and "Change password" are not checked.