Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
TalentLMS supports SSO. To provide single sign-on services for your domain, TalentLMS acts as a service provider (SP) through the SAML (Security Assertion Markup Language) standard.
Note: Single sign-on is available with the Basic, Plus and Premium subscription plans.
To get started, you need an Okta account to handle the sign-in process and provide your users’ credentials to TalentLMS.
The information required by TalentLMS is:
- A unique identifier for each user.
- The user’s first name and last name.
- The user’s email.
When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details (i.e., first name, last name, email) are synced back to TalentLMS. TalentLMS does not store any passwords.
How to integrate Okta and TalentLMS with the TalentLMS app
Okta provides registered users with a complete step-by-step guide to configuring the TalentLMS app. Here’s how to find it:
1. Sign in to your Okta account and go to Applications > Add Application.
2. In the search field, type talentlms and, on the search results that pop up, click Add next to the TalentLMS entry.
3. In the Subdomain field, type your TalentLMS domain name (i.e., if your TalentLMS domain is mycompany.talentlms.com, type mycompany), and click Done.
4. Go to the Sign On tab, and click View Setup Instructions.
You’re directed to an Okta-TalentLMS configuration manual that’s tailored to your account (i.e., it contains the exact parameters for integrating your Okta and TalentLMS accounts).
5. Follow the instructions closely to complete your integration.
Note: TalentLMS only supports SP-initiated SSO. To force SP-initiated SSO from the IdP side, Okta recommends that you hide the TalentLMS app and create a custom Bookmark app with the TalentLMS logo (as described here). The Bookmark app must redirect your users to the following TalentLMS URL (simply replace “[my-domain]” with your TalentLMS domain): [my-domain]/index/ssologin/service:saml
User Account Matching
At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.
User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the state of the user’s TalentLMS account remains unaltered during the single sign-on process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.
When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.
To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts. The name of the SAML variable that carries the username is the one you type in the TargetedID field on the TalentLMS Single Sign-On (SSO) configuration page.
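The matching rules above, as an added example that is not TalentLMS or Okta code: it pulls the attributes from a constructed SAML assertion, applies the exact-username rule (match updates the profile, no match creates a second account), and includes a pre-rollout check that lists local usernames your IdP would not send exactly. The attribute name `username` (assumed to be the value typed in the TargetedID field), the other attribute names and the sample assertion are assumptions.

```python
"""Simulate TalentLMS passive account matching for a SAML SSO login.

Constructed example, not TalentLMS code. TARGETED_ID, the attribute
names and the assertion below are assumptions mirroring the page's rules.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TARGETED_ID = "username"  # assumed: the name typed in the TargetedID field

# Constructed attribute statement, shaped like what an IdP would send.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(xml_text):
    """Return {attribute name: first value} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return attrs


def sso_login(accounts, attrs):
    """Apply the page's rule: exact username match updates the profile,
    anything else creates a new account. Returns (action, username)."""
    username = attrs[TARGETED_ID]
    profile = {k: attrs[k] for k in ("firstName", "lastName", "email")}
    if username in accounts:                 # exact (case-sensitive) match
        accounts[username].update(profile)   # IdP values replace local edits
        return "updated", username
    accounts[username] = profile             # no match: second account, same person
    return "created", username


def mismatched_users(accounts, idp_usernames):
    """Pre-rollout check: local usernames the IdP will not send exactly,
    i.e. the users who would end up with a duplicate account."""
    return sorted(set(accounts) - set(idp_usernames))
```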
Your users are allowed to change their TalentLMS profile information (first name, last name, email, and username), but that is strongly discouraged. Changing the first name, last name and email will only affect their current session.
Next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results in user mismatching, since your TalentLMS users are matched to your IdP users based on the username value.
We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.
When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that, go to User Types > Learner-Type > Generic > Profile and (if checked) uncheck the Update and Change password permissions.
You did it!
Your TalentLMS domain is configured to provide SSO services. Your users may sign in to your TalentLMS domain with the username and password stored in your Okta identity provider.