Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
TalentLMS supports SSO. To provide single sign-on services for your domain, TalentLMS acts as a service provider (SP) through the SAML (Secure Assertion Markup Language) standard.
|Note: Single sign-on is available with the Basic, Plus and Premium subscription plans.
To get started, you need a SAML 2.0 identity provider (IdP) to handle the sign-in process and provide your users’ credentials to TalentLMS.
The information required by TalentLMS is:
- A unique identifier for each user.
- The user’s first name and last name.
- The user’s email.
When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.
To configure SAML 2.0-enabled SSO you need:
- The version of your SAML identity provider (IdP). Currently, TalentLMS supports SAML 2.0.
- The URL of the SAML IdP that handles sign-in requests.
- The IdP URL where TalentLMS redirects users to sign in.
- The IdP URL where TalentLMS redirects users to sign out.
- The fingerprint of the SAML certificate used by the IdP to sign the SAML assertions sent to TalentLMS. The SAML certificate is provided by the IdP in PEM format.
|Note: TalentLMS works with RSA certificates. DSA certificates are not supported.
Step 1: Enable SAML SSO for your TalentLMS domain
1. Sign in to your TalentLMS account as Administrator, go to Home > Account & Settings > Users and click Single Sign-On (SSO).
2. SSO integration type: From the drop-down list, select SAML2.0.
3. Identity provider (IdP): Type the domain of your SAML 2.0 identity provider.
4. Certificate fingerprint: Type the SHA-1 SAML certificate fingerprint provided by your IdP. Alternatively, click Οr paste your SAML certificate (PEM format) to open the SAML certificate text area. Locate your PEM certificate in your local disk, open it in a text editor and copy the file’s contents. Paste the PEM certificate in the text area. Click Save and check your configuration for the SHA-1 certificate fingerprint to be computed.
5. Remote sign-in URL: Type the URL on your IdP’s server where TalentLMS redirects users for signing in.
6. Remote sign-out URL: Type the URL on your IdP’s server where TalentLMS redirects users for signing out.
The remaining fields are used for naming the SAML variables that contain the user data required by TalentLMS and provided by your IdP. Those are optional, and they can be left blank for most SAML IdP deployments. In that case, their default values are applied.
|Note: If you choose to add your own variables, avoid the use of underscores ( _ ) in variable names (e.g., firstname instead of first_name).
|Note: If your users are uniquely identified by another SAML variable you have to set it here. However, the default TargetedID variable suffices for this purpose.
8. First name: The user’s first name. The default value is urn:oid:22.214.171.124.
9. Last name: The user’s last name. The default value is urn:oid:126.96.36.199.
10. Email: The user’s email address. The default value is urn:oid:0.9.2342.19200300.100.1.3.
|Note: Make sure that all users have valid email addresses. The email attribute is critical for establishing communication between your SAML 2.0 IdP and TalentLMS.
11. Group: The names of the groups of which the user is a member. This variable may be assigned a single string value or an array of string values for more than one group name. When there is a group by the same name in your TalentLMS domain, the user is automatically registered in that group at their first log-in. The user is also enrolled in all the courses assigned to that group.
|Note: To force group-assignment at every log-in, check Add assigned groups with each login. Users are automatically assigned to new groups sent by your IdP at each log-in, but they’re not removed from any groups not included in that list.
12. Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.
13. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.
Step 2: Configure your identity provider (IdP)
Next, you have to establish communication between your IdP and your SAML-based TalentLMS service provider (SP). Here’s all the information required to configure your IdP:
|Note: Don’t forget to replace “[my-domain-name]” with your TalentLMS domain name.
1. The Entity ID of your TalentLMS service provider is:
2. The Assertion Consumer Service (ACS) URL is:
3. The Single Logout Service URL is:
4. You can get the TalentLMS SP metadata for your domain from the following URL:
User Account Matching
At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.
User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the user’s TalentLMS account remains unaltered during the SSO process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.
When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.
To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts. The name of the SAML variable that holds the username is the one you type in the TargetedID field on the TalentLMS Single Sign-On (SSO) configuration page (see Step 1.7).
Your users are allowed to change their TalentLMS profile information, but that is strongly discouraged. Changing the first name, last name and email only affects their current session. Next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results to user mismatching, since your TalentLMS users are matched to your IdP users based on the username value.
We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.
When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that:
1. Sign in to your TalentLMS account as Administrator and go to User Types > Learner-Type > Generic > Profile.
2. If checked, uncheck the Update and Change password permissions
|Note: For more on the TalentLMS User Types, see this article.
TalentLMS only supports SP-initiated SSO. To force SP-initiated SSO from the IdP side, you have to create a custom Bookmark app in your IdP service that redirects your users to the following TalentLMS URL (simply replace “[my-domain]” with your TalentLMS domain):