Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out with one click.
TalentLMS supports SSO. To provide SSO services for your domain, TalentLMS acts as a service provider (SP) through the SAML (Security Assertion Markup Language) standard.
You need an ADFS 2.0 identity provider (IdP) to handle the sign-in process and provide your users’ credentials to TalentLMS.
The information TalentLMS needs is:
- A unique identifier for each user.
- The user’s first and last name.
- The user’s email.
When users authenticate themselves through your IdP, their account details are handled by the IdP. Any changes made to those details are synced back to TalentLMS. TalentLMS does not store any passwords.
To configure SSO with an ADFS 2.0 IdP, follow these steps:
Step 1: Configure ADFS 2.0
Step 2: Add an ADFS 2.0 relying party trust
Step 3: Define the ADFS 2.0 claim rules
Step 4: Configure the authentication policies
Step 5: Enable SAML SSO in your TalentLMS domain
Let’s start!
Step 1: Configure your ADFS 2.0 IdP
Note: In the following guide, we use the “win-0sgkfmnb1t8.adatum.com” URL as the domain of your ADFS 2.0 identity provider. Please, don’t forget to replace it with the actual domain of your ADFS 2.0 IdP in all steps.
1. Go to Start > Administrative Tools > ADFS 2.0 Management. On the multi-level nested list, right-click Service. Then click Edit Federation Service Properties.
2. Go to the General tab. The Federation Service Identifier (win-0sgkfmnb1t8.adatum.com/adfs/services/trust) is the identity provider’s URL. You’ll need this later on your TalentLMS Single Sign-On (SSO) configuration page. Note it down.
3. On the General tab, check the other values to confirm that they match the DNS settings for your server and click OK.
4. On the multi-level nested list, click Certificates. On the right-hand panel, go to the Token-signing section and right-click the certificate. Click View Certificate.
5. Go to the Details tab, and click Copy to File... to launch the Certificate Export Wizard.
6. In the Certificate Export Wizard, click Next. Select the DER encoded binary X.509 (.cer) format, and click Next again. Choose a destination folder on your local disk to save your certificate and click Finish.
7. TalentLMS requires a PEM-format certificate, so you have to convert your certificate from DER to PEM. You can use any available tool or an online application like www.sslshopper.com/ssl-converter.html.
Note: TalentLMS works with RSA certificates. DSA certificates are not supported.
Step 2: Add an ADFS 2.0 relying party trust
First, you have to define the TalentLMS endpoints in your ADFS 2.0 IdP. You can either do that manually or import the metadata XML provided by TalentLMS. We recommend importing the metadata XML because it's hassle-free.
You can find the XML file at the following URL (simply replace “company.talentlms.com” with your TalentLMS domain):
company.talentlms.com/simplesaml/module.php/saml/sp/metadata.php/company.talentlms.com
Can't access the URL to download the metadata XML file? Copy the metadata XML file contents from the code block below, and replace “company.talentlms.com” with your TalentLMS domain name.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="company.talentlms.com">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://company.talentlms.com/simplesaml/module.php/saml/sp/saml2-logout.php/company.talentlms.com"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://company.talentlms.com/simplesaml/module.php/saml/sp/saml2-logout.php/company.talentlms.com"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://company.talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/company.talentlms.com" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://company.talentlms.com/simplesaml/module.php/saml/sp/saml1-acs.php/company.talentlms.com" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://company.talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/company.talentlms.com" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://company.talentlms.com/simplesaml/module.php/saml/sp/saml1-acs.php/company.talentlms.com/artifact" index="3"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Now, let’s add a relying party trust:
1. On the multi-level nested list, under Trust Relationships, right-click Relying Party Trusts and click Add Relying Party Trust... to launch the wizard.
2. Click Start. Click Import data about the relying party from a file. Click Browse and get the TalentLMS metadata XML file from your local disk.
3. Click Next. Ignore the pop-up message and type a distinctive Display Name (e.g., TalentLMS). That’s the name of your relying party trust. Click Next again.
4. Select Permit all users to access the relying party and click Next to complete the process.
5. On the Display Name column, right-click the relying party you’ve just created (e.g., TalentLMS) and click Properties.
6. Go to the Advanced tab, select SHA-1 from the Secure hash algorithm drop-down list, and click OK.
Step 3: Define the ADFS 2.0 claim rules
Next, define the claim rules to establish proper communication between your ADFS 2.0 IdP and TalentLMS.
1. In the Relying Party Trusts panel, under the Display Name column, right-click the relying party trust you’ve just created (e.g., TalentLMS) and click Edit Claim Rules...
2. Go to the Issuance Transform Rules tab and click Add Rules to launch the Add Transform Claim Rule Wizard.
3. In the Choose Rule Type panel, choose Send LDAP Attribute as Claims and click Next.
4. In the Configure Claim Rule panel, type the Claim rule name (e.g., Get LDAP Attributes) in the respective field.
5. From the Attribute store drop-down list, choose Active Directory. In the Mapping of LDAP attributes to outgoing claim types section, choose the following values from the respective drop-down lists:
- LDAP Attribute: E-Mail-Addresses, Outgoing Claim Type: E-mail Address
- LDAP Attribute: Given-Name, Outgoing Claim Type: Given Name
- LDAP Attribute: Surname, Outgoing Claim Type: Surname
- LDAP Attribute: User-Principal-Name, Outgoing Claim Type: UPN
Click Finish.
6. Add a second rule by following the same steps. When you reach Step 3.3, choose Transform an Incoming Claim and click Next.
7. Type the Claim rule name in the respective field (e.g., Email to Name ID) and set:
- The Incoming claim type as E-Mail Address (same as in the previous rule).
- The Outgoing claim type as Name ID.
- The Outgoing name ID format as Email.
Click Finish.
Step 4: Configure the ADFS 2.0 Authentication Policies
To make sure that single log-out (SLO) works properly, especially when multiple users log in on the same computer or device, you have to configure the authentication settings for the relying party trust you’ve just created:
1. On the multi-level nested list under Authentication Policies, click Per Relying Party Trust.
2. Right-click the relying party you’ve just created (e.g., TalentLMS) and click Edit Custom Primary Authentication.
3. Go to the Primary tab, check Users are required to provide credentials each time at sign in and click OK.
Step 5: Enable SAML 2.0 SSO for your TalentLMS domain
1. Sign in to your TalentLMS account as Administrator, go to Home > Account & Settings > Users and click Single Sign-On (SSO).
The details of your ADFS 2.0 IdP required for the following steps can be retrieved from the IdP’s metadata XML file. You can get the file from the following URL (simply replace “win-0sgkfmnb1t8.adatum.com” with the domain of your ADFS 2.0 identity provider):
win-0sgkfmnb1t8.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml
2. SSO integration type: From the drop-down list, select SAML2.0.
3. Identity provider (IdP): Type your ADFS 2.0 identity provider's URL (i.e., the Federation Service identifier you’ve noted down in Step 1.2):
win-0sgkfmnb1t8.adatum.com/adfs/services/trust
4. Certificate fingerprint: Locate your PEM certificate (see Step 1) on your local disk, open it in a text editor and copy the file contents. Click Or paste your SAML certificate (PEM format) to open the SAML certificate text area. Now paste the PEM certificate in the text area. Click Save and check your configuration so that the SHA-1 certificate fingerprint is computed.
Note: TalentLMS works with RSA certificates. DSA certificates are not supported.
5. Remote sign-in URL: The URL on your IdP’s server where TalentLMS redirects users for signing in. Type:
win-0sgkfmnb1t8.adatum.com/adfs/ls
6. Remote sign-out URL: The URL on your IdP’s server where TalentLMS redirects users for signing out. Type:
win-0sgkfmnb1t8.adatum.com/adfs/ls/?wa=wsignout1.0
The remaining fields are used for naming the SAML variables that contain the user data required by TalentLMS and provided by your IdP.
Note: Avoid the use of underscores ( _ ) in variable names (e.g., givenname instead of given_name).
7. Username: The username for each user account that acts as the user’s unique identifier (i.e., the LDAP attribute User-Principal-Name as defined in the claim rules in Step 3.5). Type:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
8. First name: The user’s first name (i.e., the LDAP attribute Given-Name as defined in the claim rules in Step 3.5). Type:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
9. Last name: The user’s last name (i.e., the LDAP attribute Surname as defined in the claim rules in Step 3.5). Type:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
10. Email: The user’s email address (i.e., the LDAP attribute E-Mail-Addresses as defined in the claim rules in Step 3.5). Type:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Note: Make sure that all users have valid email addresses. The email attribute is critical for establishing communication between your ADFS 2.0 IdP and TalentLMS.
11. Group: The names of the groups of which the user is a member. This variable (i.e., http://schemas.xmlsoap.org/claims/Group) may be assigned a single string value or an array of string values for more than one group name. When there is a group by the same name in your TalentLMS domain, the user is automatically added to that group at their first log-in. The user is also enrolled in all the courses assigned to that group.
Note: To force group registration at every log-in, check Add assigned groups with each login. Users are automatically assigned to new groups sent by your IdP at each log-in, but they’re not removed from any groups not included in that list.
12. Custom fields: You can select custom fields from TalentLMS and populate them with data derived from your IdP. Find more information in this support article.
13. Click Save and check your configuration. If everything is correct, you’ll get a success message that contains all the values pulled from your IdP.
User Account Matching
At the time of writing, TalentLMS provides a passive mechanism for user account matching. That means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.
User account matching can be achieved only when the username provided by your IdP is exactly the same as the username of the existing TalentLMS account. In that case, the user’s TalentLMS account remains unaltered during the SSO process. However, the values for the user’s first name, last name, and email are pulled from your IdP and replace the existing ones.
When the username provided by your IdP for an existing TalentLMS user is different from their TalentLMS username, a new account is created for the IdP-provided username. In that case, two different accounts are attributed to the same person.
To make sure that user account matching works properly, configure your IdP to send the same usernames for all existing TalentLMS user accounts. The name of the SAML variable that holds the username is the one you type in the Username field on the TalentLMS Single Sign-On (SSO) configuration page (see Step 5.7).
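To show how the claim names from Steps 5.7 to 5.11 arrive in the SAML assertion and how the matching rules above play out, here is an added Python example (illustrative code, not TalentLMS's or ADFS's own). The assertion, the existing accounts and the domain group names are constructed; the Group attribute is handled as the multi-valued case Step 5.11 mentions, and groups are added on every log-in, as with Add assigned groups with each login.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML attribute name (Steps 5.7 to 5.11) -> TalentLMS field
CLAIMS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "username",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/claims/Group": "groups",
}
# Constructed sample assertion: only the AttributeStatement is shown; a real SP
# validates the signature and conditions before reading any attribute.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
   <saml:AttributeValue>jdoe@adatum.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
   <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
   <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>jane.doe@adatum.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
   <saml:AttributeValue>Sales</saml:AttributeValue>
   <saml:AttributeValue>Contractors</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def extract_claims(assertion_xml):
    """Map the assertion's attributes onto TalentLMS fields; Group may carry several values."""
    data = {"groups": []}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        field = CLAIMS.get(attr.get("Name"))
        if field is None:
            continue  # claims TalentLMS was not configured for are ignored
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        data[field] = values if field == "groups" else values[0]
    return data

def match_account(accounts, claims, domain_groups):
    """Passive matching: an exact username match keeps the account and refreshes name
    and email from the IdP; any other username creates a second account for the same
    person. Groups are added only if a TalentLMS group of that name exists; existing
    memberships the IdP no longer lists are kept."""
    acct = accounts.get(claims["username"])
    created = acct is None
    if created:
        acct = accounts[claims["username"]] = {"username": claims["username"], "groups": set()}
    acct.update({k: claims[k] for k in ("first_name", "last_name", "email")})
    acct["groups"] |= {g for g in claims["groups"] if g in domain_groups}
    return created, acct
```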
User profile
Your users are allowed to change their TalentLMS profile information, but that is strongly discouraged. Changing the first name, last name and email only affects their current session. Next time the user signs in, those values are pulled from your IdP server and replace the altered ones. Changing the username results in a user mismatch, since your TalentLMS users are matched to your IdP users based on the username value.
We recommend that you notify your users how the SSO process affects your TalentLMS domain and advise them to avoid changing their first name, last name, email and, most importantly, their username on their TalentLMS profile.
When your users are authenticated through SSO only, it’s considered good practice to disable profile updates for those users. To do that:
1. Sign in to your TalentLMS account as Administrator and go to Account & Settings > User Types > Learner-Type > Generic > Profile.
2. If checked, uncheck the Update and Reset password permissions.
Note: For more on the TalentLMS User Types, see this article.