How to configure SSO with Google Apps

TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (such as Google) rather than obtaining and using a separate username and password handled by TalentLMS.

Under the SSO setup, TalentLMS can work as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.

The SSO SAML Integration is available in Basic, Plus and Premium subscription plans.

What you will need is a Google Apps for Work account, which will handle the sign-in process and eventually pass the authentication credentials of your users to TalentLMS. TalentLMS users authenticated through Google are managed by Google, and any change they make to their account (namely first name, last name, and email) is synced back to their TalentLMS account. The only user data TalentLMS needs is a unique identifier for each user (the user's email by default), plus the user's first name, last name and email. TalentLMS does not store passwords.

Keep in mind that TalentLMS only supports SP-initiated SSO, meaning that the SSO authentication process must start on the SP (TalentLMS). Unfortunately Google, unlike other IdPs, does not provide a mechanism to support SP-initiated SSO. A possible workaround is to create an additional app that points to https://{your-domain}.talentlms.com/index/ssologin/service:saml; clicking on that app forces SP-initiated SSO. Both apps (the one that forces SP-initiated SSO and the one described below) should be active and visible to your users. More details on how to configure a Bookmark app that will force SP-initiated SSO can be found at the end of this guide.

Step 1. Configure a SAML App on Google

  • As an administrator on your Google account go to https://admin.google.com/ and click on Apps→SAML Apps. On the apps listing page click on the plus sign at the bottom right to create a new SAML App. On the pop-up modal, click on "Setup my own custom app" at the bottom.

  • In the next page note down the SSO URL and Entity ID values and download the Certificate, because you will need them to configure your TalentLMS domain.

  • In the next page give a name and a description to your SAML app and upload a logo image.

  • In the next page you have to insert the Service Provider (TalentLMS) details. You will need to get the ACS URL and Entity ID from TalentLMS: go to your TalentLMS domain and navigate to Account & Settings→Users→SSO. At the bottom of the page you will see those values. Copy and paste them in this page. In the Start URL field type the following value:
    https://{your-domain}.talentlms.com/index/ssologin/service:saml where {your-domain} is your TalentLMS domain name.
    Uncheck the Signed Response checkbox.
    Choose Basic Information and Primary Email in the Name ID option and finally set Name ID Format to UNSPECIFIED.

  • In the next page you have to configure the mapping of user account values to SAML attributes. The image below is just a suggestion. You can name your SAML attributes as you like; however, you must use the exact same names when configuring TalentLMS.

  • Once the app is configured, it will not work until you turn it on for your domain. You can turn it on for everyone in your organization or for specific organizations.

Step 2. Enabling SAML SSO in your TalentLMS domain

Log in to your TalentLMS domain as a super-admin and go to Account & Settings→Users. If your subscription plan supports SSO integrations (currently supported in the Basic, Plus and Premium plans), you can click on the Single Sign-On (SSO) link.

On this page you should fill in the information regarding the TalentLMS SAML App on Google.

  • SSO integration type: choose SAML2.0 from the drop-down list

  • Identity provider (IdP): copy and paste the Entity ID value from Step 2 of the App's configuration page.

  • Certificate fingerprint: download the certificate from Step 2 of the App's configuration page and open it with your favourite text editor. Copy the contents and paste them in the text area that appears when you click on the “paste your SAML certificate (PEM format)” link. The SHA-1 certificate fingerprint will be computed when you click on the Save button.

  • Remote sign-in URL: copy and paste the SSO URL value from Step 2 of the App's configuration page.

  • Remote sign-out URL: this field can be left blank.

The rest of the fields define the names of the SAML attributes that carry the user data TalentLMS needs from Google.

  • TargetedID: this is the username of the user account and should be a unique identifier for each user. For this App you will have to use the email.
    Type Email in this field.

  • First name: the first name of the user.
    Type FirstName in this field.

  • Last Name: the last name of the user.
    Type LastName in this field.

  • Email: the email address of the user.
    Type Email in this field.

  • Group: the name(s) of the group(s) the user is a member of. This SAML attribute may hold a single string value (a group name) or an array of string values (group names). If a group with the same name exists in your TalentLMS domain, the user will be assigned to that group and will get all courses of that group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Keep in mind that with this option the user is not removed from groups to match those sent by your IdP; only assignments to new groups are performed.

Now click on the Save button at the bottom of the page. Your configuration page should look like this:
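A troubleshooting check for Step 2, added here as example code that is not part of TalentLMS or Google: it decodes a posted SAMLResponse, pulls out the NameID and attributes, and reports which of the attribute names configured above (Email, FirstName, LastName, Group) are missing. The sample response is constructed and unsigned, and the function names are this example's own.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# TalentLMS field -> SAML attribute name, exactly as typed in Step 2 of the guide.
REQUIRED = {"TargetedID": "Email", "First name": "FirstName",
            "Last Name": "LastName", "Email": "Email"}

# Constructed sample, not a real Google response: one user in two groups (Group is multi-valued).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group"><saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Onboarding</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def decode_saml_response(b64_response):
    # The browser posts the SAMLResponse form field as base64-encoded XML.
    return base64.b64decode(b64_response).decode("utf-8")

def parse_assertion(xml_text):
    """Return (NameID, {attribute name: [values]}) from a decoded SAML Response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = nid.text.strip() if nid is not None and nid.text else None
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Keep every value: Group may be a single string or a list of group names.
        vals = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = vals
    return name_id, attrs

def check_mapping(name_id, attrs):
    """List what TalentLMS would fail on for this assertion; an empty list means all good."""
    problems = []
    if not name_id:
        problems.append("NameID missing: set Name ID to Primary Email on the Google app")
    for field, saml_name in REQUIRED.items():
        if not attrs.get(saml_name):
            problems.append(f"{field}: SAML attribute {saml_name!r} missing or empty")
    return problems
```

Run `check_mapping(*parse_assertion(decode_saml_response(posted_value)))` on a captured SAMLResponse; any line it prints names the TalentLMS field whose attribute name does not match what Google sends.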