How to configure SSO with Google Apps

TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (such as Google) rather than obtaining and using a separate username and password handled by TalentLMS.

Under the SSO setup, TalentLMS can work as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.

The SSO SAML Integration is available in Basic, Plus and Premium subscription plans.

What you will need is an account in Google Apps for Work, which will handle the sign-in process and provide the authentication credentials of your users to TalentLMS. TalentLMS users authenticated through Google are managed in Google, and any change they make to their account (namely first name, last name, and email) is synced back to their TalentLMS account. The only user data TalentLMS requires is a unique identifier for each user (the user's email by default), the user's first name, last name and email. TalentLMS does not store passwords.

Keep in mind that TalentLMS only supports SP-initiated SSO, meaning that the SSO authentication process must start at the SP (TalentLMS). Unfortunately Google, unlike other IdPs, does not provide a mechanism to support SP-initiated SSO. A possible workaround is to create an additional app that points to https://{your-domain}.talentlms.com/index/ssologin/service:saml, so that clicking on that app forces SP-initiated SSO. Both apps (the one that forces SP-initiated SSO and the one described below) should be active and visible to your users. More details on how to configure a Bookmark app that forces SP-initiated SSO can be found at the end of this guide.

Step 1. Configure a SAML App on Google

  • As an administrator of your Google account, go to https://admin.google.com/ and click on Apps→SAML Apps. On the apps listing page, click on the plus sign at the bottom right to create a new SAML App. In the pop-up modal, click on "Setup my own custom app" at the bottom.

  • On the next page, note down the SSO URL and Entity ID values and download the Certificate, because you will need them to configure your TalentLMS domain.

  • On the next page, give a name and a description to your SAML app and upload a logo image.

  • On the next page you have to insert the Service Provider (TalentLMS) details. You will need to get the ACS URL and Entity ID from TalentLMS: go to your TalentLMS domain and navigate to Account & Settings→Users→SSO. At the bottom of the page you will see those values. Copy and paste them into this page. In the Start URL field type the following value:
    https://{your-domain}.talentlms.com/index/ssologin/service:saml where {your-domain} is your TalentLMS domain name.
    Uncheck the Signed Response checkbox.
    Choose Basic information and Primary Email for the Name ID option and finally set Name ID Format to UNSPECIFIED.

  • On the next page you have to configure the mapping of user account values to SAML attributes. The image below is just a suggestion. You can name your SAML attributes as you like; however, you must use exactly the same names when configuring TalentLMS.

  • Once the app is configured, it will not work until you turn it on for your domain. You can turn it on for everyone in your organization or for specific organizations.

Step 2. Enabling SAML SSO in your TalentLMS domain

Log in to your TalentLMS domain as a super-admin and go to Account & Settings→Users. If your subscription plan supports SSO integrations (currently supported in Basic, Plus and Premium plans), you can click on the Single Sign-On (SSO) link.

On this page you should fill in the information regarding the TalentLMS SAML App on Google.

  • SSO integration type: choose SAML2.0 from the drop-down list

  • Identity provider (IdP): copy and paste the Entity ID value from Step 2 of the App's configuration page.

  • Certificate fingerprint: download the certificate from Step 2 of the App's configuration page and open it with your favourite text editor. Copy the contents and paste them into the text area that appears when you click on the “paste your SAML certificate (PEM format)” link. The SHA-1 certificate fingerprint will be computed when you click on the Save button.

  • Remote sign-in URL: copy and paste the SSO URL value from Step 2 of the App's configuration page.

  • Remote sign-out URL: this field can be left blank.
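An added example (not TalentLMS's or Google's code) for checking that the SHA-1 fingerprint TalentLMS displays after Save matches the certificate you downloaded from Google. It decodes the PEM body to DER and hashes it, tolerating the line-ending and whitespace differences that copying and pasting can introduce; the PEM below is a constructed stand-in whose body decodes to the bytes "abc", not a real certificate.

```python
import base64
import hashlib
import re

# First CERTIFICATE block in the file; Google's download contains one.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in PEM text.

    Line endings, indentation and trailing spaces are not part of the
    certificate, so they are stripped before base64 decoding.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem_text: str) -> str:
    """SHA-1 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(displayed: str, pem_text: str) -> bool:
    """Compare the value shown on the TalentLMS SSO page with the file.

    Case and separators are normalised, so "a9:99:3e..." and "A9993E..."
    compare equal; only the hex digits matter.
    """
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return norm(displayed) == norm(sha1_fingerprint(pem_text))


# Constructed stand-in: the base64 body "YWJj" decodes to b"abc", so the
# fingerprint is the well-known SHA-1 test vector for "abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\n  YWJj \r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    print(sha1_fingerprint(SAMPLE_PEM))
```

Run it against the real downloaded file and compare the printed value with the fingerprint TalentLMS computed; a mismatch means the pasted certificate is not the one Google serves.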

The rest of the fields define the names of the SAML attributes that carry the user data provided by Google which TalentLMS requires.

  • TargetedID: this is the username of the user account and should be a unique identifier for each user. For this App you will have to use the email address.
    Type Email in this field.

  • First name: the first name of the user.
    Type FirstName in this field. 

  • Last Name: the last name of the user.
    Type LastName in this field.

  • Email: the email address of the user.
    Type Email in this field.

  • Group: the name(s) of the group(s) the user is a member of. This SAML variable may hold a single string value (a group name) or an array of string values (group names). If a group with the same name exists in your TalentLMS domain, the user will be assigned to that group and will get all courses of that specific group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Keep in mind that with this option the user is not removed from groups to match those sent by your IdP; only assignments to new groups are performed.

    Now click on the Save button at the bottom of the page. Your configuration page should look like this:

  • To check your configuration, click on the "Save and check your configuration" button. If the above steps were performed correctly, you should see a success message and the values fetched from Google for the SAML attributes defined in TalentLMS (TargetedID, First name, Last name and Email).

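An added example (not TalentLMS's own code) that reads an assertion's AttributeStatement the way the mapping above expects it: the attribute names FirstName, LastName, Email and Group are the ones this guide uses, TargetedID is taken from the Email attribute, and Group is accepted as either a single value or a list, which is the case the Group bullet describes. The assertion fragment is constructed for illustration and is unsigned; in real use the SP verifies the assertion signature before trusting any of these values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# TalentLMS field -> SAML attribute name, as typed in Step 2 of this guide.
MAPPING = {
    "TargetedID": "Email",   # username: the unique per-user value (the email)
    "First name": "FirstName",
    "Last name": "LastName",
    "Email": "Email",
    "Group": "Group",
}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {saml_attribute_name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        found[attr.get("Name")] = values
    return found


def map_user(assertion_xml: str) -> dict:
    """Apply the TalentLMS mapping; Group may be single- or multi-valued.

    Signature verification of the assertion is assumed to have happened
    already (Google signs the assertion; Signed Response stays unchecked).
    Every non-Group field must be present exactly once.
    """
    attrs = extract_attributes(assertion_xml)
    user = {}
    for field, saml_name in MAPPING.items():
        values = attrs.get(saml_name, [])
        if field == "Group":
            user[field] = values            # zero, one or many group names
        elif len(values) != 1:
            raise ValueError(f"{field}: expected one '{saml_name}' value, got {values}")
        else:
            user[field] = values[0]
    return user


# Constructed assertion fragment with a multi-valued Group attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Onboarding</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(map_user(SAMPLE_ASSERTION))
```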
Workaround on creating a Bookmark App that will force SP-initiated SSO

Assuming that you have already configured a custom app that works with TalentLMS following the instructions above, and its name is "TalentLMS", you need to create a new custom app that will act as a bookmark, i.e. it will just redirect the user to a specific TalentLMS endpoint. Let's call this new app "Talentlms Bookmark App".

To create the bookmark app, you only need to follow the instructions described in Step 1 above.

After clicking on "Setup my own custom app" do the following:

  • Google IdP Information: click Next. You will not need anything from this page, since you have already configured the "TalentLMS" SSO app to work with TalentLMS.

  • Basic information for your Custom App:
    Application name: Talentlms Bookmark App (or any other distinctive name that will lead your users to use this app instead of the "TalentLMS" app)
    Description: optional
    Upload logo: a logo of your choice

  • Service Provider Details:
    ACS URL: https://{your-domain}.talentlms.com/index/ssologin/service:saml
    Entity ID: dummyentity-{your-domain}.talentlms.com
    Start URL: https://{your-domain}.talentlms.com/index/ssologin/service:saml
    Leave the other options at their default values.

  • Attribute Mapping: just click on "FINISH" (you don't need to define a mapping; you already did so in the "TalentLMS" SSO app that works with TalentLMS).

  • Then turn the app "On for everyone" as you did with the "TalentLMS" app.

When your users click on this app (named "Talentlms Bookmark App") they will in fact be redirected to the URL defined under the ACS URL option, which forces an SP-initiated SSO. TalentLMS will then send a SAML request to the initially configured app (named "TalentLMS") to provide SSO to your users.

User Account Matching

At the time of writing, TalentLMS provides a passive mechanism for User Account Matching: existing TalentLMS user accounts are matched against SSO user accounts based on their username (TargetedID).

User account matching is only possible when the username (TargetedID) provided by Google is exactly the same as an existing TalentLMS account's username. In this case the TalentLMS user account state remains unchanged during the SSO login process; however, first name, last name, and email will be pulled from Google and will replace the existing values.

If the username (TargetedID) provided by Google for an existing TalentLMS user is different from his/her TalentLMS username, a new account will be created with the Google-provided username (TargetedID). In this case there will be two different accounts for the same person.

To ensure that User Account Matching is performed successfully, you should configure the Google TalentLMS App to send the same username for existing user accounts. The SAML 2.0 attribute name that carries the username is the TargetedID field with value targetedid, and it can be configured to send a unique per-user value from the Single Sign-on tab of the Google App configuration page. Refer to Step 1 of this guide for further details.

User Profile

Even though your users are allowed to change their profile (first name, last name, email and username), this is strongly discouraged. Changing first name, last name and email will only affect the current session; the next time a user signs in, those values will be pulled from Google. Changing the username will result in the undesirable effect of user mismatching, since users are matched on this value. So, you should notify your users of how SSO affects your TalentLMS domain and ask them to avoid changing first name, last name, email and especially username in their profile.

If your users are authenticated only through SSO, it is good practice to disable profile updates for your users by changing the specific user group permissions. To disable profile updates for your learners, go to the dashboard, click on User Types→Learner-Type→Generic→Profile and make sure that "Update" and "Change password" are not checked.

Congratulations

You have now configured your TalentLMS domain to provide SSO services. Your users may log in to your TalentLMS domain using the username and password stored in Google.
