How to configure SSO with OpenID Connect

TalentLMS supports Single Sign-On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IdP) rather than obtaining and using a separate username and password handled by TalentLMS.

Under the SSO setup, TalentLMS can work as a Service Provider (SP) allowing you to provide Single Sign-On (SSO) services for your domain.

The SSO OpenID Connect Integration is available in Basic, Plus and Premium subscription plans.

You will need an OpenID Connect Identity Provider (IdP), which handles the sign-in process and eventually passes the authenticated user's identity to TalentLMS. TalentLMS users authenticated through your OpenID Connect IdP are managed by your IdP, and any change made there to their first name, last name, or email is synced to their TalentLMS account on their next login. The only user data TalentLMS needs is a unique identifier for each user plus the user's first name, last name, and email. TalentLMS does not store passwords.

To configure SSO with OpenID Connect you will need:

  • the client id
  • the client secret
  • the OpenID Connect endpoint URLs

Enabling OpenID Connect SSO in your TalentLMS domain

Log in to your TalentLMS domain as a super-admin and go to Account & Settings → Users. If your subscription plan supports SSO integration (currently Basic, Plus and Premium plans), click the Single Sign-On (SSO) link.

  • SSO integration type: Choose OpenID Connect from the drop-down list.
  • Client id: the OpenID Connect client ID issued to TalentLMS by your IdP.
  • Client secret: the OpenID Connect client secret issued by your IdP. It authenticates TalentLMS to the token endpoint, so treat it like a password and rotate it at the IdP if it is ever exposed.
  • Token endpoint URL: the OpenID Connect token endpoint of your IdP, where TalentLMS exchanges the authorization code for tokens.
  • User info endpoint URL: the OpenID Connect UserInfo endpoint of your IdP, from which TalentLMS reads the user's profile claims (name, email, username etc.).
  • Authorization endpoint URL: the OpenID Connect authorization endpoint of your IdP, to which TalentLMS redirects users with its authentication requests.

The remaining fields name the OpenID Connect claims, as sent by your IdP, that carry the user data TalentLMS needs.

  • Username: the username of the user account; it must be a unique, stable identifier for each user, since it is the only value TalentLMS uses to match accounts. Default value: uid
  • First name: the first name of the user. Default value: given_name
  • Last Name: the last name of the user. Default value: family_name
  • Email: the email address of the user. Default value: email. Email is essential for TalentLMS communication, so make sure that all users have valid email addresses.
  • Group: the name(s) of the group(s) the user is a member of. This claim may hold a single string (one group name) or an array of strings (several group names). If a group with the same name exists in your TalentLMS domain, the user is assigned to that group and receives all of its courses on their first login. The option "Add assigned groups with each login" can be selected to repeat group assignment on every login. Keep in mind that with this option the user is never removed from groups to match those sent by your IdP; only assignments to new groups are performed.

Identity provider (IdP) configuration

The next step is to ensure that your IdP can communicate with your SSO-enabled TalentLMS service provider. Below you can find everything you need for your IdP configuration. Replace [your domain] with your domain name. For example, if you access TalentLMS through example.talentlms.com, replace [your domain] with example.

  • The Authorized redirect URL is: https://[your domain].talentlms.com/simplesaml/module.php/openidconnect/resume.php
  • Post logout redirect URL is: https://[your domain].talentlms.com/index/logout. This is optional and is the TalentLMS endpoint where users are redirected after a successful logout from your IdP.
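To make concrete how the form fields above are used during a login, here is an added example, written for this article and not TalentLMS's own code, of the relying-party steps in Python: building the authorization request against the configured Authorization endpoint, checking the state value on the redirect back to the resume.php URL, preparing the token-endpoint request, and mapping the IdP's claims onto the Username, First name, Last name, Email and Group fields, including a Group value arriving as either a string or an array and the "only add groups, never remove" rule. The IdP endpoints, client id and userinfo response are all constructed for a hypothetical IdP that exposes a `uid` claim; a real IdP may use a different claim for the username, which is what the "Save and check your configuration" step lets you inspect.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values as they would be typed into the TalentLMS SSO form. Everything here is a
# constructed placeholder for a hypothetical IdP, not a real credential or endpoint.
CONFIG = {
    "client_id": "talentlms-rp",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    # The Authorized redirect URL from the article, with [your domain] = example.
    "redirect_uri": "https://example.talentlms.com/simplesaml/module.php/openidconnect/resume.php",
    # Claim names entered in the Username / First name / Last name / Email / Group fields.
    "username_claim": "uid",
    "first_name_claim": "given_name",
    "last_name_claim": "family_name",
    "email_claim": "email",
    "group_claim": "groups",
}

# Constructed UserInfo response from the hypothetical IdP.
SAMPLE_USERINFO = {
    "sub": "2f8e7c1a-3b5d-4a6e-9f10-1c2d3e4f5a6b",
    "uid": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane.doe@example.com",
    "email_verified": True,
    "groups": ["Sales", "Support"],
}


def new_session_values():
    """Per-login random state (binds the callback to this browser session) and nonce
    (echoed in the ID token). Both must be stored server-side before redirecting."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_request(cfg, state, nonce):
    """Authorization-code request sent to the configured Authorization endpoint."""
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{cfg['authorization_endpoint']}?{urlencode(params)}"


def handle_callback(callback_url, expected_state):
    """Validate the redirect back to resume.php and return the authorization code.
    A state that does not match the session is rejected: it is a reply to a request
    this session never made (login CSRF or a mixed-up response)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback was not started by this session")
    if "error" in qs:
        raise ValueError(f"IdP returned an error: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def token_request_body(cfg, code, client_secret):
    """Form body the server side POSTs to the Token endpoint (built, not sent, here).
    The client secret is what the Client secret field protects."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "client_secret": client_secret,
    })


def map_claims(cfg, userinfo):
    """Translate the IdP's claims onto the attributes TalentLMS needs. The Group claim
    may be a single string or an array of strings; a missing Group means no groups."""
    required = ("username_claim", "first_name_claim", "last_name_claim", "email_claim")
    missing = [cfg[k] for k in required if cfg[k] not in userinfo]
    if missing:
        raise KeyError(f"IdP did not send required claims: {missing}")
    groups = userinfo.get(cfg["group_claim"]) or []
    if isinstance(groups, str):
        groups = [groups]
    return {
        "username": userinfo[cfg["username_claim"]],
        "first_name": userinfo[cfg["first_name_claim"]],
        "last_name": userinfo[cfg["last_name_claim"]],
        "email": userinfo[cfg["email_claim"]],
        "groups": list(groups),
    }


def groups_to_add(current_groups, idp_groups, domain_groups):
    """Assignment rule from the article: join IdP-named groups that exist in the
    TalentLMS domain; never remove the user from groups the IdP stopped sending."""
    return sorted((set(idp_groups) & set(domain_groups)) - set(current_groups))


if __name__ == "__main__":
    state, nonce = new_session_values()
    print(build_authorization_request(CONFIG, state, nonce))
    attrs = map_claims(CONFIG, SAMPLE_USERINFO)
    print(attrs)
    print(groups_to_add(["Sales"], attrs["groups"], ["Sales", "Support", "HR"]))
```

The state check is the step worth reading twice: the Authorized redirect URL you register at the IdP is where the code arrives, and only a state that matches the one stored in the session proves the code belongs to the login this browser started.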

Configure SSO with Google OAuth 2.0 APIs that conform to the OpenID Connect specification

Google's OAuth 2.0 APIs can be used for both authentication and authorization. Google's OAuth 2.0 implementation for authentication conforms to the OpenID Connect specification and is OpenID Certified, so it can be used to provide SSO services for TalentLMS.

Before TalentLMS can use Google's authentication system, you must create a project in Google's API console to obtain OAuth 2.0 credentials (i.e. a client ID and secret) and set the Authorized redirect URL. Go to Google's API console (https://console.developers.google.com/) and create a new project. Then select "Credentials" from the left sidebar, click the "Create credentials" button, and select "OAuth client ID".

Next, click on "Configure consent screen" to describe what information users release, and under which terms, when they log in to TalentLMS through Google. There you can configure the product name shown to users, the homepage URL, the product logo URL, the privacy policy URL, and the terms of service URL. Click "Save", then on the next screen select "Web application" from the available options, give it a name and paste the "Authorized redirect URL" found at the bottom of the TalentLMS SSO configuration form.
This URL is of the form https://[your domain].talentlms.com/simplesaml/module.php/openidconnect/resume.php. Replace [your domain] with your actual TalentLMS domain and click "Create". Register this exact URL and nothing broader: the IdP will only send authorization codes to redirect URLs you have listed.


Then you will be provided with the client ID and client secret, which should be copied to the respective fields in the TalentLMS SSO with OpenID Connect form.

The OpenID Connect endpoints (token, user info, and authorization endpoints) can be found in the following OpenID Connect Discovery document:

https://accounts.google.com/.well-known/openid-configuration

The following key/value pairs were published there at the time of writing and should be copied to the respective fields in the TalentLMS SSO with OpenID Connect form. Always copy the current values from the discovery document rather than from this page, since Google may move its endpoints.

Token endpoint: https://www.googleapis.com/oauth2/v4/token

User info endpoint: https://www.googleapis.com/oauth2/v3/userinfo

Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth

You can leave the remaining fields at their default values:

Username: uid

First name: given_name

Last name: family_name

Email: email

Group: blank

Click on the "Save and check your configuration" button, log in with your Google account when prompted and inspect which attribute/value pairs Google sends for your account. This is where you confirm that the claim names in the Username, First name, Last name and Email fields match what the IdP actually sends.

To further ensure that your domain is accessed only from your organization's accounts, you may restrict registration, and thus access through OpenID Connect, to specific email domains by filling in the "Restrict registration to specific domains" field in Account & Settings → Basic settings → Security for your main domain, or in Branch edit screen → Users if you are configuring OpenID Connect for a specific branch. Without this restriction, any account that your IdP authenticates (with Google, any Google account) can create a TalentLMS user on its first login.

User Account Matching

At the time of writing, TalentLMS provides a passive mechanism for User Account Matching: existing TalentLMS user accounts are matched against SSO user accounts solely by username.

User account matching is only possible when the username provided by your IdP is exactly the same as an existing TalentLMS account's username. In this case the TalentLMS user account's state remains unchanged during the SSO login; however, first name, last name, and email are pulled from your IdP and replace the existing values.

If the username provided by your IdP for an existing TalentLMS user differs from their TalentLMS username, a new account is created with the IdP-provided username. In this case, two different accounts will exist for the same person.

To ensure that User Account Matching succeeds, configure your IdP to send the same username as the existing user accounts. The OpenID Connect claim that carries the username is set in the "Username" field of the TalentLMS SSO configuration page.
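The matching rules in this section, together with the "Restrict registration to specific domains" setting described earlier, can be rehearsed before rollout. The following is an added Python example, not TalentLMS's code, that models one SSO login against a small in-memory set of accounts exactly as the text describes (exact username match keeps the account and overwrites the profile; no match creates a new account, subject to the domain restriction) and includes a pre-rollout audit that lists IdP users whose email already belongs to a TalentLMS account under a different username, since each of those would become a duplicate account. The account records and IdP directory are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """The subset of a TalentLMS user record that SSO touches."""
    username: str
    first_name: str
    last_name: str
    email: str
    active: bool = True


def email_domain(email):
    return email.rsplit("@", 1)[-1].lower()


def sso_login(accounts, idp_user, allowed_domains=None):
    """Apply the article's matching rules to one SSO login.

    accounts:        dict username -> Account, standing in for the TalentLMS domain
    idp_user:        attributes already mapped from the IdP's claims
    allowed_domains: the 'Restrict registration to specific domains' setting, if any
    Returns (account, created).
    """
    username = idp_user["username"]
    existing = accounts.get(username)          # exact, case-sensitive match only
    if existing is not None:
        # Matched: account state (e.g. deactivated) is left alone, profile overwritten.
        existing.first_name = idp_user["first_name"]
        existing.last_name = idp_user["last_name"]
        existing.email = idp_user["email"]
        return existing, False
    # No match: this login registers a new user, so the domain restriction applies.
    domain = email_domain(idp_user["email"])
    if allowed_domains and domain not in {d.lower() for d in allowed_domains}:
        raise PermissionError(f"registration from {domain} is not allowed")
    created = Account(username, idp_user["first_name"],
                      idp_user["last_name"], idp_user["email"])
    accounts[username] = created
    return created, True


def audit_duplicates(accounts, idp_directory):
    """Pre-rollout check: IdP users whose email already belongs to a TalentLMS account
    under a different username. Each would become a second account for the same person
    on first SSO login; fix the IdP username or rename the TalentLMS account first."""
    by_email = {a.email.lower(): a.username for a in accounts.values()}
    findings = []
    for user in idp_directory:
        existing = by_email.get(user["email"].lower())
        if existing is not None and existing != user["username"]:
            findings.append({"email": user["email"],
                             "talentlms_username": existing,
                             "idp_username": user["username"]})
    return findings


# Constructed sample data: two existing accounts and the IdP's view of the same people.
SAMPLE_ACCOUNTS = {
    "jdoe": Account("jdoe", "Jane", "Doe", "jane.doe@example.com", active=False),
    "bsmith": Account("bsmith", "Bob", "Smith", "bob.smith@example.com"),
}
SAMPLE_IDP_USERS = [
    {"username": "jane.doe", "first_name": "Jane", "last_name": "Doe",
     "email": "jane.doe@example.com"},                       # username differs: duplicate
    {"username": "bsmith", "first_name": "Robert", "last_name": "Smith",
     "email": "bob.smith@example.com"},                      # matches: profile refreshed
]


def rehearse(accounts, idp_users, allowed_domains):
    """Run every IdP user through sso_login and report what happened to each."""
    outcome = {}
    for user in idp_users:
        try:
            _, created = sso_login(accounts, user, allowed_domains)
            outcome[user["username"]] = "created" if created else "matched"
        except PermissionError:
            outcome[user["username"]] = "rejected"
    return outcome


if __name__ == "__main__":
    print(audit_duplicates(SAMPLE_ACCOUNTS, SAMPLE_IDP_USERS))
    print(rehearse(SAMPLE_ACCOUNTS, SAMPLE_IDP_USERS, ["example.com"]))
```

Run the audit against an export of your IdP directory before enabling SSO; the rehearsal shows that a deactivated account stays deactivated when matched, while an unmatched username silently creates a second account for the same person.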

User Profile

Even though your users are allowed to change their profile (first name, last name, email, and username), this is strongly discouraged. Changing the first name, last name or email only lasts for the current session; the next time a user signs in, those values are pulled again from your IdP. Changing the username has the worse effect of breaking account matching, since users are matched on this value, so the user's next SSO login creates a new account. Tell your users how SSO affects your TalentLMS domain and that they should not change their first name, last name, email and especially their username from their profile.

If your users are authenticated only through SSO, it is good practice to disable profile updates by changing the permissions of the relevant user type. To disable profile updates for your learners, go to the dashboard, click User Types → Learner-Type, and under Generic → Profile make sure that "Update" and "Change password" are not checked.

Known issues

Keep in mind that TalentLMS only supports SP-initiated SSO; IdP-initiated logins are not accepted. To start an SP-initiated login from the IdP side, create a custom bookmark app on your IdP that points to https://[your domain].talentlms.com/index/ssologin/service:oidc. Clicking the bookmark app redirects users to TalentLMS, which then starts the SP-initiated SSO. This is a limitation only in convenience: SP-initiated login is the flow in which the relying party generates and checks the state and nonce values, so it is also the stronger of the two.

Congratulations

You have now configured your TalentLMS domain to use SSO. Your users can log in to your TalentLMS domain with the credentials held by your OpenID Connect Identity Provider.

