How to configure SSO with an LDAP identity provider

TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IdP) or your corporate user database rather than obtaining and using a separate username and password handled by TalentLMS.

Under the SSO setup, TalentLMS can work as a Service Provider (SP) allowing you to provide Single Sign On (SSO) services for your domain.

The SSO LDAP Integration is available in Basic, Plus and Premium subscription plans.

What you will need is an enterprise LDAP Identity Provider (IdP) that handles the sign-in process and provides the authentication credentials of your users to TalentLMS. TalentLMS users authenticated through your LDAP IdP are managed by your IdP, and any change made to their account there (namely first name, last name, and email) is synced back to their TalentLMS account. The only user data TalentLMS needs is a unique identifier for each user, plus the user's first name, last name and email. TalentLMS does not store passwords.

To configure LDAP SSO you will need:

  • the URL and the port of the LDAP Identity Provider (IdP) handling user sign-in requests
  • an LDAP server that allows incoming connections from TalentLMS
  • the DN pattern of your LDAP configuration
  • the username attribute of your LDAP configuration

Enabling LDAP SSO in your TalentLMS domain

Log in to your TalentLMS domain as a super-admin and go to Account & Settings > Users. If your subscription plan supports SSO Integrations (currently supported in Basic, Plus and Premium plans), you can click on the Single Sign-On (SSO) link. Then fill in the following fields:

  • LDAP server: the URL or IP of your LDAP server
  • Server port: the port of your LDAP server
  • SSL/TLS enabled: select Yes if your LDAP server supports SSL/TLS. If your server supports SSL/TLS, then the LDAP server field should be of the form ldaps://ldap-hostname and in most cases the Server port should be set to 636.
  • Bind DN and Bind password: these are optional. Fill in Bind DN and Bind password based on your LDAP server configuration
  • DN pattern: fill in the DN pattern of your LDAP configuration that allows user authentication against the LDAP database. The DN pattern defined here is part of the authentication string, which consists of i) the Username attribute (usually uid) defined below, ii) the username the user enters in the login form and iii) the DN pattern defined here. For example, if the DN pattern is defined as ou=people,dc=example,dc=org, the username attribute is defined as uid, and the username entered in the login form is talentuser, then the authentication string sent to your LDAP server will be uid=talentuser,ou=people,dc=example,dc=org

The rest of the fields are optional and can be left blank for most LDAP IdP deployments. In this case default values will be applied. These fields define the attribute names of the LDAP protocol containing user data provided by your IdP that is essential for TalentLMS.

  • Username: fill in the username attribute. Usually uid. Keep in mind that this value is combined with the DN pattern defined above and the username of your users to form the authentication string sent to your LDAP server.
  • Full name: fill in the full name attribute of the user. Default value: displayName
  • Email: fill in the email attribute of the user. Default value: mail. Note that email is essential for TalentLMS communication, so you should make sure that all users have valid email addresses.
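The following script is an added example (not TalentLMS code) that shows how the authentication string described above is composed from the Username attribute, the login username and the DN pattern, and why the username must be escaped per RFC 4514 before it is spliced in: an unescaped comma in a username would otherwise change the DN structure. It also flags the LDAP server / Server port / SSL/TLS combinations the article advises against; the example.org values come from the article, while the port defaults (389 plain, 636 for ldaps) are the IANA-registered ones.

```python
"""Compose the LDAP bind string TalentLMS sends (username attribute + username
+ DN pattern) with RFC 4514 escaping, and sanity-check server/port/TLS settings.
Added example, not TalentLMS code; no LDAP library is needed to run it."""
from urllib.parse import urlsplit

# Characters that must be backslash-escaped inside an RDN value (RFC 4514, 2.4).
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape a username so it cannot alter the DN structure (for instance by
    smuggling an extra ',ou=...' component) when spliced into the bind string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username: str, username_attr: str = "uid",
                  dn_pattern: str = "ou=people,dc=example,dc=org") -> str:
    """Build <attr>=<escaped username>,<DN pattern> exactly as the article describes."""
    if not username or not username_attr or not dn_pattern:
        raise ValueError("username, username attribute and DN pattern are all required")
    return f"{username_attr}={escape_rdn_value(username)},{dn_pattern}"


def check_server_settings(server: str, port: int, tls: bool) -> list:
    """Return warnings for server/port/TLS combinations the article advises against."""
    warnings = []
    scheme = urlsplit(server).scheme.lower() if "://" in server else ""
    if tls and scheme != "ldaps":
        warnings.append("SSL/TLS enabled but LDAP server is not of the form ldaps://hostname")
    if tls and port != 636:
        warnings.append("SSL/TLS enabled but Server port is not 636; check your server")
    if not tls and scheme == "ldaps":
        warnings.append("ldaps:// URL given but SSL/TLS is disabled")
    if not tls:
        warnings.append("bind credentials travel in clear text; enable SSL/TLS if the server supports it")
    return warnings


if __name__ == "__main__":
    print(build_bind_dn("talentuser"))  # uid=talentuser,ou=people,dc=example,dc=org
    print(check_server_settings("ldap://ldap.example.org", 389, True))
```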

User Profile

Even though your users are allowed to change their profile (first name, last name, email and username), this is strongly discouraged. Changing first name, last name or email affects only the current session; the next time a user signs in, those values are pulled from your LDAP server again. Changing the username causes user mismatching, since users are matched on this value. So, you should notify your users how SSO affects your TalentLMS domain and tell them to avoid changing first name, last name, email and especially username from their profile.

If your users are authenticated only through SSO, it is good practice to disable profile updates for your users by changing the permissions of the specific user type. To disable profile updates for your learners, go to the dashboard, click on User Types > Learner-Type > Generic Profile and make sure that "Update" and "Change password" are not checked.

Congratulations

You have now configured your TalentLMS domain to provide SSO services. Your users may log in to your TalentLMS domain using the username and password stored in your LDAP server.