How to configure SSO with a SAML 2.0 identity provider

TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IdP) rather than obtaining and using a separate username and password handled by TalentLMS.

Under the SSO setup, TalentLMS acts as a Service Provider (SP) using SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) for your domain.

The SSO SAML integration is available in the Basic, Plus and Premium subscription plans.

What you need is a SAML Identity Provider (IdP), which handles the sign-in process and passes the authenticated identity of your users to TalentLMS. TalentLMS users authenticated through your SAML IdP are managed by your IdP, and any change made to their account there (namely first name, last name, and email) is synced back to their TalentLMS account. The only user data TalentLMS needs is a unique identifier for each user plus the user's first name, last name and email. TalentLMS does not store passwords.

What you will need to configure SAML SSO:

  • the version of your SAML Identity Provider (IdP); currently TalentLMS supports SAML 2.0
  • the URL of the SAML Identity Provider (IdP) handling user sign-in requests
  • the remote sign-in URL, where TalentLMS redirects users for signing in
  • the remote sign-out URL, where TalentLMS redirects users for signing out
  • the fingerprint of the SAML certificate that the IdP uses to sign the SAML assertions sent to TalentLMS. The SAML certificate is usually provided by the IdP in PEM format. Keep in mind that TalentLMS only works with RSA certificates; DSA certificates are not supported.

Enabling SAML SSO in your TalentLMS domain

Log in to your TalentLMS domain as a super-admin and go to Account & Settings > Users. If your subscription plan supports SSO integrations (currently the Basic, Plus and Premium plans), you can click the Single Sign-On (SSO) link.

  • SSO integration type: choose SAML 2.0 from the drop-down list.
  • Identity provider (IdP): type the Identity Provider's (IdP) URL.
  • Certificate fingerprint: fill in the SHA-1 fingerprint of the SAML certificate provided by your IdP. Alternatively, you can download the SAML certificate in PEM format from your IdP, open it with your favorite text editor, and paste its contents into the text area that appears when you click the “paste your SAML certificate (PEM format)” link. The SHA-1 certificate fingerprint is computed when you click the Save button. Keep in mind that TalentLMS only works with RSA certificates; DSA certificates are not supported.
  • Remote sign-in URL: fill in the remote sign-in URL of your IdP. This is the URL to which TalentLMS redirects your users for signing in.
  • Remote sign-out URL: fill in the remote sign-out URL of your IdP. This is the URL to which TalentLMS redirects your users when they sign out.
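The fingerprint field above is the SHA-1 digest of the certificate's DER bytes, and the RSA-only restriction is a property of the certificate's subjectPublicKeyInfo. The following added example (not TalentLMS code) shows both checks with the Python standard library only: it strips the PEM armour, computes the colon-separated SHA-1 fingerprint, and walks the DER structure in RFC 5280 field order to read the public-key algorithm OID. Because a real IdP certificate cannot be embedded here, the sample input is a constructed, certificate-shaped DER blob (`build_sample_cert_der`) that respects only the field order; it is not a valid X.509 certificate.

```python
import base64
import hashlib
import re

# DER-encoded OID bodies for the two public-key algorithms the settings page distinguishes.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
ID_DSA_OID = bytes.fromhex("2a8648ce380401")              # 1.2.840.10040.4.1 (id-dsa)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def der_to_pem(der: bytes) -> str:
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sha1_fingerprint(der: bytes) -> str:
    """The fingerprint asked for is SHA-1 over the DER bytes, shown as colon-separated uppercase hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next N bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split a constructed value (SEQUENCE) into its (tag, value) members."""
    members, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        members.append((tag, val))
    return members


def public_key_algorithm(der: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm -> OID."""
    _, certificate, _ = _read_tlv(der, 0)
    tbs = _children(certificate)[0][1]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki = fields[5][1]
    algorithm = _children(spki)[0][1]       # AlgorithmIdentifier SEQUENCE
    oid = _children(algorithm)[0][1]        # its first member is the OBJECT IDENTIFIER
    return {RSA_ENCRYPTION_OID: "RSA", ID_DSA_OID: "DSA"}.get(oid, "unknown")


def check_idp_certificate(pem: str) -> dict:
    der = pem_to_der(pem)
    algorithm = public_key_algorithm(der)
    return {"fingerprint_sha1": sha1_fingerprint(der),
            "key_algorithm": algorithm,
            "accepted_by_talentlms": algorithm == "RSA"}


# --- constructed sample input (not a real certificate) ---------------------------------
def _tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def build_sample_cert_der(key_oid: bytes) -> bytes:
    """Minimal certificate-shaped DER that only respects RFC 5280 field order;
    the empty placeholder fields make it unusable as a real X.509 certificate."""
    algorithm = _tlv(0x30, _tlv(0x06, key_oid) + _tlv(0x05, b""))      # AlgorithmIdentifier {oid, NULL}
    spki = _tlv(0x30, algorithm + _tlv(0x03, b"\x00\x30\x00"))          # placeholder key BIT STRING
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                          # [0] version = v3
               + _tlv(0x02, b"\x01")                                    # serialNumber
               + _tlv(0x30, b"") + _tlv(0x30, b"")                      # signature, issuer (placeholders)
               + _tlv(0x30, b"") + _tlv(0x30, b"")                      # validity, subject (placeholders)
               + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))     # + signatureAlgorithm, signatureValue


if __name__ == "__main__":
    for name, oid in (("rsa-sample", RSA_ENCRYPTION_OID), ("dsa-sample", ID_DSA_OID)):
        print(name, check_idp_certificate(der_to_pem(build_sample_cert_der(oid))))
```

On a real IdP certificate file the same two facts come from `openssl x509 -in idp.pem -noout -fingerprint -sha1` and the "Public Key Algorithm" line of `openssl x509 -in idp.pem -noout -text`; comparing the value TalentLMS displays after Save against the openssl output confirms that the pasted PEM was not truncated or altered in transit.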

The remaining fields are optional and can be left blank for most SAML IdP deployments, in which case default values apply. These fields define the names of the SAML attributes, sent by your IdP, that carry the user data TalentLMS needs.

  • TargetedID: this is the username of the user account and should be a unique identifier for each user. Default value: urn:oid:1.3.6.1.4.1.5923.1.1.1.10. If your users are uniquely identified by another SAML attribute, set it here; otherwise the TargetedID attribute suffices for this purpose.
  • First name: the first name of the user. Default value: urn:oid:2.5.4.42
  • Last Name: the last name of the user. Default value: urn:oid:2.5.4.4
  • Email: the email address of the user. Default value: urn:oid:0.9.2342.19200300.100.1.3. Note that email is essential for TalentLMS communication, so you should make sure that all users have valid email addresses.
  • Group: the name(s) of the group(s) the user is a member of. This SAML attribute may hold a single string value (group name) or an array of string values (group names). If a group with the same name exists in your TalentLMS domain, the user is assigned to that group and receives all courses of that group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Keep in mind that with this option the user is not removed from groups to match those sent by your IdP; only assignments to new groups are performed.

Avoid attribute names containing underscores ( _ ). For example, do not configure your IdP to send First Name under the name "first_name"; prefer "firstname" instead.

Identity provider (IdP) configuration

The next step is to ensure that your IdP can communicate with your SAML-enabled TalentLMS service provider. Below you can find everything you need for your IdP configuration. Replace [your domain] with your domain name. For example, if you access your TalentLMS through example.talentlms.com, replace [your domain] with example.

  • The Entity ID of your TalentLMS Service Provider is: [your domain].talentlms.com
  • The Assertion Consumer Service (ACS) URL is: https://[your domain].talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/[your domain].talentlms.com
  • The Single Logout Service URL is: https://[your domain].talentlms.com/simplesaml/module.php/saml/sp/saml2-logout.php/[your domain].talentlms.com

The Service Provider metadata for your domain can be obtained from the following URL:

https://[your domain].talentlms.com/simplesaml/module.php/saml/sp/metadata.php/[your domain].talentlms.com?output=xhtml

User Account Matching

At the time of writing, TalentLMS provides a passive mechanism for User Account Matching. This means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.

User account matching is only possible when the username provided by your IdP is exactly the same as an existing TalentLMS account's username. In this case, the TalentLMS user account state remains unchanged during the SSO login process; however, first name, last name, and email are pulled from your IdP and replace the existing values.

If the username provided by your IdP for an existing TalentLMS user is different from his/her TalentLMS username, a new account is created with the IdP-provided username. In this case two different accounts will exist for the same person.

To ensure that User Account Matching is performed successfully, configure your IdP to send the same username for existing user accounts. The SAML 2.0 attribute name that carries the username is defined in the TargetedID field on the TalentLMS SSO configuration page.
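The attribute mapping described under the optional fields and the matching rules described in this section are easiest to reason about end to end. The following added example (not TalentLMS code, and not a description of its internals) parses the AttributeStatement of a constructed SAML 2.0 assertion with the Python standard library, maps the default OIDs to profile fields, flags attribute names with underscores, handles the Group attribute arriving as a single value or as an array, and then applies the username-based matching rules to a small in-memory user table. The page gives no default name for the Group attribute, so the example assumes a configured attribute named `groups`; the usernames, names, email and group names are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default attribute names from the SSO settings page; "groups" is an assumed configured name.
DEFAULT_ATTRIBUTE_MAP = {
    "username":  "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",   # TargetedID
    "firstname": "urn:oid:2.5.4.42",                     # First name
    "lastname":  "urn:oid:2.5.4.4",                      # Last Name
    "email":     "urn:oid:0.9.2342.19200300.100.1.3",    # Email
    "groups":    "groups",                               # Group (assumption, no page default)
}

# Constructed sample assertion body (signature and Subject omitted; only the AttributeStatement matters here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Onboarding</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]}; a single-valued attribute is simply a one-element list."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return attributes


def names_with_underscores(attributes: dict) -> list:
    """Attribute names the page advises against (e.g. first_name instead of firstname)."""
    return [name for name in attributes if "_" in name]


def build_profile(attributes: dict, attribute_map: dict = DEFAULT_ATTRIBUTE_MAP) -> dict:
    """Map IdP attributes to the fields TalentLMS needs; every field except groups is required."""
    profile = {}
    for field, saml_name in attribute_map.items():
        values = attributes.get(saml_name, [])
        if field == "groups":
            profile[field] = values                       # string or array both end up as a list
        elif not values:
            raise ValueError(f"IdP did not send required attribute {saml_name} ({field})")
        else:
            profile[field] = values[0]
    return profile


def apply_sso_login(users: dict, profile: dict, known_groups: set, add_groups_each_login: bool = False) -> bool:
    """Apply the matching rules from the text to users (username -> account). Returns True if a new
    account was created, i.e. the IdP username did not exactly match an existing username."""
    username = profile["username"]
    account = users.get(username)
    created = account is None
    if created:
        account = {"firstname": None, "lastname": None, "email": None, "groups": set(), "sso_linked": False}
        users[username] = account
    for field in ("firstname", "lastname", "email"):      # always overwritten from the IdP
        account[field] = profile[field]
    if not account["sso_linked"] or add_groups_each_login:
        # Only groups that already exist in the domain are assigned, and assignment is additive only.
        account["groups"] |= set(profile["groups"]) & known_groups
    account["sso_linked"] = True
    return created


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print("underscore names:", names_with_underscores(attrs))
    profile = build_profile(attrs)
    users = {"jdoe": {"firstname": "J", "lastname": "D", "email": "old@example.com",
                      "groups": {"Legacy"}, "sso_linked": False}}
    print("created:", apply_sso_login(users, profile, known_groups={"Sales", "Legacy"}), users)
```

Running the `__main__` section with a second profile whose username is `jane.doe` instead of `jdoe` produces the duplicate-account situation the text warns about: the table ends up with two entries for the same person, which is why the TargetedID attribute on the IdP side must carry exactly the existing TalentLMS username.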

User Profile

Even though your users are allowed to change their profile (first name, last name, email and username), this is strongly discouraged. Changing first name, last name and email affects only the current session; the next time a user signs in, those values are pulled from your IdP server again. Changing the username results in the undesirable effect of user mismatching, since users are matched on this value. So, you should notify your users how SSO affects your TalentLMS domain and ask them not to change first name, last name, email and especially username from their profile.

If your users are authenticated only through SSO, it is good practice to disable profile updates for your users by changing the permissions of the specific user type. To disable profile updates for your learners, go to the dashboard, click User Types > Learner-Type > Generic > Profile and make sure that "Update" and "Change password" are not checked (1).


Known issues

Keep in mind that TalentLMS only supports SP-initiated SSO. To trigger SP-initiated SSO from the IdP side, it is recommended to redirect your users to https://{your-domain}/index/ssologin/service:saml by creating a custom bookmark app on your IdP. By clicking the bookmark app, users are redirected to TalentLMS, which starts an SP-initiated SSO.

Congratulations

You have now configured your TalentLMS domain to provide SSO services. Your users may log in to your TalentLMS domain using the username and password stored in your SAML Identity Provider.
