How to configure SSO with OneLogin

TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (such as OneLogin) rather than obtaining and using a separate username and password handled by TalentLMS.

Under the SSO setup, TalentLMS can work as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.

The SSO SAML Integration is available in Basic, Plus and Premium subscription plans.

What you will need is an account in OneLogin, which will handle the sign-in process and eventually provide the authentication credentials of your users to TalentLMS. TalentLMS users authenticated through OneLogin are managed from OneLogin, and any change they make to their account (namely first name, last name, and email) is synced back to their TalentLMS account. The only user data TalentLMS needs is a unique identifier for each user, plus the user's first name, last name and email. The user's email is used by default as the unique identifier for each user. However, this can be changed, and you can choose the Active Directory or LDAP username instead if your OneLogin users are retrieved from your Active Directory or LDAP server. TalentLMS does not store passwords.

Step 1. OneLogin Configuration

  • Log in to OneLogin and navigate to Apps → Find Apps, and type TalentLMS in the search field. Then click on the add link.
 
  • On the next page, check Allow sign-in for assumed users, select your organization in the "This app will be used by" radio group and click on Continue.


  • In the Configuration Tab, type your full TalentLMS domain name into the Subdomain field and click on Update. In this example the SSO-enabled TalentLMS domain is ssointer.talentlms.com.
   
  • In the Single Sign-on Tab, you can view the Identity Provider ID (Issuer URL) and the SAML login/logout endpoints. You will need them later on, when configuring your TalentLMS domain. Select Configured by admin in the Credentials radio group. In the Default values area you can define which attributes OneLogin will send to TalentLMS. It is advised to keep the default values.
    Care should be taken, though, with Name Identifier (Subject) and Targeted Id. These attributes uniquely identify your users and should not change. If your OneLogin account is connected to your Active Directory or LDAP server, it is strongly advised to select Username for these two fields. Keep in mind that the first time a user logs in to your TalentLMS domain through OneLogin, a new TalentLMS user account is created based on the Targeted Id value. If the Targeted Id value for a specific user changes over time (for example, if Targeted Id is the user's email, which the user may update in his/her profile page), then the next time the user logs in, a new TalentLMS user account will be created based on the new Targeted Id value. This means that two or more TalentLMS accounts may be created for the same person. This is an undesirable effect and should be avoided by choosing a value that is unique for each user in the Name Identifier (Subject) and Targeted Id attributes.
    At the bottom of this page you can find the x.509 certificate. You will need this later on, when configuring your TalentLMS domain.
  
Step 2. Enabling SAML SSO in your TalentLMS domain

Log in to your TalentLMS domain as a super-admin and go to Account & Settings → Users. If your subscription plan supports SSO integrations (currently supported in the Basic, Plus and Premium plans), you can click on the Single Sign-On (SSO) link.

On this page you should fill in the information regarding the TalentLMS OneLogin App.

  • SSO integration type: choose SAML2.0 from the drop-down list

  • Identity provider (IdP): type the Identity Provider's URL. This is the Issuer URL found in the Single Sign-on Tab of the OneLogin App configuration page.



  • Certificate fingerprint: copy the x.509 certificate contents from the bottom of the Single Sign-on Tab of the OneLogin App configuration page. Then paste them in the text area that will appear when you click on the “paste your SAML certificate (PEM format)” link. The SHA-1 Certificate fingerprint will be computed when you click on the Save button.
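An added example (not part of this guide, TalentLMS or OneLogin) of how that SHA-1 fingerprint is derived, so you can compare the value TalentLMS computes after Save with the one shown in OneLogin: strip the PEM armour, base64-decode to DER, and hash the DER bytes. The certificate body below is constructed, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for the PEM block copied from OneLogin. A real
# certificate body is base64-encoded DER; this body is made-up bytes that
# merely start with the DER SEQUENCE tag, so its fingerprint is illustrative.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x82" + b"constructed-not-a-real-cert" * 3).decode()
    + "\n-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Remove the PEM header/footer and all whitespace and return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = re.sub(r"\s+", "", body)  # pasted text may be re-wrapped or carry CRLF
    der = base64.b64decode(body, validate=True)
    if not der.startswith(b"\x30"):  # every DER X.509 certificate starts with a SEQUENCE tag
        raise ValueError("decoded data does not look like a DER certificate")
    return der

def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER bytes, shown as colon-separated uppercase hex pairs."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(pem: str, displayed: str) -> bool:
    """Compare the computed fingerprint with a value copied from a UI, ignoring
    colons, spaces and letter case so formatting differences do not raise a false alarm."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(sha1_fingerprint(pem)) == norm(displayed)
```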


  • Remote sign-in URL: fill in the OneLogin sign-in URL endpoint. This is the URL to which TalentLMS will redirect your users to sign in. You can find it in the Single Sign-on Tab of the OneLogin App configuration page.


  • Remote sign-out URL: fill in the remote sign-out URL of your IdP. This is the URL to which TalentLMS will redirect your users when they sign out. You can find it in the Single Sign-on Tab of the OneLogin App configuration page.



The rest of the fields define the names of the SAML attributes that carry the user data OneLogin provides and TalentLMS requires.

  • TargetedID: this is the username of the user account and should be a unique identifier for each user.
    Type targetedid in this field.

  • First name: the first name of the user.
    Type User.FirstName in this field. 

  • Last Name: the last name of the user.
    Type User.LastName in this field.

  • Email: the email address of the user.
    Type User.Email in this field.

  • Group: the name(s) of the group(s) the user is a member of. This SAML attribute may hold a single string value (one group name) or an array of string values (several group names). If a group with the same name exists in your TalentLMS domain, the user will be assigned to that group and will get all courses of that group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Keep in mind that with this option the user is not removed from groups to match those sent by your IdP; only assignments to new groups are performed.

    Now click on the Save button at the bottom of the page. Your configuration page should look like this:


 
  • To check your configuration, click on the Save and check your configuration button. If the above steps are performed correctly, you should see a success message and the values fetched from OneLogin for the SAML attributes defined in TalentLMS (TargetedID, First name, Last name and Email).

User Account Matching

At the time of writing of this document TalentLMS provides a passive mechanism for User Account Matching. This means that existing TalentLMS user accounts are matched against SSO user accounts based on their username (TargetedID).

User account matching is only possible when the username (TargetedID) provided by OneLogin is exactly the same as an existing TalentLMS account's username. In this case the TalentLMS user account state will remain unchanged during the SSO login process. However, first name, last name, and email will be pulled from OneLogin and will replace the existing values.

If the username (TargetedID) provided by OneLogin, for an existing TalentLMS user, is different from his/her TalentLMS username, a new account will be created with the OneLogin provided username (TargetedID). In this case there will be two different accounts for the same person.

To ensure that User Account Matching is performed successfully, you should configure the OneLogin TalentLMS App to send the same username for existing user accounts. The SAML 2.0 attribute that carries the username is the TargetedID field with value targetedid, and it can be configured to send a unique per-user value from the Single Sign-on Tab of the OneLogin App configuration page. Refer to Step 1 of this guide for further details.
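As an added illustration (not TalentLMS's or OneLogin's code) of how the attribute names from Step 2 and the matching rules in this section play out, the following Python simulates what happens to a domain's accounts on an SSO login: matching is by exact username against targetedid, first name, last name and email are overwritten, and groups are added but never removed. The AttributeStatement and account store are constructed, and the attribute name "Group" is an assumption, since the guide does not state one.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names as entered on the TalentLMS SSO page; "Group" is an assumed name.
ATTRS = {"username": "targetedid", "first": "User.FirstName",
         "last": "User.LastName", "email": "User.Email", "groups": "Group"}

# Constructed AttributeStatement, not a real OneLogin response.
SAMPLE_XML = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="targetedid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Group"><saml:AttributeValue>Sales</saml:AttributeValue>
    <saml:AttributeValue>Unknown</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def parse_attributes(xml_text):
    """Map attribute Name -> list of values (Group may carry one or many values)."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:Attribute", NS)}

def sso_login(accounts, domain_groups, xml_text, add_groups_each_login=False):
    """accounts: dict username -> account. Returns (account, was_created)."""
    attrs = parse_attributes(xml_text)
    username = attrs[ATTRS["username"]][0]
    acct = accounts.get(username)  # passive matching: exact username only, email is ignored
    created = acct is None
    if created:  # no username match -> a second account for the same person
        acct = accounts[username] = {"username": username, "groups": set(), "logins": 0}
    for key in ("first", "last", "email"):  # IdP values overwrite local profile edits
        acct[key] = attrs[ATTRS[key]][0]
    if acct["logins"] == 0 or add_groups_each_login:  # only existing domain groups; never removes
        acct["groups"] |= {g for g in attrs.get(ATTRS["groups"], []) if g in domain_groups}
    acct["logins"] += 1
    return acct, created

def run_scenarios():
    """Matched account (local username equals targetedid) versus a mismatched one."""
    matched = {"jdoe": {"username": "jdoe", "email": "old@example.com", "groups": {"HR"}, "logins": 3}}
    acct, created = sso_login(matched, {"Sales", "HR"}, SAMPLE_XML)
    out = {"matched_created": created, "email": acct["email"], "groups_default": set(acct["groups"])}
    acct, _ = sso_login(matched, {"Sales", "HR"}, SAMPLE_XML, add_groups_each_login=True)
    out["groups_forced"] = set(acct["groups"])
    mismatched = {"jane.doe": {"username": "jane.doe", "email": "jane@example.com", "groups": set(), "logins": 3}}
    _, created = sso_login(mismatched, {"Sales"}, SAMPLE_XML)  # same person, different username
    out["mismatch_created"], out["mismatch_accounts"] = created, len(mismatched)
    return out
```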

User Profile

Even though your users are allowed to change their profile (first name, last name, email and username), this is strongly discouraged. Changing first name, last name and email will affect only the current session; the next time a user signs in, those values will be pulled from OneLogin. Changing the username will result in the undesirable effect of user mismatching, since users are matched based on this value. So, you should notify your users of how SSO affects your TalentLMS domain and that they should avoid changing first name, last name, email and especially username from their profile.

If your users are authenticated only through SSO, it is good practice to disable profile updates for your users by changing the permissions of the specific user type. To disable profile updates for your learners, go to the dashboard, click on User Types → Learner-Type → Generic → Profile and make sure that "Update" and "Change password" are not checked.

Congratulations

You have now configured your TalentLMS domain to provide SSO services. Your users may login to your TalentLMS domain using the username and password stored in OneLogin.
