How to configure SSO with Okta

TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate against an external Identity Provider (such as Okta) rather than obtaining and using a separate username and password managed by TalentLMS.
 
Under the SSO setup, TalentLMS works as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.
 
The SSO SAML Integration is available in Basic, Plus and Premium subscription plans.
 
What you will need is an account in Okta, which will handle the sign-in process and will provide the authentication credentials of your users to TalentLMS. TalentLMS users authenticated through Okta are managed by Okta, and any change they make to their Okta account (namely first name, last name, and email) is synced back to their TalentLMS account. The only user data TalentLMS needs is a unique identifier for each user (Username), the user's first name, last name and email. TalentLMS does not store passwords.


Okta and TalentLMS Configuration

A complete step-by-step guide on configuring the TalentLMS App at Okta is provided by Okta to registered users. Log in to your Okta account for further details.
Have in mind that TalentLMS only supports SP-initiated SSO. In this case Okta recommends hiding the TalentLMS app and setting up a Bookmark app with the TalentLMS logo. Instructions on how to set up a Bookmark App are provided by Okta to registered users.
 

User Account Matching

 
At the time of writing, TalentLMS provides a passive mechanism for User Account Matching. This means that existing TalentLMS user accounts are matched against SSO user accounts based on their username (TargetedID).
 
User account matching is only possible when the username (TargetedID) provided by Okta is exactly the same as an existing TalentLMS account's username. In this case the TalentLMS user account state remains unchanged during the SSO login process. However, first name, last name, and email will be pulled from Okta and will replace the existing values.
 
If the username (TargetedID) provided by Okta for an existing TalentLMS user is different from their TalentLMS username, a new account will be created with the Okta-provided username (TargetedID). In this case two different accounts will exist for the same person.
 
To ensure that User Account Matching is performed successfully, you should configure the Okta TalentLMS App to send the same username for existing user accounts.
 

User Profile

Even though your users are allowed to change their profile (first name, last name, email and username), this is strongly discouraged. Changing first name, last name and email will only affect the current session; the next time a user signs in, those values will be pulled from Okta again. Changing the username will result in the undesirable effect of user mismatching, since users are matched based on this value. So, you should notify your users how SSO affects your TalentLMS domain and advise them to avoid changing first name, last name, email and especially username from their profile.

If your users are authenticated only through SSO, it is good practice to disable profile updates for your users by changing the relevant user type permissions. To disable profile updates for your learners, go to the dashboard, click on User Types→ Learner-Type→ Generic→ Profile and make sure that "Update" and "Change password" are not checked (1).

Congratulations
 
You have now configured your TalentLMS domain to provide SSO services. Your users may login to your TalentLMS domain using the username and password stored in Okta.
 
