How to configure SSO with Azure Active Directory

TalentLMS supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IdP) rather than obtaining and using a separate username and password handled by TalentLMS.

Under the SSO setup, TalentLMS can work as a Service Provider (SP) through SAML (Security Assertion Markup Language), allowing you to provide Single Sign On (SSO) services for your domain.

The SSO SAML Integration is available in Basic, Plus and Premium subscription plans.

What you will need is a valid subscription in Azure AD, which will handle the sign-in process and will eventually provide the authentication credentials of your users to TalentLMS. TalentLMS users authenticated through Azure AD are handled by Azure AD, and any change they perform on their account (namely first name, last name, and email) is synced back to their TalentLMS account. The only user data that is necessary for TalentLMS is a unique identifier for each user, the user's first name, last name and email. TalentLMS does not store passwords.

Section A. Configuring SSO for TalentLMS domains of the form http://{domain name}.talentlms.com using the TalentLMS App in Azure's App gallery

Step 1. Azure AD configuration

In the Azure Management Portal, on the left navigation pane, click on the Active Directory icon. Click on the directory title for which you want to configure SSO, then click on the Application button from the top menu. Click Add at the bottom of the page to add the TalentLMS App from Azure's App gallery. On the "What do you want to do" dialog, click on Add an application from the gallery, then type "TalentLMS" in the search box and hit enter. In the results, select the "TalentLMS" App and click Complete to add the application.

On the TalentLMS application page, click on the “Configure single sign-on”.

On the “How would you like users to sign on to TalentLMS” dialog, select “Windows Azure AD Single Sign-On”, and then click Next.

On the Configure App Settings URL dialog, in the SIGN ON URL field type the secure URL of your domain (i.e. starting with https://), and in the IDENTIFIER field type the "Entity ID" found in TalentLMS' SSO configuration page.

Then click on Show advanced settings and type in the REPLY URL field the "Assertion Consumer Service (ACS) URL" found in TalentLMS' SSO configuration page.



On the Configure single sign-on at TalentLMS dialog, write down the Identity Provider ID, Remote Login URL and Remote Logout URL values, and the Thumbprint value of the certificate.


Step 2. Enabling SAML SSO in your TalentLMS domain

Login to your TalentLMS domain as a super-admin and go to Account & Settings → Users. If your subscription plan supports SSO Integrations (currently supported in Basic, Plus and Premium plans), you can click on the Single Sign-On (SSO) link.

In this page you should fill-in information regarding your Identity Provider (Azure AD).

  • SSO integration type: Choose SAML2.0 from the drop-down list

  • Identity provider (IdP): type the Identity Provider's (IdP) URL from Azure's Configure single sign-on at TalentLMS dialog page.
    NOTE: Do not check the Azure AD checkbox when configuring the Azure's TalentLMS App from the App gallery. This option needs to be checked only when configuring a custom Azure App in order to configure SSO for custom TalentLMS domains (refer to Section B for more details).

  • Certificate fingerprint: type the certificate fingerprint from Azure's Configure single sign-on at TalentLMS dialog page.

  • Remote sign-in URL: fill-in the remote sign-in URL from Azure's Configure single sign-on at TalentLMS dialog page.

  • Remote sign-out URL: fill-in the remote sign-out URL from Azure's Configure single sign-on at TalentLMS dialog page.

The rest of the fields define the SAML attribute names under which your IdP sends the user data that TalentLMS needs. Avoid attribute names with underscores ( _ ). For example, do not configure your IdP to send First Name with the attribute "given_name"; use "givenname" instead.

  • TargetedID: this is the username of the user account and should be a unique identifier for each user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

  • First name: the first name of the user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  • Last Name: the last name of the user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  • Email: the email address of the user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Note that email is essential for TalentLMS communication, so you should make sure that all users have valid email addresses.
    Note that, depending on your Azure AD configuration, this attribute may not be sent at all. In that case use the TargetedID attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) instead, if its value is the user's email.

  • Group: the name(s) of the group(s) the user is a member of. This SAML attribute may hold a single string value (group name) or an array of string values (group names). If a group with the same name exists in your TalentLMS domain, the user will be assigned to that group and will get all courses of that specific group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Have in mind that with this option the user is not removed from groups to match those sent by your IdP; only assignments to new groups are performed.




Section B. Configuring SSO for custom TalentLMS domains by configuring a custom App in Azure AD


The TalentLMS App in Azure's App gallery only supports TalentLMS domains of the form http://{domain name}.talentlms.com. If you have configured a custom domain in your TalentLMS account, you need to configure a custom App in Azure AD.

NOTE:
Have in mind that the whole SSO authentication process is carried out over secure HTTP. So it is mandatory to map your SSL certificate to your custom TalentLMS domain before configuring SSO as described below. Contact TalentLMS support for further details on how to set up your SSL certificate for your custom TalentLMS domain.

Step 1. Azure AD configuration

In the Azure Management Portal, on the left navigation pane, click on the Active Directory icon. Click on the directory title for which you want to configure SSO, and then click on the Application button from the top menu. Click Add at the bottom of the page and then on the "What do you want to do?" dialog, click on Add an application my organization is developing.

On the next dialog type a name for your App and choose Web Application AND/OR Web API.


On the next dialog type the following:
- Sign-On URL: https://{your custom domain}
- App ID URL: http://{your custom domain}
Note that the App ID URL is defined with the plain http protocol (http://) while the Sign-On URL uses the secure http protocol (https://).

Then click the tick mark at the bottom right corner to save the application.

Go to the application listed in the directory and select the one you've just created.

Click on the View endpoints on the bottom bar.

Go to the FEDERATION META DOCUMENT URL, and copy the X509 certificate value. In the XML document you can find that value in the tag <X509Certificate> under <ds:Signature>. In order to get the SHA1 fingerprint of the certificate, go to https://www.samltool.com/fingerprint.php and paste the X509 certificate value extracted from the XML.
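The same SHA1 fingerprint can be computed locally from the federation metadata document, without pasting the certificate into a third-party page. This is an added Python example, not part of the TalentLMS article: the metadata document below is a constructed skeleton whose certificate value is base64("abc") rather than a real certificate, the entityID tenant ID is an all-zero placeholder, and the colon-separated uppercase formatting is an assumption about the form the fingerprint field expects.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the federation metadata document. The certificate value is
# NOT a real certificate: it is base64("abc"), so the expected fingerprint is the
# well-known SHA1 of "abc". A real document carries a base64 DER certificate here,
# and the entityID tenant ID below is an all-zero placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</EntityDescriptor>
"""


def extract_certificates(metadata_xml):
    """Every <ds:X509Certificate> value in the document, line breaks and spaces removed."""
    root = ET.fromstring(metadata_xml)
    return ["".join(e.text.split()) for e in root.iter(f"{{{DS_NS}}}X509Certificate") if e.text]


def sha1_fingerprint(b64_cert):
    """SHA1 over the DER bytes, rendered as colon-separated uppercase hex pairs."""
    digest = hashlib.sha1(base64.b64decode(b64_cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_from_metadata(metadata_xml):
    """One fingerprint per certificate found; if more than one comes back, compare them
    against the thumbprint Azure shows before choosing which one to enter in TalentLMS."""
    return [sha1_fingerprint(c) for c in extract_certificates(metadata_xml)]


if __name__ == "__main__":
    for fp in fingerprints_from_metadata(SAMPLE_METADATA):
        print(fp)
```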

Write down the SAML-P Sign-On Endpoint and the SAML-P Sign-Out Endpoint URLs.

Click on Configure from the top menu, and scroll down to Reply URL. Type the following value:
https://{your custom domain}/simplesaml/module.php/saml/sp/saml2-acs.php/{your custom domain}

NOTE: in case you wish to configure SSO for your branches, you can add the respective Reply URL for each branch. Just replace the {your custom domain} value with your branch's custom domain in the above URL.


Step 2. Enabling SAML SSO in your TalentLMS domain 

Login to your TalentLMS domain as a super-admin and go to Account & Settings → Users. If your subscription plan supports SSO Integrations (currently supported in Basic, Plus and Premium plans), you can click on the Single Sign-On (SSO) link.

In this page you should fill-in information regarding your Identity Provider (Azure AD).

  • SSO integration type: Choose SAML2.0 from the drop-down list

  • Identity provider (IdP): type the Identity Provider's (IdP) URL from Azure. That URL is of the form
    https://sts.windows.net/{ID}/ (the ID value is the same one found in the SAML-P Sign-On Endpoint and SAML-P Sign-Out Endpoint URLs).
    Check the Azure AD checkbox next to the Identity provider (IdP) textbox.

  • Certificate fingerprint: type the certificate fingerprint computed earlier.

  • Remote sign-in URL: fill-in the remote sign-in URL from Azure's endpoints dialog page (SAML-P Sign-On Endpoint).

  • Remote sign-out URL: fill-in the remote sign-out URL from Azure's endpoints dialog page (SAML-P Sign-Out Endpoint).

The rest of the fields define the SAML attribute names under which your IdP sends the user data that TalentLMS needs. Avoid attribute names with underscores ( _ ). For example, do not configure your IdP to send First Name with the attribute "given_name"; use "givenname" instead.

  • TargetedID: this is the username of the user account and should be a unique identifier for each user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

  • First name: the first name of the user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  • Last Name: the last name of the user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  • Email: the email address of the user.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Note that email is essential for TalentLMS communication, so you should make sure that all users have valid email addresses.

  • Group: the name(s) of the group(s) the user is a member of. This SAML attribute may hold a single string value (group name) or an array of string values (group names). If a group with the same name exists in your TalentLMS domain, the user will be assigned to that group and will get all courses of that specific group on his/her first login. The option “Add assigned groups with each login” can be selected to force group assignment on each login. Have in mind that with this option the user is not removed from groups to match those sent by your IdP; only assignments to new groups are performed.


User Account Matching

At the time of writing of this document TalentLMS provides a passive mechanism for User Account Matching. This means that existing TalentLMS user accounts are matched against SSO user accounts based on their username.

User account matching is only possible in the case where the username provided by your IdP is exactly the same as an existing TalentLMS account's username. In this case the TalentLMS user account state will remain unchanged during the SSO login process. However, first name, last name, and email will be pulled from your IdP and will replace the existing values.

If the username provided by your IdP, for an existing TalentLMS user, is different from his/her TalentLMS username, a new account will be created with the IdP provided username. In this case two different accounts will exist for the same person.

To ensure that User Account Matching is performed successfully, you should configure your IdP to send the same username for existing user accounts. The SAML 2.0 attribute name that carries the username is defined in the TargetedID field of the TalentLMS SSO configuration page.
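How the attribute names from the lists in Sections A and B, the TargetedID fallback for email, the single- or multi-valued Group attribute, and the username-based account matching just described fit together. This is an added Python example, not TalentLMS code: the assertion fragment is constructed, the group attribute name "groups" is hypothetical (the article does not fix one), and the in-memory account dictionary stands in for the TalentLMS user store.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Attribute names exactly as entered on the TalentLMS SSO page (from the article).
TARGETED_ID, FIRST, LAST, EMAIL = (CLAIMS + n for n in ("name", "givenname", "surname", "emailaddress"))
GROUP = "groups"  # hypothetical: the article does not fix a name for the group attribute

# Constructed assertion fragment: no emailaddress attribute is sent, and Group carries two values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>
  <saml:Attribute Name="{TARGETED_ID}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{FIRST}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{LAST}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{GROUP}"><saml:AttributeValue>Sales</saml:AttributeValue>
    <saml:AttributeValue>Legacy</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Name -> list of values, so single- and multi-valued attributes look alike."""
    attrs = {}
    for a in ET.fromstring(assertion_xml).iter(f"{{{SAML_NS}}}Attribute"):
        attrs[a.get("Name")] = [v.text.strip() for v in a.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]
    return attrs

def map_user(attrs):
    """Map the configured attribute names onto the fields TalentLMS keeps."""
    first = lambda n: (attrs.get(n) or [None])[0]
    username = first(TARGETED_ID)
    if not username:
        raise ValueError("TargetedID missing: the user cannot be identified")
    # Azure AD may not send emailaddress at all: fall back to TargetedID when that is an email.
    email = first(EMAIL) or (username if "@" in username else None)
    return {"username": username, "first_name": first(FIRST), "last_name": first(LAST),
            "email": email, "groups": attrs.get(GROUP, [])}

def sso_login(accounts, domain_groups, user, add_groups_each_login=False):
    """Passive matching: an exact username match refreshes the profile fields, any other
    username creates a second account. Groups are only added (and only if they exist), never removed."""
    acct = accounts.get(user["username"])
    status = "created" if acct is None else "matched"
    if acct is None:
        acct = accounts[user["username"]] = {"groups": []}
    acct.update(first_name=user["first_name"], last_name=user["last_name"], email=user["email"])
    if status == "created" or add_groups_each_login:
        for g in user["groups"]:
            if g in domain_groups and g not in acct["groups"]:
                acct["groups"].append(g)
    return status
```

Running the sample against a store that only knows the user as "jdoe" shows the duplicate-account effect the article warns about: the IdP username does not match, so a second account is created.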

User Profile

Even though your users are allowed to change their profile (first name, last name, email and username), this is strongly discouraged. Changing first name, last name and email will only affect the current session; the next time a user signs in, those values will be pulled from your IdP server. Changing the username will result in the undesirable effect of user mismatching, since users are matched based on this value. Therefore, you should notify your users about how SSO affects your TalentLMS domain and ask them to avoid changing first name, last name, email and especially username from their profile.

If your users are authenticated only through SSO, it is good practice to disable profile updates for your users by changing the specific user type permissions. To disable profile updates for your learners, go to the dashboard, click on User Types → Learner-Type → Generic → Profile and make sure that "Update" and "Change password" are not checked.

Congratulations

You have now configured your TalentLMS domain to provide SSO services. Your users may login to your TalentLMS domain using the username and password handled by the Azure Active Directory.
