Salesforce, Okta, Azure AD and other Single Sign-On Integrations with SAML 2.0


Your domain can be configured to use SAML 2.0 to authenticate users. In this scenario, Skilljar acts as a SAML Service Provider (SP), and you must supply a SAML Identity Provider (IdP). Once configured, learners will no longer see the Skilljar-provided Sign-in and Sign-up pages, but are instead redirected to the configured SAML Identity Provider for authentication.

Skilljar supports both SAML Single Sign-On and Single Logout, and either may be IdP initiated or SP initiated. Note that not all SAML Identity Providers support Single Logout (Salesforce, for example). In that case a learner who signs out on the Identity Provider, say Salesforce, may remain signed in on Skilljar until they click the "Sign Out" link in the header.

Don't want to use SAML 2.0? See the separate article on other SSO options.

Basic Setup

SSO configuration is a manual process, and you will work with your Skilljar Customer Success Manager to configure your domain.  Configuration requires providing some standard SAML IdP information to Skilljar, and configuring some SAML SP settings on your Identity Provider. Identity-provider-specific examples are included in later sections of this document.

Initial SP settings provided by Skilljar include the following:

    • SP EntityID: Typically this is the name of your Skilljar domain, e.g. http://yourdomain.skilljar.com/ (note the trailing slash is necessary here). The EntityID is an identifier, not a URL the IdP fetches; the IdP matches it as an exact string, so copy it verbatim, trailing slash included.
    • UID: This is the unique identifier of your domain. It appears in the AssertionConsumerService and SingleLogoutService URLs listed below.

IdP settings to provide to Skilljar include the following:

  • IdP certificate: PEM-encoded X.509 certificate used by the IdP to sign its assertions and responses. Skilljar verifies assertion signatures against this certificate, so when the IdP rotates its signing certificate the new certificate must be supplied to Skilljar.
  • IdP entity ID: The SAML EntityID of the IdP (the Issuer value in its responses).
  • IdP SingleSignOnService URL: The URL of the IdP SingleSignOnService endpoint. Skilljar supports the HTTP-Redirect binding for this URL.
  • IdP SingleLogoutService URL (optional): The URL of the IdP SingleLogoutService endpoint. Skilljar supports the HTTP-Redirect binding for this URL.
  • Assertion AttributeName FirstName: The Name of the assertion Attribute element that contains the user's first name.
  • Assertion AttributeName LastName: The Name of the assertion Attribute element that contains the user's last name.
  • Assertion AttributeName Email: The Name of the assertion Attribute element that contains the user's email address. If this is not supplied, Skilljar uses the assertion subject's NameID value as the user's email address.

SP settings provided by Skilljar contain the following:

  • SP EntityID: Typically this is the name of your Skilljar domain, e.g. http://yourdomain.skilljar.com/ (note the trailing slash is necessary here).
  • SP certificate: PEM-encoded X.509 certificate used by the SP.
  • AssertionConsumerService URL: URL endpoint of the AssertionConsumerService, typically of the form https://accounts.skilljar.com/auth/saml/{UID}/acs, where {UID} is the unique identifier of your domain. We require the HTTP-POST binding for this endpoint.
  • SingleLogoutService URL: URL endpoint of the SingleLogoutService, typically of the form https://accounts.skilljar.com/auth/saml/{UID}/sls, where {UID} is the unique identifier of your domain. We require the HTTP-Redirect binding for this endpoint.
  • NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. This configuration parameter tells the IdP to send the NameID in email address format, as this value will be used as the user's email address unless the IdP has provided an Assertion AttributeName Email value as indicated above.

Once your domain has been configured for SAML, you can download an XML Metadata document containing the SP settings via the Skilljar Dashboard's domain settings page.
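As an added example (not Skilljar's code and not part of the original article), the following Python script pulls exactly the IdP fields listed above out of an IdP metadata XML document, such as the one produced by Salesforce's Download Metadata button or Okta's metadata link. It runs against a constructed metadata document for a hypothetical idp.example.com; the certificate body is a base64 placeholder, not a real certificate. It keeps only the HTTP-Redirect endpoints (the binding Skilljar documents for these URLs), refuses non-HTTPS endpoints, and PEM-wraps the signing certificate.

```python
"""Pull the IdP values Skilljar asks for out of a SAML 2.0 IdP metadata document.

Added example: standard library only, run against a constructed metadata document.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body: valid base64, but NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real certificate").decode()

# Constructed sample IdP metadata for a hypothetical IdP (idp.example.com).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {FAKE_CERT_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso-post"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _redirect_endpoint(idp, element, required):
    """Location of the HTTP-Redirect endpoint for `element`; other bindings are ignored."""
    for ep in idp.findall(element, NS):
        if ep.attrib.get("Binding") == HTTP_REDIRECT:
            location = ep.attrib["Location"]
            # Sending learners to a plaintext endpoint would expose the SAML
            # request/response on the wire; refuse it outright.
            if not location.startswith("https://"):
                raise ValueError(f"{element} is not https: {location}")
            return location
    if required:
        raise ValueError(f"no HTTP-Redirect {element} in metadata")
    return None


def _signing_cert_pem(idp):
    """PEM-encode the IdP signing certificate (use="signing", or use unspecified)."""
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.attrib.get("use", "signing") != "signing":
            continue  # an encryption-only key cannot verify assertion signatures
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        b64 = "".join(cert.text.split())          # metadata wraps the base64 freely
        base64.b64decode(b64, validate=True)      # reject junk before handing it over
        body = "\n".join(textwrap.wrap(b64, 64))  # PEM uses 64-character lines
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    raise ValueError("no signing certificate in metadata")


def extract_idp_settings(metadata_xml):
    """Map an IdP metadata document to the fields in the 'IdP settings' list."""
    # For metadata you did not author, parse with defusedxml instead of
    # xml.etree so entity-expansion tricks cannot reach the parser.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor (is this SP metadata by mistake?)")
    return {
        "idp_entity_id": root.attrib["entityID"],
        "idp_sso_url": _redirect_endpoint(idp, "md:SingleSignOnService", required=True),
        "idp_slo_url": _redirect_endpoint(idp, "md:SingleLogoutService", required=False),
        "idp_certificate_pem": _signing_cert_pem(idp),
        "name_id_formats": [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)],
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

The checks are deliberately strict: an IdP whose SingleSignOnService is published only with the HTTP-POST binding does not match the HTTP-Redirect binding documented above, so the script fails rather than silently picking a different endpoint. The certificate itself is not parsed here; check its expiry separately (for example with openssl x509 -noout -enddate) before supplying it.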

Use Salesforce as a SAML IdP

Salesforce can be configured as a SAML identity provider. Use this article as a reference for getting started.

Once you have Salesforce configured properly, you will want to add your Skilljar domain as a connected app (on Salesforce, from Setup, under AppSetup click Create | Apps). Under Connected Apps, click New to create a new connected app.

Pick a Connected App Name (in this example we use yourdomain.skilljar.com).

Under Web App Settings set the following:

  • Start URL: Choose whatever URL you want your learner to start from when they click the application in Salesforce.  A good option is the root of your Skilljar domain: http://yourdomain.skilljar.com
  • Enable SAML: Check this box.
  • Entity Id: Skilljar-provided SP Entity ID - typically the name of your domain (including a trailing slash): http://yourdomain.skilljar.com/
  • ACS URL: Skilljar-provided AssertionConsumerService (from the metadata XML file): https://accounts.skilljar.com/auth/saml/12345abcdef/acs
  • Subject Type: Select Username
  • Name ID Format: Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • The rest of the fields should be left blank

Additional Details

After your connected app is created, click Manage to configure additional details and collect the IdP information to supply to Skilljar.

Provide IdP Settings to Skilljar

Under SAML Login Information, click the Download Metadata button, and provide the XML document to Skilljar. This contains the Identity Provider information that we will use to configure SAML on your domain.

Custom Attributes

At the bottom of the Salesforce Manage App page, you may set Custom Attributes to configure the user's details on Skilljar. To add an attribute, click New, and add the attribute information you would like to include. For example:

  • Attribute key: lastname
  • Attribute value: $User.LastName

Supply these attribute keys to Skilljar, and we will configure your domain to pull the user's FirstName, LastName and Email from your custom attribute values.
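As an added example (not Skilljar's code and not part of the original article), the following Python script shows how the attribute-name settings from the Basic Setup section and the Salesforce custom attributes above combine to produce a learner record: the configured attribute Names are looked up in the assertion, and, when no Email attribute name is configured, the subject NameID is used only if the IdP marked it with the emailAddress format. The assertion, the attribute keys firstname and lastname, and the learner are constructed for the example; the fail-closed choices (exactly one value per attribute, no email from a non-email NameID) are this example's, not a statement of Skilljar's behaviour.

```python
"""Resolve first name, last name and email from a SAML assertion using
Skilljar-style attribute-name settings, with the NameID fallback for email.

Added example: standard library only, run against a constructed (unsigned) assertion.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Attribute Name carrying each field. None for email means "not supplied",
# i.e. fall back to the subject NameID, as the article describes.
ATTRIBUTE_SETTINGS = {"first_name": "firstname", "last_name": "lastname", "email": None}

# Constructed sample assertion using the Salesforce-style custom attribute keys.
# Hypothetical learner and IdP; a real assertion also carries a ds:Signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _attributes(root):
    """Attribute Name -> list of string values from every AttributeStatement."""
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.attrib["Name"]] = values
    return attrs


def _single(attrs, name, field):
    """Exactly one value for a configured attribute; anything else fails closed."""
    values = attrs.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{field}: expected one '{name}' value, got {values}")
    return values[0]


def learner_from_assertion(assertion_xml, settings=ATTRIBUTE_SETTINGS):
    """Return {'first_name', 'last_name', 'email'} for the asserted subject.

    Precondition (not done here): the assertion's signature has been verified
    against the IdP certificate and its Conditions/Audience checked. Parse
    untrusted XML with defusedxml rather than xml.etree.
    """
    root = ET.fromstring(assertion_xml)
    attrs = _attributes(root)
    learner = {
        "first_name": _single(attrs, settings["first_name"], "first_name"),
        "last_name": _single(attrs, settings["last_name"], "last_name"),
    }
    if settings["email"] is not None:
        learner["email"] = _single(attrs, settings["email"], "email")
    else:
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            raise ValueError("no Email attribute configured and no NameID in subject")
        # The NameID is only an email address if the IdP says so; a persistent
        # or unspecified NameID must not be used as one.
        fmt = name_id.attrib.get("Format")
        if fmt != EMAIL_FORMAT:
            raise ValueError(f"NameID Format is not emailAddress: {fmt}")
        learner["email"] = name_id.text.strip()
    return learner


if __name__ == "__main__":
    print(learner_from_assertion(SAMPLE_ASSERTION))
```

The NameIDFormat check is the practical reason the SP settings ask the IdP for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: with any other format the subject identifier is not guaranteed to be an address, and using it as one would create accounts under whatever the IdP happened to send.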

Enabling Users

Back on the Salesforce Manage App page, you need to configure which users have access to the Skilljar app. This will depend on how you want to manage your users, and there is extensive documentation on Salesforce about Profiles and Permission Sets. One quick way for testing is to click Manage Profiles and check the boxes of the profiles that you want to allow access to the Skilljar app. Select at least System Administrator so that you can test logging in yourself.

Use Okta as a SAML IdP

In the Okta administration page, click Add Application and search for Skilljar. We will provide you with the UID and SP EntityID fields for your account.

Then click the Sign On tab in the Okta app admin page, and click the View Setup Instructions button. At the bottom of the page, provide the data listed as necessary for SP Endpoint Configuration to Skilljar. Please be sure to include the IdP metadata, by clicking the Public Link on item #4.

For more information, check Okta's guide to setting up Skilljar: http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-skilljar.html


Use Azure Active Directory as a SAML IdP

Instructions for configuring Azure AD can be found in this detailed guide:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-skilljar-tutorial/

