Configuring SAML 2.0 for Single Sign-On (SSO)

by Skilljar SSE Team

Overview

Skilljar supports SAML 2.0 as a Single Sign-On method that can be configured on your training site. In this method, Skilljar acts as the SAML Service Provider (sometimes referred to as a relying party or connected app) and relies on your SAML Identity Provider to authenticate your users. When enabled, your users no longer see the native Skilljar sign-in/sign-up pages; they are instead redirected to the configured SingleSignOnService URL.

Setup

Configuring your training site to use SAML 2.0 for Single Sign On will require working with your dedicated Implementation Manager, CSM, or Skilljar’s Product Support Team.

To get started, here's the list of Identity Provider settings that you'll need to provide to Skilljar. This information is typically included in the IdP Metadata XML file, which you can send to us.

  • IdP X.509 Certificate (the IdP's public signing certificate; Skilljar uses it to verify the signature on the SAML assertions your IdP sends. If your IdP rotates its signing certificate, the new certificate must be configured before the old one stops being used, otherwise signature verification fails and sign-in breaks)
  • IdP Entity ID (also referred to as the Issuer)
  • IdP SingleSignOnService URL (the SP Initiated Login URL)
  • IdP SingleLogoutService URL (optional URL that we'll redirect the browser to on sign-out to perform Single Logout on the IdP)
  • SAML Assertion Attribute Names (the attribute names exactly as they will appear in the SAML Assertion; the match is literal, so "email" and "Email" are different attributes)
    • First name
    • Last name
    • Email

Once your domain is configured with the settings you've provided above, you can obtain the below Service Provider settings in the SP Metadata XML file, which you can download from the Domains Settings page of the relevant domain in your Skilljar Dashboard.

[Screenshot: downloading the SP Metadata XML file from the Domain Settings page]

  • SP Entity ID (this will be your training site's URL, e.g., https://example.company.com/. Note that the trailing slash is required; your IdP must send this exact value as the Audience of the assertion)
  • SP X.509 Certificate (optional, used by the IdP to verify the signature on the SAML requests Skilljar sends)
  • AssertionConsumerService URL (your training site's unique endpoint where the IdP will send the SAML Assertion)
  • SingleLogoutService URL (optional, your training site's unique logout URL, which can be configured in your IdP to log the user out of Skilljar when Single Logout is initiated by the IdP)
  • NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (the NameID in the assertion must be the user's email address)

How it works

SAML 2.0 is an XML-based SSO standard for authentication involving two parties: the Service Provider (in this case, your Skilljar training site) and your Identity Provider. With SAML 2.0 configured on your domain, Skilljar (the Service Provider) relies on the Identity Provider to authenticate your users; on successful authentication, the Identity Provider passes a signed SAML assertion (containing the user's identity) to Skilljar, which verifies it before signing the user in. There are two ways an SSO flow can start:

Service Provider Initiated Sign On

In this scenario, the user begins the SSO flow from the Service Provider (your Skilljar training site):

  1. On sign-in, Skilljar redirects the browser to the configured SingleSignOnService URL, carrying a SAML authentication request (AuthnRequest) whose Issuer is the SP Entity ID. The user is prompted to sign in at the Identity Provider if they aren't already authenticated.
  2. On successful sign-in, the Identity Provider sends the browser back to Skilljar (specifically, the configured AssertionConsumerService URL) with a SAML response containing the assertion (the user's identity and attributes).
  3. Skilljar parses and validates the response, checking among other things that the signature verifies against the configured IdP X.509 certificate, that the Issuer matches the configured IdP Entity ID, that the Audience matches the SP Entity ID and that the assertion is within its validity window, then reads the NameID and the configured attributes and signs the user into your training site.

[Figure: SAML 2.0 SP-initiated sign-on flow]

Identity Provider Initiated Sign On

In this scenario, authenticating into the Service Provider (your Skilljar training site) begins at the Identity Provider. In this explanation, the user has already authenticated with the Identity Provider.

  1. The user typically clicks a link within your Identity Provider, which is the IdP Initiated SSO URL specific to the Service Provider. The Identity Provider generates the SAML assertion (containing the user's identity) and posts it to Skilljar (specifically, the AssertionConsumerService URL). Because no request from Skilljar preceded it, this response is not tied to an AuthnRequest (it carries no InResponseTo).
  2. Skilljar parses and validates the assertion exactly as in the SP-initiated flow and signs the user into your training site.

[Figure: SAML 2.0 IdP-initiated sign-on flow]

Troubleshooting

Troubleshooting SSO can be difficult, so understanding how it works and where in the flow things are breaking can be hugely beneficial in debugging.

Misconfigured settings are by far the most common root cause, so start by comparing the values configured on each side (IdP and SP) character for character when dealing with SSO issues.

Capturing the network requests/responses using the browser’s developer tools can also help pinpoint where in the SSO flow things are breaking.

For example, if the SAML flow errors on the initial redirect to the SingleSignOnService URL, it's likely that there's a misconfiguration with either the SP Entity ID (the IdP does not recognize the Issuer of the request) or the SingleSignOnService URL itself.

If the SSO flow breaks after the user signs in through the Identity Provider, it's likely that there's a setting misconfiguration with the AssertionConsumerService URL, the IdP Entity ID (Issuer), the Identity Provider's X.509 certificate (including an expired or rotated signing certificate), or the SAML Assertion Attribute Names (the assertion carries the attributes under different names than the ones configured). A clock that is out of sync on either side can also push the assertion's NotBefore/NotOnOrAfter window out of range, and the user may simply not have been assigned access to the Skilljar application in the Identity Provider.

These are just some things to keep in mind when troubleshooting SSO issues.
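To make these comparisons concrete, the following Python script walks the SP-initiated exchange described under How it works from the Service Provider's side: it builds the AuthnRequest redirect (step 1), decodes a captured SAMLRequest the way you would from the browser's network tab, and runs the checks an SP performs on the SAMLResponse posted to the AssertionConsumerService URL (steps 2 and 3), reporting each mismatch against the setting it points at. It is an added example and is not Skilljar's code; it says nothing about how Skilljar's own implementation is written. The ACS path, the IdP URLs, the attribute names, the clock-skew tolerance and the sample response are constructed assumptions. It deliberately omits XML signature verification, which needs an XML-DSig library such as xmlsec; a real SP must verify the signature against the IdP X.509 certificate before trusting any of the fields checked here.

```python
"""SP-initiated SAML 2.0 exchange seen from the Service Provider: build the AuthnRequest
redirect (step 1), then validate the SAMLResponse posted to the ACS URL (steps 2-3).
Added example, not Skilljar's code; values marked "hypothetical" are assumptions. Signature
verification is out of scope here (needs an XML-DSig library such as xmlsec) and MUST be
done against the IdP X.509 certificate before any field below is trusted."""
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
DEMO_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # fixed clock for the constructed sample
SP_CONFIG = {  # the settings exchanged under Setup
    "sp_entity_id": "https://example.company.com/",          # trailing slash required
    "acs_url": "https://example.company.com/auth/saml/acs",  # hypothetical path
    "idp_entity_id": "https://idp.example.org/saml",         # hypothetical
    "idp_sso_url": "https://idp.example.org/saml/sso",       # hypothetical
    "attribute_names": {"first_name": "firstName", "last_name": "lastName", "email": "email"},
    "clock_skew": timedelta(minutes=3),                      # assumed tolerance for NotBefore/NotOnOrAfter
}

def build_authn_redirect(cfg, relay_state="/", now=None):
    """Step 1: redirect to the IdP SingleSignOnService URL with an AuthnRequest in the
    HTTP-Redirect binding (raw DEFLATE -> base64 -> URL-encode). Returns (request ID, URL)."""
    req_id = "_" + uuid.uuid4().hex
    instant = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{instant}" Destination="{cfg["idp_sso_url"]}" '
           f'AssertionConsumerServiceURL="{cfg["acs_url"]}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{cfg["sp_entity_id"]}</saml:Issuer>'
           f'<samlp:NameIDPolicy Format="{EMAIL_FMT}" AllowCreate="true"/></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return req_id, f"{cfg['idp_sso_url']}?{query}"

def decode_saml_request(redirect_url):
    """Recover the AuthnRequest XML from a redirect URL captured in the browser's network tab."""
    qs = parse_qs(urlsplit(redirect_url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()

def validate_response(saml_response_b64, cfg, in_response_to=None, now=None):
    """Steps 2-3: checks the SP runs on the POSTed SAMLResponse before signing the user in.
    Returns (ok, problems, user); each problem names the setting it points at."""
    now, problems = now or datetime.now(timezone.utc), []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != cfg["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the AssertionConsumerService URL")
    if in_response_to and root.get("InResponseTo") != in_response_to:  # IdP-initiated: pass None
        problems.append("InResponseTo does not match the AuthnRequest ID this SP issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success (IdP refused, e.g. user not entitled to the app)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no plaintext Assertion (encrypted assertions not handled here)"], None
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} does not match the configured IdP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, problems + ["Assertion has no Conditions (no Audience, no validity window)"], None
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != cfg["sp_entity_id"]:
        problems.append("Audience does not match the SP Entity ID (check the trailing slash)")
    nb, noa = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00")) for k in ("NotBefore", "NotOnOrAfter"))
    if not (nb - cfg["clock_skew"] <= now < noa + cfg["clock_skew"]):
        problems.append(f"assertion valid {nb} to {noa} but SP clock says {now} (clock skew?)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append(f"NameID is missing or its Format is not {EMAIL_FMT}")
    sent = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    user = {"name_id": None if name_id is None else name_id.text}
    for field, attr in cfg["attribute_names"].items():
        if attr in sent:
            user[field] = sent[attr]
        else:
            problems.append(f"attribute {attr!r} ({field}) not in assertion; IdP sent {sorted(sent)}")
    return not problems, problems, user

def sample_response(cfg, in_response_to, issuer=None, attrs=None):
    """Constructed, unsigned IdP response for demonstration only (not captured from any IdP)."""
    issuer = issuer or cfg["idp_entity_id"]
    attrs = attrs or {"firstName": "Ada", "lastName": "Lovelace", "email": "ada@example.company.com"}
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                       f'</saml:Attribute>' for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
           f'IssueInstant="2024-01-01T12:00:00Z" Destination="{cfg["acs_url"]}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
           f'<saml:Issuer>{issuer}</saml:Issuer><saml:Subject>'
           f'<saml:NameID Format="{EMAIL_FMT}">ada@example.company.com</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">'
           f'<saml:AudienceRestriction><saml:Audience>{cfg["sp_entity_id"]}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Feeding validate_response a response with a different Issuer, differently named attributes or a stale InResponseTo yields the settings-level messages that a generic "sign-in failed" page hides, which is exactly the comparison the troubleshooting steps above ask for. Two details worth noticing: an IdP-initiated response carries no InResponseTo, so pass None for that argument in that flow, and the NotBefore/NotOnOrAfter window is checked with a small tolerance because assertions are typically valid for only a few minutes.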

Finally, we're always here to help! You can reach out to Skilljar's Product Support Team (support@skilljar.com) and we can quickly escalate your issue to our engineers. The more information you can provide, the better we can help (screenshots, test logins, a HAR file). Note that a HAR file records every request in the session, including cookies and the full SAML response, so review it and redact anything sensitive before sending it.
