Configuring SAML 2.0 for Single Sign-On (SSO)

by Skilljar SSE Team

You can use Security Assertion Markup Language 2.0 (SAML 2.0) as a single sign-on (SSO) method for your courses, which can be managed on your training site. In this article, we'll explain how to set up SAML 2.0 for SSO, as well as how it works and general troubleshooting. 

Overview

When you use SAML 2.0 as an SSO method, Skilljar acts as the SAML Service Provider (SP) and relies on your SAML Identity Provider (IdP) to authenticate your users.

When enabled, your users will no longer see the native Skilljar sign-in/sign-up pages, and will instead be redirected to the configured SingleSignOnService web address.

Setup

Setting up and managing SAML 2.0 for SSO on your training site requires working with your dedicated Implementation Manager, CSM, or Skilljar Support.

To get started, you'll need to provide the following Identity Provider settings to Skilljar. This information is typically included in the IdP Metadata XML file, which you can send to us.

Note: URL = web address

  • IdP x509 Certificate
  • IdP Entity ID (Also referred to as the Issuer)
  • IdP SingleSignOnService URL (The SP Initiated Login URL)
  • IdP SingleLogoutService URL (Optional. The IdP's SLO URL, to which we'll make a SAML logout request when the user signs out of Skilljar)
  • SAML Assertion Attribute Names (The attribute names as they will appear in the SAML Assertion)
    • First name
    • Last name
    • Email

Once your domain is configured with the settings you've provided above, you can find the SP settings in the SP Metadata XML file, which you can download from the Domains Settings page of the relevant domain in your Skilljar Dashboard.

  • SP Entity ID (This will be your training site web address, for example, https://example.company.com/. Note: the slash (/) at the end of the address is required)
  • SP x509 Certificate (Optional, used to verify the SP’s request signature)
  • AssertionConsumerService URL (Your training site's unique endpoint where the IdP will send the SAML Assertion)
  • SingleLogoutService URL (Optional. When SLO is initiated by the IdP, this is your Skilljar training site's unique logout web address; your IdP can be set up to make a GET request to it to log the user out of Skilljar.)
  • NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Note: Skilljar requires the Assertion of the Response to be signed.

How it Works

SAML 2.0 is an XML-based SSO standard for authentication involving two parties:

  • The Service Provider (in this case, your Skilljar training site)
  • Your Identity Provider.

With SAML 2.0 on your domain, Skilljar (the Service Provider) relies on the IdP to authenticate your users, and if successful, the IdP sends a SAML assertion (including the user’s identity) to Skilljar. Here are the two ways SAML 2.0 works as an SSO standard:

Service Provider Initiated Sign On

In this example, the user begins the SSO flow from the Service Provider (your Skilljar training site):

  1. On sign-in, Skilljar redirects the browser, sending a SAML request to the SingleSignOnService URL, where the user will be asked to sign in if they aren’t already authenticated.
  2. On successful sign-in, the Identity Provider will then redirect the browser back to Skilljar (specifically, the configured AssertionConsumerService URL) with a SAML assertion (including the user’s identity).
  3. Skilljar will then analyze and process the SAML Assertion and sign the user into your training site.

Identity Provider Initiated Sign-On

In this example, authenticating into the Service Provider (your Skilljar training site) begins in the Identity Provider. In this explanation, the user is already authenticated with the Identity Provider.

  1. The user will typically click on a link within your Identity Provider, which is the IdP Initiated SSO web address specific to the Service Provider. The Identity Provider generates the SAML Assertion (including the user’s identity) and sends it back to Skilljar (specifically, the AssertionConsumerService URL).
  2. Skilljar will then analyze and process the SAML Assertion and sign the user into your training site.

Troubleshooting

Troubleshooting SSO can be difficult, so understanding how it works and where things are breaking within the flow can be beneficial in debugging. These are just some things to keep in mind when troubleshooting SSO issues:

  • Misconfigurations in the settings are typically the root cause – start here when dealing with SSO issues.
  • Capturing the network requests/responses using the browser’s developer tools can also help pinpoint where in the SSO flow things are breaking.
  • For example, if the SAML flow errors on the initial redirect to the SingleSignOnService URL, it’s likely that there’s a misconfiguration with either the SP Entity ID or the SingleSignOnService URL itself. 
  • If the SSO flow breaks after the user signs in through the Identity Provider, it’s likely that there’s a setting misconfiguration with the AssertionConsumerService URL, IdP Entity ID (Issuer), Identity Provider’s x509 certificate, or possibly the user doesn’t have the right permissions to access Skilljar.
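
As an added example (not Skilljar's code), this Python check compares a SAMLResponse captured in the browser's developer tools with the settings listed in this article and reports each mismatch. The URLs, attribute names and the helpers `check_saml_response` and `sample_response` are assumptions for illustration, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CFG = {"acs_url": "https://example.company.com/acs-placeholder",  # constructed placeholders
       "idp_entity_id": "https://idp.example.com/entity",
       "sp_entity_id": "https://example.company.com/",
       "attributes": ["firstName", "lastName", "email"]}

def check_saml_response(b64_response, cfg):
    """List mismatches between a captured SAMLResponse and cfg (signature NOT verified)."""
    # Use only on responses you captured yourself; this parser is not hardened.
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["Response has no plaintext Assertion element"]
    problems = []
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination != AssertionConsumerService URL")
    if assertion.findtext("a:Issuer", "", NS).strip() != cfg["idp_entity_id"]:
        problems.append("Issuer != IdP Entity ID")
    audience = assertion.findtext(
        "a:Conditions/a:AudienceRestriction/a:Audience", "", NS).strip()
    if audience != cfg["sp_entity_id"]:
        hint = " (trailing slash?)" if audience + "/" == cfg["sp_entity_id"] else ""
        problems.append("Audience != SP Entity ID" + hint)
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    sent = {a.get("Name") for a in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    problems += [f"missing attribute {n!r}" for n in cfg["attributes"] if n not in sent]
    return problems

def sample_response(audience, signed, attrs=("firstName", "lastName", "email")):
    """Build a constructed, base64-encoded SAMLResponse for the demo."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""  # empty placeholder
    attr_xml = "".join(f'<a:Attribute Name="{n}"/>' for n in attrs)
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{CFG["acs_url"]}">'
           f'<a:Assertion><a:Issuer>{CFG["idp_entity_id"]}</a:Issuer>{sig}<a:Subject>'
           f'<a:NameID Format="{EMAIL_FORMAT}">user@example.com</a:NameID></a:Subject>'
           f'<a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
           f'</a:AudienceRestriction></a:Conditions><a:AttributeStatement>{attr_xml}'
           '</a:AttributeStatement></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()
```

For a real capture, pass the base64 `SAMLResponse` form field from the POST to the AssertionConsumerService URL (URL-decode it first if you copied it from the raw request body). A captured response contains the user's identity, so handle it like any other sensitive log.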

Salesforce Integration

You can also manage various SAML 2.0 for SSO settings for your Salesforce integration, such as changing the session inactivity timeout period. For more information, please see the Salesforce help center article.

 

Need Support? 

If you have issues or questions about Skilljar and your training site, please don't hesitate to reach out to Skilljar Support. The more information you can provide to us, the better we can help, so please send us screenshots, test logins, HAR files and anything you feel will help.
