Skilljar supports the OAuth 2.0 protocol for SSO, and can be configured on your training site. In this method, Skilljar acts as the client and relies on your OAuth 2.0 authorization provider to authenticate your users, specifically following OAuth 2.0's authorization code flow.
When enabled, your users will no longer see the native Skilljar sign-in pages, and will instead be redirected to your authorization provider to authenticate.
|Note: There can only be one SSO configuration per domain. If you require more SSO configurations, please reach out to our Customer Success team who can coordinate with you on different options.
Configuring your training site to use OAuth 2.0 for SSO will require working with our Customer Success team or Skilljar Support.
- Note: This can take anywhere from 45 minutes to two hours, depending on your organization's IDP configuration. This does not include potential troubleshooting.
To get started, you'll need to provide the following settings to Skilljar:
- client ID (ID uniquely configured for your training site)
- client secret (Password used to make the access token request)
- authorization URL (Endpoint which we'll redirect the browser to make the authorization request)
- access token URL (Endpoint which we'll use to make the access token request)
- scope (List of parameters that Skilljar will send in the authorization code request, which specifies the information we're trying to access)
- UserInfo URL (Endpoint that Skilljar will use to request the user’s information)
- UserInfo parameters
- ID parameter (Name of the parameter in the UserInfo response which contains the user’s unique external ID)
- first name parameter (Name of the parameter in the UserInfo response which contains the user’s first name)
- last name parameter (Name of the parameter in the UserInfo response which contains the user’s last name)
- email parameter (Name of the parameter in the UserInfo response which contains the user’s email address)
- groups parameter (Optional parameter containing a JSON list of student groups the user will belong to)
Here are the settings that Skilljar will provide to you to complete the setup within your provider:
- authorized redirect URL (Skilljar's callback URL, which your authorization server redirects back to)
- authorized origin URL (Optional depending on your provider's settings, this is the endpoint from which Skilljar will redirect the browser to your authorization URL)
Note: Depending on your provider, you may first need the authorized redirect URL (Skilljar's callback URL) in order to provision the client ID and secret.
How it works
Skilljar supports OAuth 2.0’s authorization code flow. At a high level, here’s how that works as it pertains to SSO:
- On sign-in, we’ll redirect the browser to your authorization URL, requesting an authorization code -- and if they aren't already, prompts the user to sign in
- Your authorization server will then redirect the browser back to Skilljar with a response containing the requested authorization code
- Skilljar will then make a request for your access token URL, exchanging the code obtained in Step 2 for an access token
- Your authorization server will then return an access token to Skilljar
- Skilljar then makes a request to your UserInfo URL with the access token obtained in Step 4
- Your server will then return the user’s information in JSON format
Troubleshooting SSO can be difficult, so understanding how it works and where in the flow things are breaking can be hugely beneficial in debugging:
- Misconfigurations are typically the root cause and are the first thing you should check when dealing with SSO issues.
- Capturing the network requests/responses using the browser’s developer tools can also help pinpoint where in the SSO flow things are breaking.
- Since a lot of the OAuth SSO flow happens server side, reviewing your server logs will also be helpful.
- For example, if the OAuth flow errors out on the initial redirect from Skilljar, the client ID configured for Skilljar may be inaccurate.
- Additionally, if the error that surfaces indicates that “there is no email associated with the account...”, it means that the response we received from the User Data request is empty or contains an error.
These are just a few things to keep in mind when troubleshooting SSO issues. Finally, we’re always here to help! You can reach out to Skilljar Support and we can quickly escalate your issue up to our engineers. Additionally, the more information you can provide to us, the better we can help (screenshots, test logins, HAR file).