Your Skilljar training domain can be configured to use OAuth 2.0 to authenticate users for Single Sign-On (SSO). In this scenario, Skilljar acts as the Relying Party, and you must supply an OAuth 2.0 Provider for authentication and authorization.
Don't want to use OAuth 2.0? Go here to see other SSO options!
Single Sign-On configuration is a manual process, and you will work with your Skilljar account manager to configure your domain. Configuration requires providing some standard OAuth 2.0 Provider information to Skilljar, and configuring some settings on your Provider.
What we need from you:
These are the OAuth 2.0 settings you need to provide to Skilljar.
- Client ID: Skilljar's client ID with your Provider.
- Client Secret: Skilljar's client secret with your Provider.
- Authorization URL: Your Provider's authorization endpoint (front-end).
- Access Token URL: Your Provider's access token endpoint (back-end).
- Scope: Space-separated list of scope parameters that Skilljar will send in the authorization request. One example, for retrieving user data from Google, would be "profile email", which means Skilljar would be given authorization to access user data protected by the "profile" and "email" scopes.
- User Data URL: Your Provider's user data endpoint (back-end).
- User Data ID Parameter: Name of the parameter in the user data response which contains the user's ID in your Provider system.
- User Data First Name Parameter: Name of the parameter in the user data response which contains the user's first name.
- User Data Last Name Parameter: Name of the parameter in the user data response which contains the user's last name.
- User Data Email Parameter: Name of the parameter in the user data response which contains the user's email address.
What we'll give you:
These are the OAuth 2.0 settings that Skilljar will provide to you.
- Authorized Origin URL: The URL from which Skilljar will redirect the User to your Provider's authorization endpoint.
- Authorized Redirect URL: The URL to which your Provider will redirect the User upon authorization.
Ensure your redirect URLs are missing a trailing slash.
How it works
Skilljar uses the OAuth 2.0 web server flow, which uses the "authorization code" OAuth 2.0 grant type. This is also known as the three-legged flow, where there is a consumer (Skilljar), a resource owner (the User), and a service provider (your Provider). Here is the basic workflow:
- In the browser: A User lands on a Skilljar-hosted domain owned by your organization, configured for OAuth 2.0 SSO.
- Skilljar redirects the User to your Provider's authorization endpoint, from the authorized origin, with the configured scope.
- The User logs in on your authorization endpoint.
- (Optional) Your Provider may return an OAuth 2.0 consent screen to the User.
- (Optional) On the consent screen, the User approves Skilljar for the permissions tied to the configured scope.
- Your Provider redirects the User to Skilljar's authorized redirect URL with an authorization code.
- Outside of the browser: Skilljar requests an access token from your Provider's access token endpoint.
- Outside of the browser: Your Provider responds with an access token.
- Outside of the browser: Skilljar requests user data from your Provider's user data endpoint, with the access token.
- Outside of the browser: Your Provider responds with a JSON payload containing the User's first name, last name, and email.
- Back in the browser: Skilljar redirects the User to your Skilljar-hosted domain.
If you'd like to learn more about using OAuth 2.0, you can go here to find more information on retrieving data, such as user data, from Google APIs using the OAuth 2.0 web server flow.