Configuring OAuth 2.0 for Single Sign-On (SSO)


Your Skilljar training domain can be configured to use OAuth 2.0 to authenticate users for Single Sign-On (SSO). In this scenario, Skilljar acts as the Relying Party (the OAuth 2.0 client), and you must supply an OAuth 2.0 Provider (the authorization server) that Skilljar sends users to for login.

Don't want to use OAuth 2.0? Skilljar also supports other SSO options.

Basic Setup

Single Sign-On configuration is a manual process, and you will work with your Skilljar account manager to configure your domain. Configuration requires providing some standard OAuth 2.0 Provider information to Skilljar, and configuring some settings on your Provider.


OAuth 2.0 settings to provide to Skilljar include the following.

  • Client ID: Skilljar's client ID with your Provider.
  • Client Secret: Skilljar's client secret with your Provider.
  • Authorization URL: Your Provider's authorization endpoint (front-end).
  • Access Token URL: Your Provider's access token endpoint (back-end).
  • Scope: Space-separated list of scope parameters that Skilljar will send in the authorization request. One example, for retrieving user data from Google, would be "profile email", which means Skilljar would be given authorization to access user data protected by the "profile" and "email" scopes.
  • User Data URL: Your Provider's user data endpoint (back-end).
  • User Data ID Parameter: Name of the parameter in the user data response which contains the user's ID in your Provider system.
  • User Data First Name Parameter: Name of the parameter in the user data response which contains the user's first name.
  • User Data Last Name Parameter: Name of the parameter in the user data response which contains the user's last name.
  • User Data Email Parameter: Name of the parameter in the user data response which contains the user's email address.
  • (Optional) User Data Groups Parameter: Name of the parameter in the user data response which contains a JSON list of StudentGroup names for the user (see Creating Groups below).

Settings provided by Skilljar include the following:

  • Authorized Origin URL: The URL from which Skilljar will redirect the User to your Provider's authorization endpoint.
  • Authorized Redirect URL: The URL to which your Provider will redirect the User upon authorization.

Ensure the redirect URL you register with your Provider has no trailing slash. Providers compare the redirect URI exactly against the registered value, so a trailing slash or any other difference will cause the authorization request to be rejected.


How it works

Skilljar uses the OAuth 2.0 web server flow, which uses the "authorization code" OAuth 2.0 grant type. This is also known as the three-legged flow, because three parties take part: a consumer (Skilljar, the OAuth 2.0 client), a resource owner (the end user), and a service provider (your Provider, the authorization server).

Here is the basic workflow:

  1. In the browser: A user lands on a Skilljar-hosted domain owned by your organization, configured for OAuth 2.0.
  2. Skilljar redirects the user to your provider's authorization endpoint, from the authorized origin, with the configured scope.
  3. The user authorizes by logging in.
  4. (Optional) Your provider may return an OAuth 2.0 consent screen to the User.
  5. (Optional) On the consent screen, the user approves Skilljar for the permissions tied to the configured scope.
  6. Your provider redirects the user to Skilljar's authorized redirect URL with an authorization code.
  7. Outside of the browser: Skilljar requests an access token from your provider's access token endpoint.
  8. Outside of the browser: Your provider responds with an access token.
  9. Outside of the browser: Skilljar requests user data from your provider's user data endpoint, with the access token.
  10. Outside of the browser: Your Provider responds with a JSON payload containing the user's first name, last name, and email. The response may also include other custom attributes. 
  11. In the browser: Skilljar redirects the user to your Skilljar-hosted domain.
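The eleven steps above, carried out end to end from the Relying Party's side, as an added example that is not Skilljar's own code. The settings in CONFIG are hypothetical placeholders (example.com hosts, a made-up client ID and secret) standing in for the values you would exchange with your account manager, and FakeProvider is a constructed in-memory stand-in for your Provider so the flow runs offline. Two checks that the step list leaves implicit are shown explicitly: the relying party binds the login to an unguessable state value and rejects a callback whose state does not match (the standard CSRF defence for this flow), and the token request repeats the exact redirect_uri from step 2, which is why a trailing-slash mismatch breaks the exchange.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical settings; the keys mirror the "Basic Setup" list above.
CONFIG = {
    "client_id": "skilljar-example-client",
    "client_secret": "example-secret-not-a-real-one",
    "authorization_url": "https://idp.example.com/oauth2/authorize",
    "access_token_url": "https://idp.example.com/oauth2/token",
    "scope": "profile email",
    "user_data_url": "https://idp.example.com/oauth2/userinfo",
    "redirect_url": "https://training.example.com/auth/oauth2/callback",  # no trailing slash
}

def build_authorization_url(config, state):
    """Step 2: the front-end redirect. state is an unguessable per-login nonce."""
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_url"],
        "scope": config["scope"],
        "state": state,
    }
    return config["authorization_url"] + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 6: validate the redirect back to the relying party and extract the code."""
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed login")
    if "error" in qs:
        raise ValueError("provider returned error: " + qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def exchange_code(config, code, http_post):
    """Steps 7-8: back-end POST of the code plus client credentials for an access token."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": config["redirect_url"],  # must match the value sent in step 2
        "client_id": config["client_id"],
        "client_secret": config["client_secret"],
    }
    resp = http_post(config["access_token_url"], form)
    if "access_token" not in resp:
        raise ValueError("token endpoint refused the code: " + resp.get("error", "unknown"))
    return resp["access_token"]

def fetch_user_data(config, access_token, http_get):
    """Steps 9-10: back-end GET of the user data endpoint with the bearer token."""
    return http_get(config["user_data_url"], {"Authorization": "Bearer " + access_token})

class FakeProvider:
    """Constructed stand-in for the authorization server so the flow runs offline."""
    def __init__(self, config):
        self.config = config
        self.codes = {}      # code -> redirect_uri it was issued for (single use)
        self.tokens = set()

    def authorize(self, auth_url):
        # Browser leg (steps 3-6): user logs in; provider redirects back with a code.
        qs = parse_qs(urlsplit(auth_url).query)
        if qs.get("response_type") != ["code"] or qs.get("client_id") != [self.config["client_id"]]:
            raise ValueError("provider rejected authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = qs["redirect_uri"][0]
        return qs["redirect_uri"][0] + "?" + urlencode({"code": code, "state": qs["state"][0]})

    def post(self, url, form):
        if url != self.config["access_token_url"] or form.get("client_secret") != self.config["client_secret"]:
            return {"error": "invalid_client"}
        issued_for = self.codes.pop(form.get("code"), None)   # pop: a code is good once
        if issued_for is None or issued_for != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.tokens.add(token)
        return {"access_token": token, "token_type": "Bearer"}

    def get(self, url, headers):
        token = headers.get("Authorization", "")[len("Bearer "):]
        if url != self.config["user_data_url"] or token not in self.tokens:
            return {"error": "invalid_token"}
        return {"sub": "u-1001", "given_name": "Person", "family_name": "Surname",
                "email": "person_surname@companya.com"}

def run_login(config, provider):
    """Whole flow from the relying party's point of view; returns the user data payload."""
    state = secrets.token_urlsafe(16)
    callback_url = provider.authorize(build_authorization_url(config, state))
    code = parse_callback(callback_url, state)
    token = exchange_code(config, code, provider.post)
    return fetch_user_data(config, token, provider.get)
```

Calling run_login(CONFIG, FakeProvider(CONFIG)) returns the user data payload from step 10. Note that steps 7 to 10 never pass through the browser: the client secret and the access token travel only between Skilljar's back end and your Provider, which is what makes the authorization code grant suitable for a server-side relying party.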


Sending Custom Attributes & Sign-up Fields

Send Skilljar custom user information by creating sign-up fields in Skilljar and including the values in the user data response, for example:

{"email": "person_surname@companya.com", "first_name": "Person", "last_name": "Surname", "custom_attribute_company": "Company A"}

where the key "custom_attribute_company" maps to the sign-up field label in Skilljar.


Creating Groups

Create groups automatically within Skilljar by including a groups attribute in the user data response and setting the User Data Groups Parameter to that attribute's name. The attribute must contain a JSON list of StudentGroup names for the user. For example, with the Groups Parameter set to "skilljar_groups":

{"email": "person_surname@companya.com", "first_name": "Person", "last_name": "Surname", "custom_attribute_company": "Company A", "skilljar_groups": ["group1", "group2", "group3"]}

Based on the example above, Skilljar will create three groups named "group1", "group2" and "group3" and add the user to those groups when they log in.
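How a relying party turns the user data response into the fields described in the two sections above (the required identity fields, custom sign-up fields, and the optional groups list), as an added example that is not Skilljar's own code. FIELD_MAP and SIGNUP_FIELDS are hypothetical values for the User Data ... Parameter settings and for one sign-up field mapping; SAMPLE_RESPONSE is a constructed payload based on the Creating Groups example. The example goes slightly beyond the text in the edge cases it handles: a groups value delivered as a JSON string rather than a JSON list, duplicate or blank group names, and a response missing one of the required parameters. The case-insensitive email match is an assumption for the example, not documented Skilljar behaviour.

```python
import json

# Hypothetical values for the "User Data ... Parameter" settings: each names the key
# in the Provider's user data response that holds that field.
FIELD_MAP = {
    "id": "user_id",
    "first_name": "first_name",
    "last_name": "last_name",
    "email": "email",
    "groups": "skilljar_groups",  # the optional User Data Groups Parameter
}
# Hypothetical sign-up field mapping: response key -> Skilljar sign-up field label.
SIGNUP_FIELDS = {"custom_attribute_company": "Company"}

def parse_groups(value):
    """Accept a JSON list of group names, or that list serialised as a JSON string."""
    if value is None:
        return []
    if isinstance(value, str):
        value = json.loads(value)
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        raise ValueError("groups parameter must be a JSON list of strings")
    groups = []
    for name in value:
        name = name.strip()
        if name and name not in groups:   # drop blanks and duplicates, keep order
            groups.append(name)
    return groups

def map_user(payload, field_map=FIELD_MAP, signup_fields=SIGNUP_FIELDS):
    """Turn the Provider's user data response into the fields a login needs."""
    user = {}
    for field in ("id", "first_name", "last_name", "email"):
        key = field_map[field]
        value = payload.get(key)
        if value is None or str(value).strip() == "":
            raise ValueError(f"user data response lacks required parameter {key!r} ({field})")
        user[field] = str(value).strip()
    if "@" not in user["email"]:
        raise ValueError("email parameter is not an address: " + user["email"])
    user["email"] = user["email"].lower()   # assumption: accounts are matched case-insensitively
    # Custom attributes land in the sign-up fields they are mapped to; unmapped keys are ignored.
    user["signup_fields"] = {label: payload[key] for key, label in signup_fields.items() if key in payload}
    user["groups"] = parse_groups(payload.get(field_map.get("groups", "")))
    return user

# Constructed sample response, modelled on the Creating Groups example above.
SAMPLE_RESPONSE = {
    "user_id": "u-1001",
    "email": "Person_Surname@companya.com",
    "first_name": "Person",
    "last_name": "Surname",
    "custom_attribute_company": "Company A",
    "skilljar_groups": ["group1", "group2", "group3", "group2"],
}
```

map_user(SAMPLE_RESPONSE) yields the three distinct groups "group1", "group2" and "group3", the "Company" sign-up field set to "Company A", and the normalised email address; a payload with no email parameter raises rather than creating an account with no identity.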


Pro Tip

If you'd like to learn more about OAuth 2.0, Google's documentation on using OAuth 2.0 for web server applications walks through retrieving data, such as user data, from Google APIs using the same web server flow described above.
