Configuring OAuth 2.0 for Single Sign-On (SSO)

by Skilljar SSE Team

Overview

Skilljar supports OAuth 2.0 as a Single Sign-On method that can be configured on your training site. In this method, Skilljar acts as the OAuth 2.0 client and relies on your OAuth 2.0 authorization server to authenticate your users, using the authorization code flow. When enabled, your users no longer see the native Skilljar sign-in/sign-up pages and are instead redirected to the configured Authorization URL.

Setup

Configuring your training site to use OAuth 2.0 for Single Sign-On requires working with your dedicated Implementation Manager, Customer Success Manager, or Skilljar’s Product Support Team.

To get started, here’s the list of OAuth 2.0 settings you’ll need to provide to Skilljar:

  • Client ID (Identifier uniquely configured for your training site)
  • Client Secret (Credential Skilljar uses to authenticate the access token request; treat it like a password)
  • Authorization URL (Endpoint to which Skilljar redirects the browser for your users to sign in; the redirect carries the initial authorization code request)
  • Access Token URL (Endpoint that Skilljar uses to make the access token request)
  • Scope (Space-separated list of scope values that Skilljar sends in the authorization code request)
  • User Data URL (Endpoint that Skilljar uses, with the access token, to request the user’s information)
  • User’s Parameters
    • ID Parameter (Name of the parameter in the User Data response which contains the user’s external ID)
    • First Name Parameter (Name of the parameter in the User Data response which contains the user’s first name)
    • Last Name Parameter (Name of the parameter in the User Data response which contains the user’s last name)
    • Email Parameter (Name of the parameter in the User Data response which contains the user’s email)
    • Groups Parameter (Optional parameter containing a JSON list of student groups the user will belong to)

Here are the settings that Skilljar will provide to you to complete the setup within your IdP interface:

  • Authorized Redirect URL (The callback endpoint to which your authorization server redirects the browser with the authorization code; the access token itself is never sent through the browser in this flow)
  • Authorized Origin URL (Optional depending on your provider’s settings; this is the training site origin from which Skilljar redirects the browser to your Authorization URL)

Note: Depending on your provider, you may need the Authorized Redirect URL first in order to create the client ID and secret, since many providers require the redirect URL to be registered at the time the client is created.


How it works

Skilljar uses the OAuth 2.0 authorization code flow. At a high level, here’s how that works as it pertains to SSO:

  1. On sign-in, Skilljar redirects the browser to your Authorization URL, requesting an authorization code and prompting the user to sign in
  2. Your authorization server redirects the browser back to Skilljar’s Authorized Redirect URL with a response containing the code requested in step 1
  3. Skilljar makes a server-side request to your Access Token URL, exchanging the code received in step 2 for an access token
  4. Your authorization server returns an access token to Skilljar
  5. Skilljar uses that access token to make a server-side request to your User Data URL
  6. Your server returns the user’s information in JSON format

[Figure: OAuth 2.0 SSO flow diagram]
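The six steps above, as an added example that is not part of Skilljar’s documentation or product code: a Python model of the exchange with both sides in one process. The client functions perform steps 1, 3 and 5 and an in-memory stand-in for your authorization server performs steps 2, 4 and 6. All URLs, the client credentials, the parameter names and the user record are constructed assumptions. Beyond what the text states, it shows the checks a client performs along the way: a state value that binds the callback to the login attempt that started it, single-use authorization codes bound to the redirect URI at the token endpoint, and the empty-email case from the Troubleshooting section.

```python
"""Added example, not Skilljar's code: a model of the authorization code flow
with both sides in one process. URLs, parameter names and the user record are
constructed assumptions."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Settings the customer supplies to Skilljar (constructed sample values)
SETTINGS = {
    "client_id": "skilljar-training-site",
    "client_secret": "example-client-secret",
    "authorization_url": "https://idp.example.com/oauth2/authorize",
    "access_token_url": "https://idp.example.com/oauth2/token",
    "scope": "openid profile email",
    "user_data_url": "https://idp.example.com/oauth2/userinfo",
    # "User's Parameters": key names expected in the User Data JSON response
    "id_param": "sub", "first_name_param": "given_name",
    "last_name_param": "family_name", "email_param": "email", "groups_param": "groups",
}
# Setting Skilljar supplies to the customer (constructed)
REDIRECT_URI = "https://training.example.com/auth/oauth2/callback"


class FakeAuthServer:
    """Constructed stand-in for the customer's IdP: one user, one-time codes, bearer tokens."""

    def __init__(self):
        self.codes = {}   # authorization code -> redirect_uri it was issued for
        self.tokens = {}  # access token -> user record
        self.user = {"sub": "u-1001", "given_name": "Ada", "family_name": "Lovelace",
                     "email": "ada@example.com", "groups": ["engineering", "admins"]}

    def authorize(self, url):
        """Steps 1-2: user signs in; redirect back to the client with a code, echoing state."""
        q = parse_qs(urlsplit(url).query)
        if q.get("response_type") != ["code"] or q.get("client_id") != [SETTINGS["client_id"]]:
            return q["redirect_uri"][0] + "?" + urlencode(
                {"error": "unauthorized_client", "state": q["state"][0]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["redirect_uri"][0]
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):
        """Steps 3-4: exchange a code for an access token (server to server)."""
        if form.get("client_id") != SETTINGS["client_id"] or form.get("client_secret") != SETTINGS["client_secret"]:
            return {"error": "invalid_client"}
        issued_for = self.codes.pop(form.get("code"), None)  # codes are single-use
        if issued_for is None or issued_for != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = self.user
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, authorization_header):
        """Steps 5-6: return the user's JSON for a valid bearer token."""
        scheme, _, tok = authorization_header.partition(" ")
        if scheme != "Bearer" or tok not in self.tokens:
            return {"error": "invalid_token"}
        return dict(self.tokens[tok])


def build_authorization_url(state):
    """Step 1: the URL the client redirects the browser to."""
    return SETTINGS["authorization_url"] + "?" + urlencode({
        "response_type": "code", "client_id": SETTINGS["client_id"],
        "redirect_uri": REDIRECT_URI, "scope": SETTINGS["scope"], "state": state})


def handle_callback(callback_url, expected_state, idp):
    """Steps 2-6 on the client: verify state, exchange the code, fetch and map user data."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in q:
        raise ValueError("authorization server returned error: " + q["error"][0])
    tok = idp.token({"grant_type": "authorization_code", "code": q["code"][0],
                     "redirect_uri": REDIRECT_URI, "client_id": SETTINGS["client_id"],
                     "client_secret": SETTINGS["client_secret"]})
    if "access_token" not in tok:
        raise ValueError("access token request failed: " + tok.get("error", "unknown"))
    data = idp.userinfo("Bearer " + tok["access_token"])
    email = data.get(SETTINGS["email_param"])
    if not email:  # the case behind "there is no email associated with the account"
        raise ValueError("User Data response has no usable email; check the Email Parameter name")
    return {"external_id": data.get(SETTINGS["id_param"]),
            "first_name": data.get(SETTINGS["first_name_param"]),
            "last_name": data.get(SETTINGS["last_name_param"]),
            "email": email, "groups": data.get(SETTINGS["groups_param"], [])}


def run_sso_login(idp=None):
    """Drive one sign-in end to end and return the mapped student record."""
    idp = idp or FakeAuthServer()
    state = secrets.token_urlsafe(16)              # bound to the browser session in practice
    callback = idp.authorize(build_authorization_url(state))  # the browser round trip
    return handle_callback(callback, state, idp)


if __name__ == "__main__":
    print(json.dumps(run_sso_login(), indent=2))
```

Only the code and the state travel through the browser; the client secret and access token stay on the server-to-server leg, which is why the Authorized Redirect URL receives a code rather than a token.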

Troubleshooting

Troubleshooting SSO can be difficult, so understanding how the flow works and where in it things are breaking is hugely beneficial when debugging.

Misconfigurations are typically the root cause and are the first thing you should check when dealing with SSO issues.

Capturing the network requests/responses using the browser’s developer tools can also help pinpoint where in the SSO flow things are breaking.

Since much of the OAuth SSO flow happens server side (the access token and User Data requests never pass through the browser), reviewing your server logs will also be helpful.
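One way to act on the advice above about capturing network traffic, as an added example that is not Skilljar tooling: a Python script that reads a HAR export from the browser’s developer tools and labels each request with the step of the authorization code flow it belongs to, flags a callback whose state does not match the one sent, and notes when no callback was seen at all. The HAR content, hostnames and paths are constructed for illustration. Because steps 3 to 6 run server to server, they never appear in a browser capture: a HAR that ends with a callback carrying a code means the break is in the access token or User Data request, which is where your server logs take over.

```python
"""Added example, not Skilljar tooling: label each entry of a browser HAR
capture with the OAuth 2.0 authorization code flow step it belongs to.
The capture, hostnames and paths below are constructed for illustration."""
import json
from urllib.parse import parse_qs, urlsplit

AUTHZ = ("https://idp.example.com/oauth2/authorize?response_type=code"
         "&client_id=skilljar-training-site"
         "&redirect_uri=https%3A%2F%2Ftraining.example.com%2Fauth%2Foauth2%2Fcallback"
         "&scope=openid+email&state=abc123")
CALLBACK = ("https://training.example.com/auth/oauth2/callback"
            "?error=invalid_scope&error_description=unknown+scope&state=abc123")

# Constructed HAR: the IdP rejects the requested scope and bounces back with an error.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://training.example.com/auth/login/"},
     "response": {"status": 302, "headers": [{"name": "Location", "value": AUTHZ}]}},
    {"request": {"method": "GET", "url": AUTHZ},
     "response": {"status": 302, "headers": [{"name": "Location", "value": CALLBACK}]}},
    {"request": {"method": "GET", "url": CALLBACK},
     "response": {"status": 200, "headers": []}},
]}})


def classify(entry):
    """Label one HAR entry by the flow step its URL, query or redirect implies."""
    q = parse_qs(urlsplit(entry["request"]["url"]).query)
    location = next((h["value"] for h in entry["response"].get("headers", [])
                     if h["name"].lower() == "location"), "")
    if q.get("response_type") == ["code"]:
        return "step 1: authorization code request to the Authorization URL"
    if "code" in q and "state" in q:
        return "step 2: callback with authorization code"
    if "error" in q:
        detail = q.get("error_description", [""])[0]
        return "step 2: callback with ERROR %s%s" % (q["error"][0], " (%s)" % detail if detail else "")
    if "response_type=code" in location:
        return "redirect to the Authorization URL"
    return "other"


def triage(har_text):
    """Return (rows, notes): one (status, method, label) row per entry, plus
    findings that need more than one entry to see (missing callback, state mismatch)."""
    entries = json.loads(har_text)["log"]["entries"]
    rows, notes, sent_state = [], [], None
    for e in entries:
        q = parse_qs(urlsplit(e["request"]["url"]).query)
        label = classify(e)
        if label.startswith("step 1"):
            sent_state = q.get("state", [None])[0]
        if label.startswith("step 2") and sent_state is not None \
                and q.get("state", [None])[0] != sent_state:
            notes.append("state in callback differs from state sent in step 1")
        rows.append((e["response"]["status"], e["request"]["method"], label))
    if not any(r[2].startswith("step 2") for r in rows):
        notes.append("no callback seen: the flow broke at or before the IdP sign-in page")
    return rows, notes


def first_failure(har_text):
    """Return the label of the first entry carrying an OAuth error or an HTTP 4xx/5xx."""
    for status, _, label in triage(har_text)[0]:
        if "ERROR" in label or status >= 400:
            return label
    return None


if __name__ == "__main__":
    rows, notes = triage(SAMPLE_HAR)
    for status, method, label in rows:
        print(status, method, label)
    for n in notes:
        print("note:", n)
```

Run it against a real export by replacing SAMPLE_HAR with the file contents; an OAuth error surfaces in the callback query string, so it is visible here even when the page the user sees only says that sign-in failed.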

For example, if the OAuth flow errors out on the initial redirect from Skilljar to your Authorization URL, the client ID configured for Skilljar may be inaccurate, or the Authorized Redirect URL registered with your provider may not exactly match the one Skilljar sends; authorization servers reject the request at this step in both cases.

Additionally, if the error that surfaces indicates that “there is no email associated with the account...”, it means that the response Skilljar received from the User Data request is empty, contains an error, or does not include a value under the configured Email Parameter name. Check that the Email Parameter matches the key in your User Data JSON exactly.

These are just a few things to keep in mind when troubleshooting SSO issues. Finally, we’re always here to help! You can reach out to Skilljar's Product Support Team (support@skilljar.com) and we can quickly escalate your issue to our engineers. The more information you can provide (screenshots, test logins, a HAR file), the better we can help.
