Before you continue: If you are using Okta, Auth0, OneLogin, Azure, or any Identity Service with an existing Skilljar app for your Identity Provider (IdP), do not use the Skilljar app provided in your Identity Service. Those Skilljar apps are purpose-built for Skilljar training domains (not the dashboard). The Skilljar app will not work for Dashboard SSO. Instead, set up the SSO connection with a custom app.
Overview
Skilljar supports SAML 2.0 as an SSO method that can be configured on your Skilljar Dashboard. In this method, Skilljar acts as the SAML Service Provider and will rely on your SAML Identity Provider (IdP) to authenticate your dashboard users.
Note: Your dashboard users who have been invited via SSO must log in via their IdP and can’t set their own password to bypass the SSO login. If dashboard users have access to multiple Skilljar organizations, they must re-authenticate when they switch to your organization that is set up with SSO.
When this is enabled, you will have the option to invite new Dashboard users and set them to authenticate through this SSO configuration. This is reviewed in Managing and Adding Dashboard Users.
Note: At this time, Skilljar only supports SAML 2.0 as the authentication type for Dashboard SSO.
Setup
Configuring your Skilljar Dashboard to use SAML 2.0 for Single Sign-On will require working with our Customer Success team or Skilljar Support.
To get started, here’s a list of the Identity Provider settings you’ll need to provide to Skilljar. This information is typically included in the IdP Metadata XML file which you can send to us.
- IdP x509 Certificate
- IdP Entity ID (Also referred to as the Issuer)
- IdP SingleSignOnService URL (The SP Initiated Login URL)
- IdP SingleLogoutService URL (Optional URL that we’ll redirect the browser to on sign-out to perform Single Logout on the IdP)
- SAML Assertion Attribute Names (The attribute names as they will appear in the SAML Assertion)
- First name
- Last name
Once we’ve configured your Skilljar Dashboard with the settings above, we’ll send you the Service Provider Metadata XML file, which contains the settings needed to complete the setup on your end:
- SP Entity ID (Unique to your Skilljar Dashboard’s SSO configuration)
- SP x509 Certificate (Optional, used to verify the SP’s request signature)
- AssertionConsumerService URL (Your Skilljar Dashboard’s unique endpoint where the IdP will send the SAML Assertion)
- NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
We will also provide you with an SSO-specific login URL, which is where you go to log in to the Skilljar dashboard (e.g., https://dashboard.skilljar.com/login/yourcompany/).
Note: Skilljar requires the Assertion of the Response to be signed.
How it Works
SAML 2.0 is an XML-based SSO standard for authentication involving two parties: the Service Provider (in this case, your Skilljar Dashboard) and your Identity Provider. With SAML 2.0 configured on your Skilljar Dashboard, your admins will have the option of either signing in through your SSO provider or through the Skilljar Dashboard’s native sign-in page.
Here are the two ways SAML 2.0 works as an SSO standard:
Service Provider Initiated Sign On
In this scenario, your admin begins the SSO flow from the Service Provider (your Skilljar Dashboard).
- On sign in, Skilljar redirects the browser, sending a SAML request to the configured SingleSignOnService URL, where the user will be prompted to sign in if they aren’t already authenticated.
- On successful sign in, the Identity Provider will then redirect a SAML Assertion (containing the user’s identity) back to Skilljar (specifically, the configured AssertionConsumerService URL).
- Skilljar will then parse and process the SAML Assertion and sign the user into your Skilljar Dashboard.
Identity Provider Initiated Sign-on
In this scenario, authenticating into the Service Provider (your Skilljar Dashboard) begins in the Identity Provider. In this explanation, the admin is already authenticated with your Identity Provider.
- The admin will typically click on a link within your Identity Provider, which is the IdP Initiated SSO URL specific to the Service Provider. The Identity Provider generates the SAML Assertion (containing the user’s identity) and sends it back to Skilljar (specifically, the AssertionConsumerService URL).
- Skilljar will then parse and process the SAML Assertion and sign the user into your Skilljar Dashboard.
Troubleshooting
Troubleshooting SSO can be difficult, so understanding how it works and where in the flow things are breaking can be hugely beneficial in debugging.
Misconfigurations are typically the root cause – start here when troubleshooting SSO issues and errors:
- Capturing the network requests/responses using the browser’s developer tools can help pinpoint where in the SSO flow things are breaking.
- For example, if the SAML flow errors on the initial redirect to the SingleSignOnService URL, it’s likely that there’s a misconfiguration with either the SP Entity ID or the SingleSignOnService URL itself.
- If the SSO flow breaks after the user signs in through the Identity Provider, it’s likely that there’s a setting misconfiguration with the AssertionConsumerService URL, IdP Entity ID (Issuer), Identity Provider’s x509 certificate, or possibly the user doesn’t have the right permissions to access Skilljar.
These are just some things to keep in mind when troubleshooting SSO issues.
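When the flow breaks after the Identity Provider sign-in, the SAML Response captured in the browser's developer tools can be checked against the configuration before escalating. The following is an added example, not Skilljar's code: it runs the structural checks this article calls out (Issuer vs. IdP Entity ID, Destination vs. AssertionConsumerService URL, a signed Assertion, the emailAddress NameID format, and the first/last name attribute names) over a constructed Response that is deliberately missing its Assertion signature. The configuration values and endpoints are placeholders, and the check does not validate the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical values from one dashboard's SSO configuration (placeholders, not real endpoints).
CONFIG = {"idp_entity_id": "https://idp.example.com/saml",
          "acs_url": "https://dashboard.example.invalid/saml/acs",
          "attributes": ["firstName", "lastName"]}

# Constructed Response with one deliberate fault: the Assertion carries no ds:Signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://dashboard.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def preflight_check(response_xml: str, config: dict) -> list:
    """Structural checks only (no signature validation): return a list of mismatches."""
    findings = []
    resp = ET.fromstring(response_xml)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response has no plain Assertion (encrypted assertions are not handled here)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_entity_id"]:
        findings.append(f"Assertion Issuer {issuer!r} does not match the configured IdP Entity ID")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed (Skilljar requires a signed Assertion)")
    dest = resp.get("Destination")
    if dest is not None and dest != config["acs_url"]:
        findings.append(f"Destination {dest!r} does not match the AssertionConsumerService URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID is missing or its Format is not emailAddress")
    present = {a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)}
    for name in config["attributes"]:
        if name not in present:
            findings.append(f"Assertion has no attribute named {name!r} for first/last name")
    return findings
```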
Finally, we’re always here to help! You can reach out to Skilljar Support and we can quickly escalate your issue to our engineers. Additionally, the more information you can provide to us, the better we can help (screenshots, test logins, a HAR file).
Other Notes
If a dashboard user attempts to log in with a username and password and only has access to an SSO-enabled dashboard organization, they will encounter this error: "This Account is setup for SSO authentication. Please login via SSO to access the dashboard."
The user must sign in using their sign-in URL (see above).