Configuring SAML 2.0 Single Sign-On (SSO) for the Skilljar Dashboard

by Skilljar SSE Team

Overview

Skilljar supports SAML 2.0 as a Single Sign-On (SSO) method that can be configured on your Skilljar Dashboard. In this method, Skilljar acts as the SAML Service Provider (sometimes referred to as a relying party or connected app) and relies on your SAML Identity Provider (IdP) to authenticate your dashboard users. When enabled, your dashboard users can sign into the Skilljar Dashboard either through the Skilljar Dashboard's native sign-in page or through your configured SingleSignOnService URL.

NOTE: At this time, Skilljar only supports SAML 2.0 as the authentication type for Dashboard access.

Setup

Configuring your Skilljar Dashboard to use SAML 2.0 for Single Sign On will require working with your dedicated Implementation Manager, CSM, or Skilljar’s Product Support Team.

To get started, here’s a list of the Identity Provider settings you’ll need to provide to Skilljar. This information is typically included in the IdP Metadata XML file which you can send to us.

  • IdP x509 Certificate (used by Skilljar to verify the signature on the SAML Assertion)
  • IdP Entity ID (also referred to as the Issuer)
  • IdP SingleSignOnService URL (the SP-initiated login URL)
  • IdP SingleLogoutService URL (optional URL that we'll redirect the browser to on sign-out to perform Single Logout on the IdP)
  • SAML Assertion Attribute Names (the attribute names as they will appear in the SAML Assertion)
    • First name
    • Last name
    • Email

Once we’ve configured your Skilljar Dashboard with the settings above, we’ll send you the Service Provider Metadata XML file which will contain the necessary configurations to complete the setup on your end.

  • SP Entity ID (Unique to your Skilljar Dashboard’s SSO configuration)
  • SP x509 Certificate (Optional, used to verify the SP’s request signature)
  • AssertionConsumerService URL (Your Skilljar Dashboard’s unique endpoint where the IdP will send the SAML Assertion)
  • NameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


How it works

SAML 2.0 is an XML-based SSO standard for authentication involving two parties: the Service Provider (in this case, your Skilljar Dashboard) and your Identity Provider. With SAML 2.0 configured on your Skilljar Dashboard, your admins will have the option of either signing in through your SSO provider or through the Skilljar Dashboard’s native sign-in page.

dashboard_sign_in_page.png

SAML 2.0 defines two ways to start the sign-on flow:

Service Provider Initiated Sign On

In this scenario, your admin begins the SSO flow from the Service Provider (your Skilljar Dashboard).

  1. On sign in, Skilljar redirects the browser, carrying a SAML AuthnRequest, to the configured SingleSignOnService URL, where the user is prompted to sign in if they aren't already authenticated.
  2. On successful sign in, the Identity Provider sends a SAML Response containing the SAML Assertion (the user's identity) back through the browser to Skilljar (specifically, the configured AssertionConsumerService URL).
  3. Skilljar parses and validates the SAML Assertion (including checking its signature against the IdP x509 certificate) and signs the user into your Skilljar Dashboard.
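The first step above is the one you can see directly in the browser's developer tools: a redirect to the SingleSignOnService URL carrying a SAMLRequest query parameter. The following is an added example (not Skilljar's own code) that builds such an AuthnRequest, encodes it with the SAML HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and decodes a captured redirect URL back into the values you need to compare against your configuration. The entity IDs and URLs are placeholders standing in for the values in your SP and IdP metadata files.

```python
"""SP-initiated sign-on, step 1: the redirect that carries the AuthnRequest.

Added example, not Skilljar's own code. The entity IDs and URLs below are
made-up placeholders standing in for the values in your metadata files.
"""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed placeholder values (not real Skilljar or IdP endpoints).
SP_ENTITY_ID = "https://dashboard.example.com/saml/sp"
ACS_URL = "https://dashboard.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        request_id=None, issue_instant=None):
    """Return the AuthnRequest XML the SP sends to start SP-initiated SSO."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,                  # where the browser is sent
        "AssertionConsumerServiceURL": acs_url,      # where the IdP must reply
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id   # the SP Entity ID
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": EMAIL_FORMAT, "AllowCreate": "false"})
    return ET.tostring(root, encoding="unicode")


def redirect_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Reverse the binding, which is what you do with a SAMLRequest captured in dev tools."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": root.find(f"{{{SAMLP}}}NameIDPolicy").get("Format"),
    }


def check_request(url, sso_url, sp_entity_id, acs_url):
    """List mismatches between a captured redirect and the configured values."""
    sent_to = url.split("?", 1)[0]
    req = decode_saml_request(url)
    problems = []
    if sent_to != sso_url:
        problems.append(f"browser sent to {sent_to}, not the SingleSignOnService URL {sso_url}")
    if req["destination"] != sent_to:
        problems.append(f"Destination {req['destination']} does not match the URL it was sent to")
    if req["issuer"] != sp_entity_id:
        problems.append(f"Issuer {req['issuer']} is not the SP Entity ID {sp_entity_id}")
    if req["acs_url"] != acs_url:
        problems.append(f"AssertionConsumerServiceURL {req['acs_url']} is not the ACS URL {acs_url}")
    return problems


if __name__ == "__main__":
    url = redirect_url(IDP_SSO_URL, build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL), "/")
    print(url)
    print(decode_saml_request(url))
    print(check_request(url, IDP_SSO_URL, SP_ENTITY_ID, ACS_URL))
```

To use this on a real capture, paste the full redirect URL from the Network tab into `decode_saml_request` and compare the Issuer and AssertionConsumerServiceURL with the SP Entity ID and ACS URL in the SP metadata file Skilljar sent you; an IdP that rejects the request at this step is usually rejecting one of those two values.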

SAML_2.0__SP_Initiated_SignOn__1___1_.png

Identity Provider Initiated Sign On

In this scenario, authentication into the Service Provider (your Skilljar Dashboard) begins at the Identity Provider. In this explanation, the admin is already authenticated with your Identity Provider.

  1. The admin typically clicks a link within your Identity Provider, which is the IdP-initiated SSO URL specific to the Service Provider. The Identity Provider generates the SAML Assertion (containing the user's identity) and sends it to Skilljar (specifically, the AssertionConsumerService URL). Because Skilljar sent no AuthnRequest in this flow, the Response is unsolicited and is not tied to a prior request.
  2. Skilljar then parses and validates the SAML Assertion and signs the user into your Skilljar Dashboard.

SAML_2.0__IdP_Initiated_SignOn__1___1_.png

Troubleshooting

Troubleshooting SSO can be difficult, so understanding how it works and where in the flow things are breaking can be hugely beneficial in debugging.

Misconfigurations are typically the root cause – start here when troubleshooting SSO issues and errors.

Capturing the network requests/responses using the browser’s developer tools can also help pinpoint where in the SSO flow things are breaking.

For example, if the SAML flow errors on the initial redirect to the SingleSignOnService URL, it’s likely that there’s a misconfiguration with either the SP Entity ID or the SingleSignOnService URL itself.

If the SSO flow breaks after the user signs in through the Identity Provider, it's likely that there's a misconfiguration of the AssertionConsumerService URL, the IdP Entity ID (Issuer), or the Identity Provider's x509 certificate (for example, the IdP rotated its signing certificate and Skilljar still has the old one), or the user doesn't have the right permissions to access Skilljar.
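Most of the post-sign-in failures above are visible in the SAML Response itself, which you can copy from the POST to the AssertionConsumerService URL in the browser's developer tools. The following is an added example (not Skilljar's code) that extracts the four IdP values from the Setup section out of a constructed IdP metadata file and then reports the mismatches named above between a captured Response and your configured values. It does not verify the XML signature (the Service Provider does that using the IdP x509 certificate); it only surfaces the configuration disagreements that cause the SP to reject the Assertion. The attribute names, URLs, entity IDs and certificate text are assumed placeholders.

```python
"""Diagnose a SAML Response captured in dev tools against the IdP metadata.

Added example, not Skilljar's code. It extracts the IdP values the Setup
section lists from a constructed metadata file and reports the mismatches
the Troubleshooting section names. It does not verify the XML signature;
the SP (Skilljar) does that with the IdP x509 certificate. Attribute names,
URLs, entity IDs and the certificate text are assumed placeholders.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("firstName", "lastName", "email")      # assumed attribute names
SP_ENTITY_ID = "https://dashboard.example.com/saml/sp"    # placeholder
ACS_URL = "https://dashboard.example.com/saml/acs"        # placeholder

# Constructed IdP metadata; a real X509Certificate element holds a base64 DER cert.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIC...placeholder...
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.com/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.com/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull out the four IdP values the Setup section asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # First signing certificate; an IdP rotating keys may publish more than one.
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "slo_url": None if slo is None else slo.get("Location"),
            "certificate": "".join(cert.text.split())}


def make_response(issuer, destination, audience, attrs, not_on_or_after="2099-01-01T00:00:00Z"):
    """Constructed, unsigned Response in the base64 form the IdP POSTs to the ACS URL."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                       f'</saml:AttributeValue></saml:Attribute>' for n, v in attrs.items())
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
 <saml:Issuer>{issuer}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{attrs.get('email', '')}</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="{not_on_or_after}">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_response(response_b64, idp, sp_entity_id, acs_url, now=None):
    """Return human-readable mismatches; an empty list means nothing obvious is wrong."""
    problems = []
    root = ET.fromstring(base64.b64decode(response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        problems.append(f"IdP returned status {status}")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')} is not the ACS URL {acs_url}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (encrypted or missing)"]
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer} is not the IdP Entity ID {idp['entity_id']}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience} is not the SP Entity ID {sp_entity_id}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    expiry = assertion.find("saml:Conditions", NS).get("NotOnOrAfter")
    now = now or datetime.now(timezone.utc)
    if datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
        problems.append(f"assertion expired at {expiry} (check IdP/SP clock skew)")
    names = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for required in REQUIRED_ATTRS:
        if required not in names:
            problems.append(f"attribute {required!r} missing; assertion carries {sorted(names)}")
    return problems
```

Run `parse_idp_metadata` on your real IdP metadata XML and `check_response` on the base64 SAMLResponse form field from the captured POST; a wrong Issuer, Audience or Destination points at the Entity ID or ACS URL settings, a missing attribute name points at the attribute mapping, and an expired NotOnOrAfter on a fresh login points at clock skew. A certificate mismatch shows up as a signature failure on Skilljar's side rather than here, so compare the certificate string this returns with the one you sent Skilljar when the IdP has rotated keys.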

These are just some things to keep in mind when troubleshooting SSO issues.

Finally, we’re always here to help! You can reach out to Skilljar's Product Support Team (support@skilljar.com) and we can quickly escalate your issue up to our engineers. Additionally, the more information you can provide to us, the better we can help (screenshots, test logins, HAR file).
