Configuring OpenID Connect for Single Sign-On (SSO)

by Skilljar SSE Team

Overview

Skilljar supports the OpenID Connect (OIDC) standard for SSO, which can be configured on your training site. In this method, Skilljar acts as the OIDC Relying Party (RP) and relies on your OIDC Provider (OP) to authenticate your users, specifically following the authorization code flow.

When enabled, your users will no longer see the native Skilljar sign-in pages, and will instead be redirected to your OP to authenticate.


Setup

Configuring your training site to use OpenID Connect for Single Sign-on will require working with your dedicated Implementation Manager, Customer Success Manager, or Skilljar Support.

To get started, you’ll need to provide the following required settings to Skilljar:

  • client ID (ID uniquely configured for your training site)
  • client secret (Password used to make the token request)
  • authorization URL (Endpoint which we'll redirect the browser to in order to make the authorization request)
  • token URL (Endpoint which we'll use to make the ID token request)

Optional: Skilljar also supports RP-initiated logout. If you'd like to configure that on your domain as well, please provide the following settings to Skilljar:

  • logout URL (Endpoint which we'll redirect the browser to in order to make the logout request after clearing the login session in Skilljar)
  • post logout redirect URL (Endpoint where you want the browser to redirect to after clearing the login session in the OP -- this URL may need to be first whitelisted in your OP)

Skilljar will provide you with the authorization redirect URL which is your domain's unique callback URL. 

Note: Skilljar does not support OIDC discovery or dynamic registration.


How it works

OIDC is an identity layer built on top of the OAuth 2.0 framework and uses standard JSON Web Tokens (JWTs) to pass identity from an OP to a connected application. Skilljar's implementation supports the authorization code flow. At a high level, here’s how it works:

  1. On sign-in, we’ll redirect the browser to your OP Authorization URL, requesting an authorization code — prompting the user to sign in if they don't already have an active login session
  2. Your OP will then redirect the browser back to Skilljar with a response containing the requested auth code
  3. Skilljar then makes a request to the OP token endpoint, exchanging the code obtained in step #2 for an id_token
  4. The OP sends Skilljar the id_token, which is a JWT that contains information about the authentication and the user
  5. Skilljar validates the id_token and parses it for the user's information (Note: email address is a required claim, as that is the unique identifier within Skilljar).
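The five steps above, modelled end to end from the Relying Party side, as an added example that is not Skilljar's code. The settings (client ID, client secret, authorization URL, token URL, redirect URI and issuer) are constructed values, the OP's responses are stand-ins built inline so the flow runs offline, and the id_token is signed with HS256 keyed on the client secret purely to keep the example self-contained; an OP that signs with RS256 must instead be verified against its published signing keys using a vetted JWT library. The validation in step 5 shows the checks a practitioner expects: state on the callback, signature, issuer, audience, expiry, nonce, and the required email claim.

```python
"""Minimal model of the OIDC authorization code flow from the Relying Party (RP) side."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical settings: the four values the page says the RP needs,
# plus the RP's own callback and the issuer string the OP places in id_token.iss.
CLIENT_ID = "training-site-client"
CLIENT_SECRET = "constructed-shared-secret"
AUTHORIZATION_URL = "https://op.example.com/authorize"
TOKEN_URL = "https://op.example.com/token"
REDIRECT_URI = "https://training.example.com/auth/oidc/callback"
ISSUER = "https://op.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(session: dict) -> str:
    """Step 1: the redirect to the OP. state ties the later callback to this browser
    session; nonce ties the id_token to this specific authorization request."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": session["state"], "nonce": session["nonce"]}
    return f"{AUTHORIZATION_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, session: dict) -> str:
    """Step 2: the OP redirects back. Surface OP error responses and reject any
    callback whose state does not match the one stored for this session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"OP returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: callback is not for this session")
    return query["code"][0]


def token_request_body(code: str) -> dict:
    """Step 3: the form body the RP POSTs server-to-server to TOKEN_URL."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}


def validate_id_token(id_token: str, session: dict, now=None) -> dict:
    """Step 5: verify signature, issuer, audience, expiry and nonce, then require
    the email claim. HS256 with the client secret is used here only so the example
    runs offline; verify RS256-signed tokens against the OP's JWKS in practice."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch")
    if not claims.get("email"):
        raise ValueError("email claim missing; it is the required user identifier")
    return claims


def mint_id_token(claims: dict) -> str:
    """Constructed stand-in for the OP's step 4 response (not a real OP)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Walks steps 1-5 against the constructed OP and returns the validated claims."""
    session = {}
    build_authorization_request(session)
    # Constructed: the OP's redirect back to the RP callback carrying code and state.
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'constructed-auth-code', 'state': session['state']})}"
    code = parse_callback(callback, session)
    token_request_body(code)  # would be POSTed to TOKEN_URL over TLS
    id_token = mint_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": now,
                              "exp": now + 300, "nonce": session["nonce"], "email": "learner@example.com"})
    return validate_id_token(id_token, session, now=now)


if __name__ == "__main__":
    print(run_flow())
```

Every rejection path raises before any user information is trusted; the state and nonce checks are what tie the browser-visible legs (steps 1 and 2) to the server-side exchange (steps 3 to 5), so a callback replayed into a different session fails even when the OP's token is otherwise valid.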

[Figure: OIDC.png, diagram of the authorization code flow between the browser, Skilljar (RP), and your OP]

To learn more about this protocol, you can check out the core OIDC specification, OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html).


Troubleshooting

Troubleshooting SSO can be difficult, so understanding how it works and where in the flow things are breaking can be hugely beneficial in debugging:

  • Misconfigurations are typically the root cause and are the first thing you should check when dealing with SSO issues.
  • Capturing the network requests/responses using the browser’s developer tools can also help pinpoint where in the SSO flow things are breaking.
  • Since half of the OIDC flow happens server side (the token request in steps 3 and 4 is made from Skilljar directly to your OP and never passes through the browser), reviewing your server logs will also be helpful.
  • For example, if the OIDC flow errors out on the initial redirect from Skilljar, it’s possible that the client ID configured for Skilljar is inaccurate.
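One way to apply the second and third bullets, as an added example that is not part of the original article: a small tracer that reads a browser HAR export and reports how far the browser-visible part of the flow got. The HAR entries below are constructed, and AUTHORIZATION_URL and CALLBACK_URL are hypothetical values standing in for the ones configured for a site. Because the token request never passes through the browser, a trace that ends at "callback_with_code" while sign-in still fails points at the server-side exchange, and that is where server logs take over.

```python
"""Report the last OIDC stage visible in a browser HAR export (constructed sample data)."""
import json
from urllib.parse import parse_qs, urlparse

# Hypothetical endpoints; substitute the values configured for your training site.
AUTHORIZATION_URL = "https://op.example.com/authorize"
CALLBACK_URL = "https://training.example.com/auth/oidc/callback"


def trace_oidc_flow(har: dict) -> dict:
    """Walk the HAR entries in order and return the furthest stage reached plus
    the details worth checking against the configured settings. The token
    request (RP to OP, server side) is not in a HAR by design."""
    result = {"stage": "not_started"}
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        base = url.split("?", 1)[0]
        query = parse_qs(urlparse(url).query)
        status = entry["response"]["status"]
        if base == AUTHORIZATION_URL:
            # Step 1: compare these against the client ID / callback given to the OP.
            result = {"stage": "authorization_request",
                      "client_id": query.get("client_id", [None])[0],
                      "redirect_uri": query.get("redirect_uri", [None])[0]}
            if status >= 400:
                # OP refused the request outright, e.g. an unknown client ID.
                result["stage"] = "authorization_rejected"
                result["status"] = status
        elif base == CALLBACK_URL:
            # Step 2: the OP either sent a code or an error back to the RP.
            if "error" in query:
                result = {"stage": "callback_error", "error": query["error"][0],
                          "error_description": query.get("error_description", [None])[0]}
            elif "code" in query:
                result = {"stage": "callback_with_code", "state": query.get("state", [None])[0],
                          "callback_status": status}
    return result


def _entry(url: str, status: int) -> dict:
    """Builds the minimal HAR entry shape this tracer reads (constructed helper)."""
    return {"request": {"url": url}, "response": {"status": status}}


# Constructed HAR captures for three outcomes of a sign-in attempt.
HAR_OK = {"log": {"entries": [
    _entry("https://training.example.com/auth/login/", 302),
    _entry(AUTHORIZATION_URL + "?response_type=code&client_id=training-site-client"
           "&redirect_uri=https%3A%2F%2Ftraining.example.com%2Fauth%2Foidc%2Fcallback&state=abc", 302),
    _entry(CALLBACK_URL + "?code=constructed-auth-code&state=abc", 302),
]}}
HAR_BAD_CLIENT = {"log": {"entries": [
    _entry("https://training.example.com/auth/login/", 302),
    _entry(AUTHORIZATION_URL + "?response_type=code&client_id=trainnig-site-client&state=abc", 400),
]}}
HAR_OP_ERROR = {"log": {"entries": [
    _entry(AUTHORIZATION_URL + "?response_type=code&client_id=training-site-client&state=abc", 302),
    _entry(CALLBACK_URL + "?error=access_denied&error_description=User+not+assigned&state=abc", 302),
]}}


def load_har(path: str) -> dict:
    """Read a HAR file saved from the browser's developer tools."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for name, har in (("ok", HAR_OK), ("bad_client", HAR_BAD_CLIENT), ("op_error", HAR_OP_ERROR)):
        print(name, trace_oidc_flow(har))
```

Running it on a real export (`trace_oidc_flow(load_har("signin.har"))`) gives the same three shapes: an "authorization_rejected" or "callback_error" result is an OP-side problem with the settings or the user's assignment, while "callback_with_code" followed by a failed login means the break is in the server-side token exchange or id_token validation.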

These are just a few things to keep in mind when troubleshooting SSO issues. Finally, we’re always here to help! You can reach out to Skilljar Support and we can escalate your issue up to our engineers. Additionally, the more information you can provide to us, the better we can help (screenshots, test logins, a HAR file).
