The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.
This article discusses Incoming SAML 2.0 SSO for clients using Okta and presents a somewhat abridged and focused version of our full Incoming SAML 2.0 Single Sign-On article. For the purposes of this article the Absorb system will act as the Service provider (SP). Your Okta instance will act as the Identity Provider (IdP).
Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.
Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Okta is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your particular Okta instance. This guide is provided to our clients as a convenience only, based on our past experience working with clients who employ Okta.
Note: There is an 'AbsorbLMS' app listed on the Okta Integration Network. This app may work for SSO setup, however is not an official Absorb application and is not directly supported by Absorb.
The first half of configuring this integration will take place in Okta. In SAML terminology, what you will be doing here is configuring Okta (your SAML Identity Provider or “SAML IdP”), with the details of Absorb (the new SAML Service Provider or “SAML SP”).
- Log in to your Okta organization as a user with administrative privileges.
- Click on the blue "Admin" button.
- In the Search box, search for “AbsorbLMS”.
- The search results should show a preconfigured Absorb app. Click on the white “Add” button to add “AbsorbLMS”.
- In Step 1 “General Settings”, enter the ACS url from Absorb’s metadata in the “ACS Url” field. eg. https://company.myabsorb.com/account/saml with company.myabsorb.com replaced with your Portal URL.
- In Step 2 “Assign to People”, select the people you’d like to give access to Absorb. We usually recommend giving access only to a limited list of users at first for testing purposes. You can then go back and open up access to everyone after setup & testing has been completed.
- You will be prompted to “Enter user-specific attributes”. Just click the green “Done” button to keep the defaults.
- Click on “Applications” in the menu:
- Click on “AbsorbLMS” link:
- Click on the “Sign On” tab:
- Okta always sends the Okta Username in the assertion subject. By default, a User’s profile Username is mapped to the Okta Username. This would mean that the User's profile Username will correspond to whatever ID value (unique identifier in Absorb) is chosen in the Absorb Setup section.
If you’d like to change the field being mapped to Okta Username (and by extension the Absorb 'ID' value), click the “Edit” button, choose a different Application username format, and then click “Save”. Note, if you do change the field being mapped to Okta Username, you’ll also need to delete and read the People on the People tab, like in Step 6.
- In IDP initiated mode, if you’d like to configure a static deeplink into Absorb, you can do so by clicking the “Edit” button, setting Default Relay State, and then clicking the “Save” button. You can also dynamically deeplink into Absorb in SP Initiated mode. More about deeplinking is explained in the Deeplinking and RelayState section of our main SAML SSO article.
- Click on the “View Setup Instructions” button.
The details shown on this page will be used to configure SAML in Absorb. The x.509 Certificate in Text Format, Login URL and Logout URL (if applicable) will be used in this configuration.
Login to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.
Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one.
Click Add and fill in the fields as shown below.
- The 'Name' representing the SSO Integration.
- The 'Mode' can be Identity Provider Initiated or Service Provider initiated. SP initiated is sometimes preferred since deep links are a little easier to formulate.
- The ‘Key’ field should contain the full x509 certificate (in text format) from step 13.
- The ‘Id Property‘ should match whatever value was chosen in step 11 - usually this is Email or Username.
- The ‘Login URL’ should be the Login URL from step 13.
- The 'Logout URL' can be whatever you like – this is the URL users will be directed to after logged out of Absorb. The Logout URL from step 13 can be used here if you wish.
- Set Automatically Redirect as desired.
- The 'Assigned Routes' that this SSO Integration pertains to.