The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.
This article discusses Incoming SAML 2.0 SSO for clients using OneLogin and presents a somewhat abridged and focused version of our full Incoming SAML 2.0 Single Sign-On article. For the purposes of this article the Absorb system will act as the Service provider (SP). Your OneLogin instance will act as the Identity Provider (IdP).
Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.
Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although OneLogin is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your particular OneLogin instance. This guide is provided to our clients as a convenience only, based on our past experience working with clients who employ OneLogin.
The first half of configuration will take place in the OneLogin admin portal.
- Log in to OneLogin and go to Apps > Add Apps.
- Search for Absorb LMS. Select the "SAML2.0" version.
- On the initial Configuration tab, click Save to add the app to your Company Apps and display additional configuration tabs.
- On the Configuration tab, enter the following into the SAML Consumer URL field (replace company.myabsorb.com with your portal URL). This value tells OneLogin where to send the SAML message in Absorb.
https://clientname.myabsorb.com/Account/SAML (legacy interface) or https://clientname.myabsorb.com/api/rest/v2/authentication/saml (current interface)
- On the Parameters tab, map Absorb user attributes to OneLogin attributes.
- On the Access tab, assign the OneLogin roles that should have access to Absorb and provide any app security policy that you want to apply to Absorb.
You can also go to Users > All Users to add the app to individual user accounts, and return to this app configuration page to complete SSO configuration.
- Click Save.
- On the SSO tab, copy the following SAML values that you'll need to configure in Absorb (you may find it useful to open the Absorb admin portal in a separate tab at this point, and copy/paste the values in based on the Absorb Setup section further down in this article).
• 509 Certificate: This value will be added to the Key field in Absorb setup. To copy the X.509 certificate, click View Details. Then, click the Copy to Clipboard icon for the X.509 Certificate.
If you want to use a different certificate, go back to the SSO tab, click Change, select the new certificate, and follow the above instructions. Alternatively, you can create an entirely new X.509 certificate for selection by going to Settings > Certificates and clicking New.
• SAML 2.0 Endpoint: This URL value will be added to the Login URL field in Absorb setup.
Note that you can also grab these values from the IdP metadata, the URL for which is available under the Issuer URL field.
Login to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.
Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one.
Click Add and fill in the fields as shown below.
- The ‘Key’ field should contain the x509 certificate that you copied in Step 8. Ensure that nothing but the certificate value is included, removing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" as well as any line breaks or spaces.
- The ‘Id Property‘ should match whatever Absorb parameter was mapped in Step 5 – usual email address.
- The ‘Login URL’ should be the 'SAML 2.0 Endpoint' value from Step 8.
- The 'Logout URL' can be whatever you like – this is the URL users will be directed to after logged out of Absorb (can also be left blank which just redirects to Absorb login page).
- Set Automatically Redirect as desired.
- Verify that your Absorb user has the same email address as your OneLogin account, or create a test user that does.
- Make sure you are logged out of Absorb.
- Give yourself or your test user access to the Absorb app in OneLogin.
- Log in to OneLogin.
- Click the Absorb icon on your OneLogin dashboard.
If you are able to access Absorb, then your configuration is correct.