Incoming SAML 2.0 Single Sign-On With Auth0

Introduction

The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords. 

This article discusses configuration of SSO using Auth0. For the purposes of this article, the Absorb system will act as the Service Provider (SP). Your Auth0 account will act as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution. 

Disclaimer 

Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature; however, we do not officially support any specific client-side (IdP) solution. Although Auth0 is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your Auth0 instance. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ Auth0.


Part 1: Creating a Client 

See https://auth0.com/docs/clients for more information on creating a client.

1. Navigate to the Applications page and click Create Application.
2. Select Regular Web Applications.


Part 2: Review the Client Settings

1. Token Endpoint Authentication Method: Post
2. Allowed Callback URLs: This is the URL where your Absorb LMS is hosted, e.g. https://companyname.myabsorb.com OR https://some.custom.url
3. Allowed Logout URLs: This is the URL users will be redirected to when they log out (requires some additional setup, covered later in this guide).
4. Scroll to the bottom of the application's page and click on "Show Advanced Settings".
5. In the expanded window, click on "Certificates" to bring up the Certificates section. Click on the "DOWNLOAD CERTIFICATE" button. In the pop-up which appears, select the CER certificate format. Save the downloaded file.
6. Click on Endpoints to bring up the Endpoints section.
7. Copy the contents of the "SAML Protocol URL" field. You will need to provide this to Absorb.
8. Scroll up to the top of the page and click on the "Addons" link. Click the box labeled "SAML2 WEB APP".
9. In the "Application Callback URL" field, enter the URL to which the SAML assertions should be sent after the user has been authenticated by Auth0. This URL will follow the format:

https://company.myabsorb.com/api/rest/v2/authentication/saml*

or

https://your.custom.url/api/rest/v2/authentication/saml*

10. Modify the SAML Settings as appropriate.

Example configuration:


{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}


Part 3: Absorb Setup

 

1. Log in to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings.

If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.

2. Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one.
3. Click Add and fill in the fields as shown below.

  • Name the connection something descriptive. This name is only visible to admins. 

  • The Key field should contain the full certificate that you downloaded in Part 2, Step 5.
    • Open the CER you downloaded in a text editor (e.g. Notepad).
    • Remove the "-----BEGIN CERTIFICATE-----" line.
    • Remove the "-----END CERTIFICATE-----" line.
    • Remove all line breaks (you should be left with a single line of encoded text).
    • Copy this information into the Key field in Absorb.
  • The Id Property should match whatever Absorb parameter you mapped in the SAML configuration in Part 2, Step 10 - usually email address.

  • The Signature Type will be what you configured as the signatureAlgorithm in Auth0's SAML settings (in the example above, it is Sha256).

  • The Login URL should be the 'SAML Protocol URL' value from Part 2, Step 7 above.

  • The Logout URL can be left blank or set to the Auth0 logout URL (https://{your Auth0 domain}/v2/logout).
  • You can specify a returnTo parameter to redirect the user to a specific URL after logout; however, the URL you choose must also be specified in the "Allowed Logout URLs" in Part 2, Step 3. You will also need to include your client ID as a parameter:

Absorb Side:

absorb-side-3.png

Auth0 Side:

AuthO-Slide.png

  • Set Automatically Redirect as desired.

    • If enabled, unauthenticated users will be redirected to the Auth0 login screen as soon as they land on your Absorb URL.

    • If disabled, users will see your public dashboard.

  • Assign which routes in your portal you would like to associate with this SSO configuration.

  • Save your configuration.
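
The Key field preparation described in the list above, as an added Python example (not Absorb's or Auth0's code): it strips the BEGIN/END lines and all line breaks, checks that what remains decodes to one complete DER structure so a truncated paste is caught before saving, and returns a SHA-256 fingerprint you can record alongside the configuration. The function names and the sample bytes are constructed for illustration; the sample is not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length_ok(der):
    """True if der is one complete ASN.1 SEQUENCE with no missing or extra bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def cer_to_key_field(raw):
    """Return (single-line Base64 for the Key field, SHA-256 fingerprint)."""
    if raw[:1] == b"\x30":                 # binary DER export instead of Base64 text
        der = raw
    else:
        text = raw.decode("utf-8-sig")     # tolerate a BOM added by a text editor
        blocks = PEM_RE.findall(text)
        if len(blocks) != 1:
            raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
        body = "".join(blocks[0].split())  # drops CR, LF, spaces and tabs
        der = base64.b64decode(body, validate=True)
    if not der_length_ok(der):
        raise ValueError("not a complete DER certificate (truncated or padded copy?)")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return base64.b64encode(der).decode("ascii"), fingerprint


# Constructed stand-in for a certificate: a valid DER SEQUENCE header followed by
# filler bytes. It is NOT a real X.509 certificate, only the right outer shape.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_b64 = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_CER = ("-----BEGIN CERTIFICATE-----\r\n"
              + "\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\r\n-----END CERTIFICATE-----\r\n").encode("ascii")

if __name__ == "__main__":
    key, fp = cer_to_key_field(SAMPLE_CER)
    print(key, "SHA-256 fingerprint: " + fp, sep="\n")
```

To use it on the real file, pass the bytes of the downloaded CER (for example `open(path, "rb").read()`) to `cer_to_key_field` and paste the first returned value into the Key field.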