This article discusses Incoming Single Sign-On (SSO) for clients using LDAPS. It's important to note that SSO using LDAPS is a different experience from other SSO methods (i.e. SAML 2.0 SSO, Absorb SSO). When using LDAPS, users are still prompted to log in on the Absorb login page; however, the username and password that they enter are checked against the client's LDAP server instead of the Absorb user database. This allows the user to enter the same set of credentials that they may use on multiple other systems, all connected to the same LDAP server. This differs from the SAML 2.0 SSO and Absorb SSO methods, where the Absorb login page is bypassed completely.
Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.
The LDAPS authentication feature in Absorb 5 allows users to log in to the Learner Interface using credentials stored in a directory service provider (such as Active Directory). This integration requires the client to provide an LDAP server capable of processing standard LDAP BIND requests.
Communication between Absorb and the LDAP server is secured with Secure Sockets Layer (SSL) authentication. Please note that once enabled, LDAP authentication will prevent non-LDAP users (i.e. regular Absorb users) from logging in.
The LDAPS authentication flow is described in the following diagram.
Signing on using LDAPS follows this process:
- The learner navigates to your Absorb Portal URL (e.g. mycompany.myabsorb.com).
- The learner enters his/her Active Directory credentials in the regular Absorb login form.
- Absorb connects to your LDAP server's Sign-On URL on port 636 (see Setup section below).
- Absorb authenticates the server using your provided LDAPS Certificate.
- Upon successful authentication of the server, Absorb tries to bind with the credentials provided by the user. The Absorb username is used as the unique identifier when attempting to bind.
- Upon successful binding, the user is logged into the Absorb Learner Interface. Note: If unsuccessful, the user is prompted with the error message "Invalid Credentials".
Users will be directed to the Absorb sign-in page on logout.
The following pieces of information must be exchanged in order to complete the setup:
1. Sign-On URL: Your LDAP server address must be provided to Absorb.
2. LDAP Port: Absorb connects on port 636 by default.
3. LDAPS Certificate: You must provide Absorb with a signed certificate (Root CA) for server authentication.
4. Absorb Portal URL: This URL should be provided to your learners to log in. Absorb will provide you with this if you do not already have it.
5. IP Address: Absorb will provide you with a list of IP Addresses to whitelist. This will allow Absorb to establish a connection with your LDAP server.
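Before handing the Sign-On URL and Root CA to Absorb, it is worth confirming that the certificate your LDAP server presents on port 636 actually validates against that Root CA and matches the host name. The following pre-flight check is an added example using only the Python standard library; it is not Absorb's code, the function names are hypothetical, and `ldap.example.com` and `rootca.pem` are placeholders. It stops after the TLS handshake and does not attempt a bind.

```python
import socket
import ssl
import sys


def strict_context():
    """TLS client context with no trust anchors loaded yet.

    PROTOCOL_TLS_CLIENT turns on certificate and host name verification and,
    unlike ssl.create_default_context(), does not load the system CA store,
    so only the CA file loaded afterwards is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_ldaps(host, ca_file, port=636, timeout=5.0):
    """Report whether host:port presents a chain that validates against ca_file."""
    ctx = strict_context()
    try:
        ctx.load_verify_locations(cafile=ca_file)
    except OSError as exc:  # missing file, or file is not a PEM certificate
        return {"ok": False, "stage": "load-ca", "detail": str(exc)}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "stage": "done", "protocol": tls.version(),
                        "subject": cert.get("subject"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # Wrong CA, expired certificate, or host name not in the certificate.
        return {"ok": False, "stage": "verify", "detail": exc.verify_message}
    except OSError as exc:  # refused, timed out, dropped by firewall, bad handshake
        return {"ok": False, "stage": "connect", "detail": str(exc)}


if __name__ == "__main__":
    # Usage: python check_ldaps.py ldap.example.com rootca.pem
    print(check_ldaps(sys.argv[1], sys.argv[2]))
```

A `verify` failure here means the certificate chain, validity period, or host name would not pass against the Root CA you plan to supply; a `connect` failure from your own network says nothing about whether the whitelisted Absorb IP addresses can reach the server.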
Log in to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.
Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one.
Click Add and fill in the fields as shown below.
- The ‘Key’ field should contain the full X.509 certificate you provided in step 3 under the Setup section above.
- The ‘LDAPS Server URL’ should be the ‘Sign-On URL’ value from step 1 under the Setup section above.
- The ‘LDAPS Server Custom Port’ (optional) default value is 636. Do not change unless you are certain the port is different.