- Redirecting users to Absorb with GET or POST variables
- Storing session (token) information about the user between requests. Absorb stores the token in the Session, so the web server must be capable of maintaining the Session between requests.
- Performing cryptographic operations (specifically PBKDF2)
The following variables will need to be determined and configured as part of your SSO implementation.
|Portal URL||This is the URL where your Absorb LMS is hosted - please contact us if you do not know this. This URL is usually configured as part of your initial LMS onboarding.
e.g. https://companyname.myabsorb.com OR https://some.custom.url
|SSO Key||This key is used as part of the authentication process and is configurable in Portal Settings. The SSO key can be chosen by the client (usually randomly generated).||Mandatory|
|Id Property (Unique Identifier)||A field chosen in Absorb LMS used to uniquely identify the user. Absorb can be configured to use the following as the Id Property:
|Login URL||This URL is used during the authentication process (see Step 2 in the Process section below).
This is also the URL Absorb LMS redirects to when the user lands directly on the Portal URL and is not authenticated, if Automatically Redirect (see below) is turned on.
|Logout URL||This is the URL Absorb redirects users to when a user logs out of the Absorb system.||Optional|
|Automatically Redirect||This optional function, when turned on, forces all users who land directly on the Portal URL to be redirected to the Login URL (this request does not send a token parameter). If it is not turned on, users will land on the default Portal URL.
|token||A random URL Encoded string.||Mandatory|
|id||The unique identifier of the user being authenticated (see Id Property above).||Mandatory|
|key||Generated key unique to this request and user. More information in the Parameters section below.||Mandatory|
|Assigned Routes||This field allows you to search for, and select, any existing routes to assign.||Optional|
With the exception of Portal URL, token, id, and key (all used during the actual authentication process), all of the above variables can be configured by logging into the Absorb admin portal as a System Admin and navigating to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.
Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one.
Each route (Portal URL, e.g. company.myabsorb.com) can have its own set of SSO configuration. Please see this article for more information on route-based SSO. The remainder of this article assumes we're talking about a single SSO configuration.
How it Works
- Redirect the user to URL/Account/ExternalLogin
- The user will be redirected to Login URL with the (GET) query string parameter token along with any other query string parameters that were sent in the original redirect.
- Redirect the user to URL/Account/ExternalLoginCallback with id and key parameters.
- If successful, the user will be logged in. Otherwise the user is redirected back to Login URL with a new token.
Absorb LMS uses the System.Web.HttpServerUtility.UrlTokenEncode method
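Absorb LMS uses the System.Web.HttpServerUtility.UrlTokenDecode method
PBKDF2(string key, byte[] salt)
Absorb LMS uses the Rfc2898DeriveBytes class to implement this method. The method looks like this:
    static byte[] PBKDF2(string key, byte[] salt)
    {
        // Rfc2898DeriveBytes is in System.Security.Cryptography
        Rfc2898DeriveBytes pbkdf2 = new Rfc2898DeriveBytes(key, salt);
        pbkdf2.IterationCount = 1000;  // iteration count
        return pbkdf2.GetBytes(24);    // number of derived bytes
    }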
Important values to note are the Iteration Count (set to 1000) and the number of bytes to use (24).
UrlTokenEncode(PBKDF2(id + SSOKey, UrlTokenDecode(token)))
The following variables are used in this example:
- Redirect the user to
- User is redirected to
https://<company.com>/authenticate?token=MqsXexqpYRUNAHR_lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l_tOirhThQYIbfWYErgu4bDwl-7brVhXTWnJNQ2
- Generate key using:
    string idAndKey = "firstname.lastname@example.org" + "7MpszrQpO95p7H";
    byte[] salt = UrlTokenDecode("MqsXexqpYRUNAHR_lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l_tOirhThQYIbfWYErgu4bDwl-7brVhXTWnJNQ2");
    string key = UrlTokenEncode(PBKDF2(idAndKey, salt));
    // key = "aE1k9-djZ66WbUATqdHbWyJzskMI5ABS0"
- Redirect user to
https://<company.myabsorb.com>/email@example.com&key=aE1k9-djZ66WbUATqdHbWyJzskMI5ABS0
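For login pages that do not run on .NET, the key derivation above can be ported as follows. This is an added example, not Absorb's code: the function names, the user id and the portal host are assumptions, and it relies on the .NET defaults behind Rfc2898DeriveBytes(string, byte[]), namely HMAC-SHA1 and UTF-8 encoding of the password string.

```python
import base64
import hashlib
from urllib.parse import urlencode

# Token and SSO key are the sample values from the walkthrough above;
# the user id and portal host are constructed placeholders.
SAMPLE_TOKEN = ("MqsXexqpYRUNAHR_lHkPRic1g1BYhH6bFNVPagEkuaL8Mf80l_"
                "tOirhThQYIbfWYErgu4bDwl-7brVhXTWnJNQ2")
SAMPLE_SSO_KEY = "7MpszrQpO95p7H"
SAMPLE_ID = "jane.doe@example.com"
SAMPLE_PORTAL = "https://companyname.myabsorb.com"


def url_token_encode(data: bytes) -> str:
    """base64url with '=' padding replaced by a trailing count digit."""
    if not data:
        return ""
    b64 = base64.urlsafe_b64encode(data).decode("ascii")
    body = b64.rstrip("=")
    return body + str(len(b64) - len(body))


def url_token_decode(token: str) -> bytes:
    """Inverse of url_token_encode; the last character is the padding count."""
    if not token:
        return b""
    if token[-1] not in "012":
        raise ValueError("token does not end in a padding-count digit")
    return base64.urlsafe_b64decode(token[:-1] + "=" * int(token[-1]))


def absorb_sso_key(user_id: str, sso_key: str, token: str) -> str:
    """UrlTokenEncode(PBKDF2(id + SSOKey, UrlTokenDecode(token)))."""
    salt = url_token_decode(token)
    derived = hashlib.pbkdf2_hmac(
        "sha1", (user_id + sso_key).encode("utf-8"), salt, 1000, dklen=24)
    return url_token_encode(derived)


def callback_url(portal_url: str, user_id: str, key: str) -> str:
    """Final redirect; urlencode escapes characters such as '@' in the id."""
    query = urlencode({"id": user_id, "key": key})
    return f"{portal_url.rstrip('/')}/Account/ExternalLoginCallback?{query}"


if __name__ == "__main__":
    k = absorb_sso_key(SAMPLE_ID, SAMPLE_SSO_KEY, SAMPLE_TOKEN)
    print(callback_url(SAMPLE_PORTAL, SAMPLE_ID, k))
```

Because the token is the salt, a key is valid only for the token it was derived from; derive it again whenever Absorb issues a new token.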
Deep Linking and RelayState
Deep linking in terms of the Absorb LMS is the ability to redirect a user to a particular user content page on the Absorb LMS. This is usually done through a hyperlink that the user would click on.
Absorb supports deep linking through Absorb SSO using one of the protocol’s implementation parameters, the RelayState. The RelayState parameter should be included as part of the final redirect to Absorb at the end of the URL.
The following example illustrates how to structure the RelayState parameter:
Courses: (Online Course)
(Where the blue text portion is the deep link)
Not all Absorb deep links are supported when used in conjunction with Absorb SSO. Absorb supports deep linking into the following LMS content with Absorb SSO:
- Online Course Page
- ILC Page
- Curriculum Page
- Enrolled Courses List
- Courses List (Categories)
- Catalog by Category
- Purchase Page
- Purchase by Category