Outgoing SAML 2.0 Single Sign-On

Single Sign-On (SSO) processes can simplify how Users log in to a system. Establishing an SSO process with Absorb allows your Users a single point of entry into your system while providing them access to multiple other independent systems. Outgoing Single Sign-On enables Users to log in to an external site from the Learner Interface without the need to log in a second time.

This article discusses the Service Provider Initiated SAML 2.0 SSO method for outgoing SSO. Absorb acts as the Identity Provider (IdP), and the external service acts as the Service Provider (SP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer

Absorb LMS supports Outgoing SAML 2.0 Single Sign-On as a feature; however, we do not officially support any specific client-side solution. Although many Service Providers generally work with our implementation of SAML SSO, it is the client's responsibility to configure, develop, and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with SSO. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ outgoing SSO.

 

Setting Up SSO in Absorb

This section outlines how to set up a new outgoing SSO connection in Absorb. The supported SSO configuration path is now Client Settings through the SSO card, where the setup is presented in a guided, wizard-style flow. The legacy Manage SSO Settings button under Portal Settings may still appear, but it redirects to the newer configuration experience.

  1. Log in to the Admin Experience as a System Admin, then navigate to Client Settings.

     

  2. Open the SSO card to start a new configuration or manage an existing one.

     

  3. If you instead navigate to Portal Settings and click Manage SSO Settings, Absorb redirects you to Client Settings so you can continue setup from the newer SSO experience.

    Legacy Manage SSO Settings button in Portal Settings that redirects to the new SSO configuration experience.
     

  4. Click Add Configuration to create a new SSO configuration.


     

  5. In the Connection Type step, enter a Name for the SSO connection. This name is only visible to Admins.
    • In the Method field, select SAML.
    • In the Mode field, select Service Provider Initiated Outbound.

       

  6. In the Configuration step, provide your Service Provider's X509Certificate public key in the Key field.

    • You can either enter the key manually or click Upload Certificate to upload a key file and let Absorb extract the key automatically.
    • If you enter the key manually, remove spaces, line breaks, and any BEGIN or END text first.

     

  7. In the ID Property field, select the option corresponding to the User Profile field that Absorb should send as the NameID in the SAML assertion. This should be a unique identifier for Learners.


     

  8. The Assertion Consumer Service URL can be left blank, because it should be provided to Absorb through the SAML request. You can hard-code an ACS URL in this field if recurring issues arise.

     

  9. Set the Signature Type to the value expected by your service or website.


     

  10. Decide whether to enable Include User Data.

    1. If this option is OFF, no attributes are included in the response, and there is no AttributeStatement.
    2. If this option is ON, Absorb appends the following LMS attributes to the SAML response in the AttributeStatement:
      • FirstName
      • LastName
      • Email
      • UserId
      • Username
      • UserExternalId
      • EmployeeNumber
      • JobTitle
      • DepartmentId
      • DepartmentName
      • ExternalDepartmentId
      • IsAdmin


     

  11. Choose whether to enable Include Custom Fields.

    • This option allows you to include any custom User Fields in your Portal as attributes returned in the SAML response.
    • This field is only visible if Include User Data is ON.


     

  12. Review the remaining values in the wizard, then Save.

 

Key Upload Troubleshooting

If a key file upload does not populate the Key field as expected, reattempt the upload or enter the key manually using the new SSO settings interface.
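
When entering the key manually, the cleanup described in the Configuration step (no spaces, no line breaks, no BEGIN or END text) can be scripted and sanity-checked before pasting. The following is an added example, not Absorb's code; the function names are hypothetical and the sample is a constructed placeholder rather than a real certificate. It also refuses private keys and truncated pastes.

```python
import base64
import binascii
import re

ARMOR = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

# Constructed placeholder: a DER SEQUENCE header plus 64 filler bytes.
# It is NOT a real certificate, only data with the right outer shape.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x40]) + bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def der_declared_length(der: bytes) -> int:
    """Total size (header + content) that the outer DER element declares."""
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    count = first & 0x7F                  # long form: next `count` bytes
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def normalize_key_field(pem_text: str) -> str:
    """Return the certificate body as one unbroken base64 string."""
    labels = [m.group(2) for m in ARMOR.finditer(pem_text) if m.group(1) == "BEGIN"]
    # A private key never belongs in an IdP configuration form.
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("input contains a private key, expected a certificate")
    if len(labels) > 1 or any(label != "CERTIFICATE" for label in labels):
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    body = re.sub(r"\s+", "", ARMOR.sub("", pem_text))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64 after cleanup") from exc
    # X.509 certificates are DER SEQUENCEs: tag 0x30, then a length that
    # must account for every remaining byte. A mismatch means a bad paste.
    if len(der) < 2 or der[0] != 0x30 or der_declared_length(der) != len(der):
        raise ValueError("decoded data is not a complete DER structure")
    return body


if __name__ == "__main__":
    print(normalize_key_field(SAMPLE_PEM))
```

The checks only confirm the outer DER shape; they do not validate the certificate's contents or expiry.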

 

SSO Process Overview

This section outlines the requests and responses exchanged between a User, Absorb, and the SAML Service Provider during an outgoing SSO request.


Diagram showing the outgoing SSO request and response flow between the learner, Absorb, and the SAML service provider.

 

In the following steps, the SSO process is outlined in further detail:

  1. A Learner signs in to Absorb by entering their username and password or through incoming SSO.
  2. The Learner clicks a Dashboard tile or navigates to a Course Lesson Object that contains the outgoing Service Provider Initiated URL.
    • A Dashboard Tile can be created in the Templates section of the Admin Experience.
    • A Course Lesson Object can be created by any Admin with permission to create or modify Courses: Absorb Admin > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field.
    • More information about Learning Objects can be found in the article here.
  3. Absorb redirects the Learner to the Service Provider Initiated URL.
  4. The Service Provider sends an HTTP POST message with a signed SAML request, signed with the Service Provider's private key, to the Absorb portal at the following URL: https://company.myabsorb.com/Account/SamlRequest.
    • A RelayState variable can also be added in the POST message when special functionality is needed, such as launching a course directly.
  5. Absorb authenticates the SAML request using the configured X509Certificate public key. If authentication fails, an appropriate error message is sent back to the Service Provider.
  6. Absorb sends a signed SAML response, signed with Absorb's private key, to the Service Provider. The SAML response contains the Learner's Id Property as the NameID value, and other user attributes if Include User Data is enabled.
  7. The Service Provider uses Absorb's public key to verify the response.
  8. The Service Provider handles the response appropriately, either by logging the User in or by handling the User's information another way as programmed by the Service Provider.

 

Service Provider Configuration (Metadata)

The following details may be relevant for proper configuration of a Service Provider:

  • Absorb's IdP Metadata. This includes the entity ID for your Absorb Portal and the URL used to POST the SAML request. See the metadata section below.
  • Absorb's Public Key to authenticate the SAML response. This x509 public certificate is found in the IdP metadata.
  • Binding. Absorb supports HTTP Redirect binding. HTTP POST binding is only available by enabling an additional toggle to allow session cookies in a third-party context. This option is not recommended because it reduces portal security.

 

Absorb's IdP Metadata

The metadata files below can be used when configuring the external Service Provider to trust Absorb as the Identity Provider.

Important

You will need to replace the three occurrences of company.myabsorb.com in the metadata with your LMS URL. These locations are:

  1. The Entity ID at the top.
    Entity ID location in the Absorb metadata file.
  2. The binding for HTTP POST at the bottom.
    HTTP POST binding location in the Absorb metadata file.
  3. The binding for HTTP Redirect at the bottom.
    HTTP Redirect binding location in the Absorb metadata file.

Please note that Absorb metadata is not specific to any client portal, which means there are generic URLs that must be edited before you can use it.
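
The three-location edit can be scripted so that a missed or malformed replacement is caught before the file is loaded into the Service Provider. This is an added example, not Absorb's tooling: the sample metadata is constructed (its entityID path is a placeholder and the KeyDescriptor is omitted), and `lms.example.com` and the function name are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PLACEHOLDER = "company.myabsorb.com"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample shaped like generic SAML IdP metadata; the entityID
# value is a placeholder and nothing here is copied from Absorb's file.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://company.myabsorb.com/example-entity-id">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://company.myabsorb.com/Account/SamlRequest"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://company.myabsorb.com/Account/SamlRequest"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def localize_metadata(xml_text: str, lms_host: str):
    """Swap the generic host for lms_host; return (edited_xml, summary)."""
    found = xml_text.count(PLACEHOLDER)
    if found != 3:  # the article lists exactly three occurrences
        raise ValueError(f"expected 3 placeholder hosts, found {found}")
    if not lms_host or any(c in lms_host for c in "/<>\"'& \t\n"):
        raise ValueError("lms_host must be a bare hostname")
    edited = xml_text.replace(PLACEHOLDER, lms_host)
    root = ET.fromstring(edited)
    entity_id = root.get("entityID", "")
    endpoints = {
        el.get("Binding", "").rsplit(":", 1)[-1]: el.get("Location", "")
        for el in root.iter(MD + "SingleSignOnService")
    }
    if lms_host not in entity_id or not endpoints:
        raise ValueError("entityID or SSO endpoints missing after edit")
    # Every endpoint the Service Provider will use must be HTTPS on the portal host.
    for url in endpoints.values():
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != lms_host.lower():
            raise ValueError(f"unexpected endpoint after edit: {url}")
    return edited, {"entity_id": entity_id, "endpoints": endpoints}


if __name__ == "__main__":
    print(localize_metadata(SAMPLE_METADATA, "lms.example.com")[1])
```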

 

Production Metadata

Download the IdP metadata for the Production environment by clicking here.

Sandbox Metadata

Download the IdP metadata for the Sandbox environment by clicking here.

 

Appendix

This section includes additional notes related to outgoing SSO integrations and related functionality.

  • If your Service Provider hosts your Courses and you want to send course completions back to Absorb, this can be done using our RESTful API. You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.
  • Inbound and outbound SSO can be used together. Inbound can be used for SSO login to Absorb, and outgoing SSO can be used for login to a third-party site. Find our Incoming SSO documentation here.