Outgoing SAML 2.0 Single Sign-On


Applies to: Pro, Plus, & Enterprise Plans


Absorb Outgoing Single Sign-On (SSO) enables users to log into an external site from the Absorb Learner Interface without the need to log in a second time.
We support the Service Provider Initiated SAML 2.0 SSO method for outgoing SSO. Absorb acts as the Identity Provider and the external site acts as the Service Provider.
SAML 2.0 is a web-based single sign-on (SSO) method of authenticating users; it uses the XML standard for exchanging user data between an Identity Provider (i.e. Absorb) and a Service Provider (i.e. the external site).
There are various pieces of information that need to be exchanged in order to set up SSO, described in the following sections of this article.




Variables, with description and requirement:

Portal URL
This is the URL where your Absorb LMS is hosted. Please contact us if you do not know this. This URL is usually configured as part of your initial LMS onboarding.
e.g. https://companyname.myabsorb.com OR https://some.custom.url

Key (Requirement: Mandatory)
The key is the x509 public certificate for the private key that signs the SAML request. You must configure Absorb with your public key so that Absorb can verify your signed SAML requests.

Id Property (Unique Identifier)
A unique identifier field chosen in the Absorb LMS to be used as the identifying NameID through the SAML assertion. Absorb can be configured to use the following as the Id Property:
  • UserId (Absorb)
  • Username
  • Email Address
  • External Id
  • Employee Number

Service Provider Endpoint URL
Absorb uses the Assertion Consumer Service URL from the SAMLRequest to POST the SAML Response.
If the AssertionConsumerServiceUrl property of the client's SAML request is missing or incorrect, this value can be defined for all requests by configuring it under Portal Settings (see below).

Service Provider Initiated URL
We require the Service Provider URL to initiate SSO. We can initiate the SSO from two different locations on the Absorb learner site:
  • Dashboard Tile
  • Course Lesson – If the SP site hosts courses, you can send us different URLs to point to different courses on your site.

The Key, Id Property, and (optionally) Assertion Consumer Service Url can be configured by contacting Absorb support at support@absorblms.com.


How it Works

  1. User logs on to Absorb. User signs into Absorb by entering their assigned Username & Password or by an incoming SSO.

  2. User clicks on the Absorb outgoing SSO Dashboard tile OR navigates to an Absorb SSO course lesson object, either of which has the outgoing SSO URL (Service Provider Initiated URL) embedded in it. To create the dashboard tile, request one from Absorb Support. The course lesson object can be created by any client admin user with permission to create/modify courses:

    Absorb Admin Site > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field 

  3. Absorb redirects user to Service Provider Initiated URL.

  4. Service provider sends an HTTP POST message with a signed SAML Request (signed with the Service Provider's private key) to Absorb at the following URL:

    (where company.myabsorb.com = Client's Portal URL)

    A relayState variable can also be added to the POST message (for when special Absorb functionality is needed, i.e. launching a course directly).

  5. Once the SAML Request is sent to Absorb, we will authenticate the request using the public key configured in Portal Settings (see Setup section).

    If the authentication fails, an appropriate error message will be sent back to the requester (in this case back to the Service Provider).

    If successful, go to step 6.

  6. Absorb sends a signed SAML Response (signed with Absorb's private key) to the Service Provider. The SAML Response will contain the Id Property of the user being authenticated as the NameId property, along with the other user attributes listed under Service Provider Configuration.

  7. The service provider will use Absorb's public key (see Service Provider Configuration below) to verify the response. 

  8. If successful, the user will be logged into the Service Provider’s site.

Service Provider Configuration

We will provide the following details for configuration on your end:

  1. IdP Metadata – This includes the entity ID for your Absorb portal and the URL to POST the SAML Request to. See Metadata section below.

  2. Public key to authenticate SAML Response (x509 public certificate found in the IdP Metadata mentioned above).

  3. Id Property will be passed as NameID in SAMLResponse.

  4. We also send the below Attributes in the SAML Response that can be used on your end to create a new user profile if it doesn't exist:
              • FirstName
              • LastName
              • Email
              • UserId
              • Username
              • UserExternalId
              • EmployeeNumber
              • JobTitle
              • DepartmentId – Absorb ID for User’s Department
              • DepartmentName
              • ExternalDepartmentId – Department’s External ID
              • IsAdmin – Whether the user is an administrator.

  5. Binding - We support HTTP POST binding.
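
Steps 6 to 8 name only the signature check. The added example below (not Absorb's or any SP vendor's code) shows checks an SP can run once that verification has succeeded, and it goes beyond the page by also testing issuer, destination, request ID and validity window. `SP_ACS_URL`, the function name and the sample response are assumptions; signature verification with Absorb's certificate is assumed to be done by a SAML library that returns the verified element.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://subdomain.myabsorb.com"  # entityID from the IdP metadata
SP_ACS_URL = "https://sp.example.test/acs"        # assumed SP endpoint

# Constructed sample, not a captured Absorb response; signature elements omitted.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
  Destination="https://sp.example.test/acs"><a:Assertion ID="_a1">
  <a:Issuer>https://subdomain.myabsorb.com</a:Issuer>
  <a:Subject><a:NameID>jdoe@example.test</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  <a:AttributeStatement>
    <a:Attribute Name="Email"><a:AttributeValue>jdoe@example.test</a:AttributeValue></a:Attribute>
    <a:Attribute Name="IsAdmin"><a:AttributeValue>false</a:AttributeValue></a:Attribute>
  </a:AttributeStatement></a:Assertion></p:Response>"""

def _ts(value):
    if value is None:
        raise ValueError("missing validity bound")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def accept_response(verified_root, pending_request_ids, now):
    """verified_root: the Response element handed back by the signature verifier."""
    assertions = verified_root.findall("a:Assertion", NS)
    if len(assertions) != 1:  # refuse documents carrying extra assertions
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("a:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the configured IdP")
    if verified_root.get("Destination") != SP_ACS_URL:
        raise ValueError("response addressed to a different endpoint")
    request_id = verified_root.get("InResponseTo")
    if request_id not in pending_request_ids:
        raise ValueError("no matching outstanding request")
    cond = a.find("a:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    pending_request_ids.discard(request_id)  # each request ID is accepted once
    name_id = a.findtext("a:Subject/a:NameID", namespaces=NS)
    attrs = {x.get("Name"): x.findtext("a:AttributeValue", namespaces=NS)
             for x in a.iterfind("a:AttributeStatement/a:Attribute", NS)}
    return name_id, attrs
```

Pass the element the verifier reports as signed rather than re-parsing the raw POST body, so the checks run on the same data the signature covers.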


Metadata is used to ensure a secure transaction between an identity provider and a service provider. 

Absorb’s IdP Metadata

<?xml version="1.0" encoding="UTF-8" ?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://subdomain.myabsorb.com">
	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate><!-- placeholder: Absorb's base64-encoded signing certificate --></ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>
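
One way an SP can load its settings from metadata of this shape, as an added example (not Absorb's code): it extracts the entity ID, the HTTP-POST endpoint and a SHA-256 fingerprint of the signing certificate so the certificate can be compared with a value confirmed out of band. The function name and the sample, including its placeholder certificate bytes, are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of the metadata above; the certificate body
# is a placeholder byte string, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-der").decode()
SAMPLE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://subdomain.myabsorb.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{POST}" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def load_idp_settings(metadata_xml):
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Only keys marked use="signing" may verify the SAML Response.
    certs = [c.text for c in idp.iterfind(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text]
    if not certs:
        raise ValueError("metadata has no signing certificate")
    posts = [s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)
             if s.get("Binding") == POST]
    if len(posts) != 1 or urlsplit(posts[0]).scheme != "https":
        raise ValueError("need exactly one HTTPS endpoint for the HTTP-POST binding")
    der = base64.b64decode("".join(certs[0].split()))  # strip line wrapping first
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": posts[0],
        "cert_sha256": hashlib.sha256(der).hexdigest(),
    }
```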


  1. If your service provider hosts your courses and you want to send course completions back to Absorb, this can be done using our RESTful API.

    You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.

  2. Our inbound and outbound SSO can be used together: inbound SSO for login to Absorb, and outgoing SSO for login to a third-party site. Check out our Incoming SSO options here.