Setup
SSO settings can be managed in Portal Settings by clicking the Manage SSO Settings button.
Once the Manage Single Sign-On Settings page has loaded, you will be presented with all existing SSO setups, as well as the option to add additional instances. This allows Admins to designate multiple outgoing SSO configurations as needed. When adding or managing existing SSO settings, you will be presented with some of the options as explained below:
|Name||The name is an optional field for Admins to customize what individual SSO setups are called. If no name is entered, it will default to the mode used.||Optional|
Admins can choose between three Method types which will determine what other fields are required for setup. The options available are:
|Portal URL||This is the URL where your Absorb LMS is hosted - please contact us if you do not know this. This URL is usually configured as part of your initial LMS onboarding.
e.g. https://companyname.myabsorb.com OR https://some.custom.url
|Key||The key is the x509 public certificate that is used to sign the SAML request. You must configure Absorb with your public key so that Absorb can verify your signed SAML requests.||Mandatory|
If the SAML option has been selected for the SSO method, there are three options available to Admins to choose from the Mode drop-down menu:
|Id Property (Unique Identifier)||A unique identifier field chosen in the Absorb LMS to be used as the identifying NameID through the SAML assertion. Absorb can be configured to use the following as the Id Property:
|Login URL||The login URL is the web address through which your users must sign in to be properly authenticated.||Mandatory|
|Logout URL||The URL entered here is where users will be forwarded upon successful logout of the LMS. If left blank, the URL will default to the Absorb login page.||Optional|
|Automatically Redirect||When enabled, this toggle redirects users who attempt to access Absorb unauthenticated to the Login URL. When not enabled, users land on the login page or another public-facing page.||Optional|
|Assigned Routes||This field provides any available URLs for your portal as set up by request through Absorb Support or your Client Success Manager. The URL used here will determine where users are directed when authenticated for this SSO setup.||Mandatory|
|LDAPS Server URL||The LDAPS Server URL is the web address through which your users must sign in to be properly authenticated.||Mandatory|
|LDAPS Server Custom Port||Admins can manage the port number if needed; otherwise the default is 636. Admins should not change the port unless their LDAPS server uses a different one.||Optional|
This field allows Admins to designate the hashing algorithm used to sign outgoing SSO messages. The following signature types are currently supported:
|Include User Data||Admins can opt to send user data in addition to the SAML request by enabling this toggle. Either the standard subset of user field data is sent, or sending user data is disabled altogether.||Optional|
|Include Custom Fields||Custom Field data can now be sent alongside the default field set, provided the Include User Data toggle is enabled. This field allows Admins to choose from their existing Custom Fields to include.||Optional|
|Assertion Consumer Service URL||This field should be left blank unless your portal's SAML request's AssertionConsumerServiceUrl property is missing or incorrect.||Optional|
|Service Provider Endpoint URL||Absorb uses the Assertion Consumer Service URL from SAMLRequest to POST the SAML Response. If the client's SAML request's AssertionConsumerServiceUrl property is missing/incorrect, this value can be defined for all requests by configuring it under Portal Settings (see below).||Mandatory|
|Service Provider Initiated URL||We require the Service Provider URL to initiate SSO. We can initiate the SSO from two different locations on the Absorb learner site:
How it Works
1. User logs on to Absorb. The user signs into Absorb by entering their assigned Username & Password or by an incoming SSO.
2. User clicks on the Absorb outgoing SSO Dashboard tile OR navigates to an Absorb SSO course lesson object, either of which has the outgoing SSO URL (Service Provider Initiated URL) embedded in it. The dashboard tile must be requested from Absorb Support. The course lesson object can be created by any client admin user with permission to create/modify courses:
   Absorb Admin Site > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field
3. Absorb redirects the user to the Service Provider Initiated URL.
4. The service provider sends an HTTP POST message with a signed SAML Request (signed with the Service Provider's private key) to Absorb at the following URL:
   (where company.myabsorb.com = Client's Portal URL)
   A relayState variable can also be added in the POST message (for when Absorb special functionality is needed, i.e. launching a course directly).
5. Once the SAML Request is sent to Absorb, we will authenticate the request using the public key configured in Portal Settings (see Setup section).
   If the authentication fails, an appropriate error message will be sent back to the requester (in this case back to the Service Provider).
   If successful, go to step 6.
6. Absorb sends a signed SAML Response (signed with Absorb's private key) to the Service Provider. The SAML Response will contain the Id Property of the user being authenticated as the NameId property, and the other user attributes mentioned above.
7. The service provider will use Absorb's public key (see Service Provider Configuration below) to verify the response.
8. If successful, the user will be logged into the Service Provider’s site.
Service Provider Configuration
We will provide the following details for configuration on your end:
- IdP Metadata – This includes entity ID for your Absorb portal, and URL to POST SAML Request. See Metadata section below.
- Public key to authenticate SAML Response (x509 public certificate found in the IdP Metadata mentioned above).
- Id Property will be passed as NameID in SAMLResponse.
- We also send the Attributes below in the SAML Response, which can be used on your end to create a new user profile if it doesn't exist:
  - DepartmentId – Absorb ID for User’s Department
  - ExternalDepartmentId – Department’s External ID
  - IsAdmin – Whether the user is an administrator.
  - User Data – When the "Include User Data" toggle is enabled, a standard subset of user data can be sent. Admins can also include Custom Fields alongside the standard subset as needed.
- Binding - We support HTTP POST binding.
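
The service provider's handling of the SAML Response in the last steps of How it Works, using the NameID and attributes listed above, shown as an added example (not Absorb's code). It assumes your SAML library has already verified the signature against Absorb's x509 certificate; `profile_from_response`, the sample URLs and values, the presence of `Destination` and `InResponseTo`, and the `True`/`False` text of IsAdmin are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _utc(instant):
    # SAML instants are UTC; keep the first 19 characters to drop fractions and the "Z".
    return datetime.strptime(instant[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def profile_from_response(xml_text, acs_url, request_id, now):
    # Precondition (not shown): signature over this document verified with Absorb's certificate.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["p"] or root.get("Destination") != acs_url:
        raise ValueError("not a SAML Response addressed to our ACS URL")
    if root.get("InResponseTo") != request_id:
        raise ValueError("does not answer the SAML Request we sent")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("Absorb did not report success")
    # Exactly one assertion, as a direct child: rejects a second, injected assertion.
    direct, anywhere = root.findall("a:Assertion", NS), root.findall(".//a:Assertion", NS)
    if len(direct) != 1 or len(anywhere) != 1:
        raise ValueError("expected exactly one assertion")
    cond = direct[0].find("a:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if not expiry or now >= _utc(expiry):
        raise ValueError("assertion has no expiry or has expired")
    name_id = direct[0].findtext("a:Subject/a:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("no NameID (Id Property) in assertion")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", default="", namespaces=NS)
             for a in direct[0].findall("a:AttributeStatement/a:Attribute", NS)}
    return {"id": name_id, "department_id": attrs.get("DepartmentId"),
            "external_department_id": attrs.get("ExternalDepartmentId"),
            # Text form of IsAdmin is assumed; map it to local roles explicitly.
            "absorb_is_admin": attrs.get("IsAdmin", "").strip().lower() == "true"}

# Constructed, unsigned sample with illustrative values.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req1" Destination="https://sp.example.com/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
   <saml:Attribute Name="DepartmentId"><saml:AttributeValue>dept-1</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="IsAdmin"><saml:AttributeValue>False</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

These checks complement signature verification: a validly signed response can still be stale, addressed to another endpoint, or unrelated to the request your site issued.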
Metadata is used to ensure a secure transaction between an identity provider and a service provider.
Absorb’s IdP Metadata
- If your service provider hosts your courses and you want to send course completions back to Absorb, this can be done using our RESTful API.
You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.
- Our inbound and outbound SSO can be used together: inbound SSO for login to Absorb, and outgoing SSO for login to a third-party site. Check out our Incoming SSO options here.