Outgoing SAML 2.0 Single Sign-On


Applies to: Pro, Plus, & Enterprise Plans

Introduction

Absorb Outgoing Single Sign-On (SSO) enables users to log into an external site from the Absorb Learner Interface without having to log in a second time.
 
We support the Service Provider Initiated SAML 2.0 SSO method for outgoing SSO. Absorb acts as the Identity Provider and the external site acts as the Service Provider.
 
SAML 2.0 is a web-based single sign-on (SSO) method of authenticating users; it uses the XML standard for exchanging user data between an Identity Provider (here, Absorb) and a Service Provider (here, the external site).
 
Several pieces of information need to be exchanged in order to set up SSO; they are described in the following sections of this article.
 


Setup

Variable: Portal URL
  Description: The URL where your Absorb LMS is hosted; please contact us if you do not know this. This URL is usually configured as part of your initial LMS onboarding.
  e.g. https://companyname.myabsorb.com OR https://some.custom.url
  Requirement: Mandatory

Variable: Key
  Description: The key is the x509 public certificate matching the private key with which you sign your SAML requests. You must configure Absorb with this public certificate so that Absorb can verify your signed SAML requests.
  Requirement: Mandatory

Variable: Id Property (Unique Identifier)
  Description: A unique identifier field chosen in the Absorb LMS to be used as the identifying NameID in the SAML assertion. Absorb can be configured to use any of the following as the Id Property:
    • UserId (Absorb)
    • Username
    • Email Address
    • External Id
    • Employee Number
  Requirement: Mandatory

Variable: Service Provider Endpoint URL
  Description: Absorb uses the Assertion Consumer Service URL from the SAMLRequest to POST the SAML Response. If the client's SAML request's AssertionConsumerServiceUrl property is missing or incorrect, this value can be defined for all requests by configuring it under Portal Settings (see below).
  Requirement: Mandatory

Variable: Service Provider Initiated URL
  Description: We require the Service Provider URL to initiate SSO. We can initiate the SSO from two different locations on the Absorb learner site:
    • Dashboard Tile
    • Course Lesson – If the SP site hosts courses, you can send us different URLs to point to different courses on your site.
  Requirement: Mandatory
 
The Key, Id Property, and (optionally) Assertion Consumer Service URL can be configured by contacting Absorb support at support@absorblms.com.

 

How it Works

  1. User logs on to Absorb. User signs into Absorb by entering their assigned Username & Password or by an incoming SSO.

  2. User clicks on the Absorb outgoing SSO Dashboard tile OR navigates to an Absorb SSO course lesson object, either of which has the outgoing SSO URL (Service Provider Initiated URL) embedded in it. The dashboard tile must be requested from Absorb Support. The course lesson object can be created by any client admin user with permission to create/modify courses:

    Absorb Admin Site > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field 

  3. Absorb redirects user to Service Provider Initiated URL.

  4. The Service Provider sends an HTTP POST message with a signed SAML Request (signed with the Service Provider's private key) to Absorb at the following URL:

    https://company.myabsorb.com/Account/SamlRequest 
    (where company.myabsorb.com = Client's Portal URL)

    A RelayState variable can also be added to the POST message (for when Absorb special functionality is needed, e.g. launching a course directly).

  5. Once the SAML Request is sent to Absorb, we verify the request's signature using the public key configured in Portal Settings (see the Setup section).

    If the authentication fails an appropriate error message will be sent back to the requester (in this case back to the Service Provider). 

    If successful go to step 6. 

  6. Absorb sends a signed SAML Response (signed with Absorb's private key) to the Service Provider. The SAML Response contains the Id Property of the user being authenticated as the NameId property, plus the other user attributes listed under Service Provider Configuration below.

  7. The service provider will use Absorb's public key (see Service Provider Configuration below) to verify the response. 

  8. If successful the user will be logged into the Service Provider’s site.


Service Provider Configuration

We will provide the following details for configuration on your end:

  1. IdP Metadata – This includes the entity ID for your Absorb portal and the URL to which the SAML Request is POSTed. See the Metadata section below.

  2. Public key to verify the SAML Response signature (the x509 public certificate found in the IdP Metadata mentioned above).

  3. The Id Property will be passed as the NameID in the SAMLResponse.

  4. We also send the following attributes in the SAML Response, which can be used on your end to create a new user profile if one doesn't exist:
              • FirstName
              • LastName
              • Email
              • UserId
              • Username
              • UserExternalId
              • EmployeeNumber
              • JobTitle
              • DepartmentId – Absorb ID for User’s Department
              • DepartmentName
              • ExternalDepartmentId – Department’s External ID
              • IsAdmin – If user is an administrator.

  5. Binding - We support HTTP POST binding.
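Step 7 of How it Works and the attribute list above describe what the Service Provider receives and must verify. The following Python is added here as an illustration and is not Absorb's code or any SP library's code. It shows the checks an SP should make on the Response after the XML signature has been verified against the certificate in Absorb's IdP metadata: signature verification itself is delegated to an XML-DSig library and is represented by the signature_ok callback, which is an assumption of this example, as are the sp.example.com URLs, the request ID and the constructed sample Response (only its attribute names come from the article).

```python
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP-side settings. The SP URLs are placeholders; the IdP entity ID is
# the placeholder host used in the article's metadata.
IDP_ENTITY_ID = "https://subdomain.myabsorb.com"
SP_ACS_URL = "https://sp.example.com/saml/acs"   # AssertionConsumerServiceURL sent in our request
SP_ENTITY_ID = "https://sp.example.com"          # audience we expect the assertion to name

# Constructed sample Response (not a real Absorb message). A live one arrives
# base64-encoded in the SAMLResponse form field: base64.b64decode(form["SAMLResponse"]).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" InResponseTo="_req-1"
    Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://subdomain.myabsorb.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://subdomain.myabsorb.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-1" Recipient="https://sp.example.com/saml/acs"
            NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="DepartmentName"><saml:AttributeValue>Engineering</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="IsAdmin"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z (fractional seconds ignored)."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base + "Z", "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


SAMPLE_NOW = parse_saml_time("2024-05-01T12:00:30Z")  # clock value used when demonstrating the sample


def consume_response(xml_bytes, request_id, now, signature_ok):
    """Validate a SAML Response and return {"name_id": ..., "attributes": {...}} or raise ValueError.

    signature_ok(xml_bytes) -> bool stands in for an XML-DSig verification against the
    certificate from Absorb's IdP metadata; nothing below is trustworthy until it passes.
    request_id is the ID the SP put in the AuthnRequest it sent to /Account/SamlRequest.
    """
    if not signature_ok(xml_bytes):
        raise ValueError("signature verification failed")
    root = ET.fromstring(xml_bytes)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("non-success status")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("response addressed to a different ACS URL")
    if root.get("InResponseTo") != request_id:          # binds the response to a request we issued
        raise ValueError("response does not match an outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != IDP_ENTITY_ID:
            raise ValueError("unexpected issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no conditions")
    if not (parse_saml_time(conditions.get("NotBefore")) <= now < parse_saml_time(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [(a.text or "").strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this service provider")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != request_id:
        raise ValueError("subject confirmation does not match this request")
    if now >= parse_saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing NameID")
    attributes = {}  # the Absorb attribute names listed above arrive here, e.g. FirstName, IsAdmin
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values
    return {"name_id": name_id.text.strip(), "attributes": attributes}


def rejection_reason(xml_bytes, request_id, now, signature_ok):
    """Return the reason a Response would be rejected, or None if it is accepted."""
    try:
        consume_response(xml_bytes, request_id, now, signature_ok)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The lambda stands in for a real XML-DSig check; never do this in production.
    print(consume_response(SAMPLE_RESPONSE, "_req-1", SAMPLE_NOW, lambda xml: True))
```

The order of checks is deliberate: nothing is read from the document before the signature passes, the InResponseTo and Recipient values tie the Response to a request the SP actually issued (defeating replay of a captured Response against a different session), and the validity window is evaluated against a clock the caller passes in, which keeps the logic testable and makes clock skew handling an explicit policy decision.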


Metadata

Metadata lets the identity provider and the service provider exchange, in a standard format, what each needs in order to trust the other. Absorb's IdP metadata carries its entity ID, the x509 signing certificate used to verify SAML Responses, and the single sign-on endpoints and bindings that Absorb accepts.

Absorb’s IdP Metadata

<?xml version="1.0" encoding="UTF-8" ?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://subdomain.myabsorb.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIDjjCCAnYCCQCa+e+SzqyqUTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC
            Q0ExEDAOBgNVBAgMB0FsYmVydGExEDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoM
            GUJsYXRhbnQgTWVkaWEgQ29ycG9yYXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMx
            HDAaBgNVBAMME0Fic29yYiBMTVMgU0FNTCBTU08wHhcNMTQxMTAzMjEyNzQwWhcN
            MjQxMDMxMjEyNzQwWjCBiDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB0FsYmVydGEx
            EDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoMGUJsYXRhbnQgTWVkaWEgQ29ycG9y
            YXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMxHDAaBgNVBAMME0Fic29yYiBMTVMg
            U0FNTCBTU08wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDICYSrMPKo
            1Wn6Owqst6JN+klfyWigtfOfjNtkqFj065840+SYYPUw3PTdyanSYZJ8PYl8JRfg
            MmfBTxyVoFJU4rCvhVei/gkHwovngX+cAzYo+cBABm1dG9oBky0wi8qUjoauByWQ
            74npjtmwAfhv1/r5rRv7LdpkTxpZ5Llz772uHFOobvC4hRt13Z7hKkhiuQ7ZE5/I
            BbjXjgMYFDgMg9iMZ0qsKlDPK+sSi+DAJRtvZhscCDBFeThf64YM92TIAUgG3MPQ
            s7BvzI/rWea4UC5TfRekA7F/hmaXqh/Vy2LWPKXzFKZ4tjCP6u+Q/rycxsx9dlGY
            2LMM6pWtzyEHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACXgA3cIpNZ9jlHH+vU/
            6+2h5y/ps72fdULbbX5EPhcyHugyn7gFz7LQgq5PE8Ufbh7rggegAuB0VaMC1gYv
            fr2xsusQi+XekWD1wEiwYl8WavTbvildUweBTMHgKWAqsbvDdYyUgcgk6NG2myrn
            VrGtz+1fh4TqswnkoA9c0XOYnXvOB/mG79GrnPgPoLTl/21pr1ewJ4NBY3/BJAnY
            tATZbmP5zPvZs6oSt0Ds652oN+eA1CfU1Ys+n0vZI1f9IkMfClcY1X78/9AtRxIU
            KXhmt5gN2lKQsyr8QKgzwQmtuXVt2Qz10GzsJRFX5Ly2Ocqu8bQ2AY+G5rlnCY1t
            W4Q=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
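As an added example (not Absorb's code), the following Python reads the metadata above with the standard library only: it pulls out the entityID, the HTTP-POST single sign-on endpoint and the signing certificate, derives a SHA-256 fingerprint of the certificate to pin, and walks the certificate's ASN.1 just far enough to read its validity period. The three checks it runs (HTTPS endpoint, endpoint host matching the entityID host, certificate currently within its validity period) are this example's own suggestions, not requirements stated by the article; the metadata embedded in it is the article's sample, with its placeholder host subdomain.myabsorb.com.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Absorb's sample IdP metadata as published in the article (placeholder host subdomain.myabsorb.com).
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8" ?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://subdomain.myabsorb.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIIDjjCCAnYCCQCa+e+SzqyqUTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC
Q0ExEDAOBgNVBAgMB0FsYmVydGExEDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoM
GUJsYXRhbnQgTWVkaWEgQ29ycG9yYXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMx
HDAaBgNVBAMME0Fic29yYiBMTVMgU0FNTCBTU08wHhcNMTQxMTAzMjEyNzQwWhcN
MjQxMDMxMjEyNzQwWjCBiDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB0FsYmVydGEx
EDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoMGUJsYXRhbnQgTWVkaWEgQ29ycG9y
YXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMxHDAaBgNVBAMME0Fic29yYiBMTVMg
U0FNTCBTU08wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDICYSrMPKo
1Wn6Owqst6JN+klfyWigtfOfjNtkqFj065840+SYYPUw3PTdyanSYZJ8PYl8JRfg
MmfBTxyVoFJU4rCvhVei/gkHwovngX+cAzYo+cBABm1dG9oBky0wi8qUjoauByWQ
74npjtmwAfhv1/r5rRv7LdpkTxpZ5Llz772uHFOobvC4hRt13Z7hKkhiuQ7ZE5/I
BbjXjgMYFDgMg9iMZ0qsKlDPK+sSi+DAJRtvZhscCDBFeThf64YM92TIAUgG3MPQ
s7BvzI/rWea4UC5TfRekA7F/hmaXqh/Vy2LWPKXzFKZ4tjCP6u+Q/rycxsx9dlGY
2LMM6pWtzyEHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACXgA3cIpNZ9jlHH+vU/
6+2h5y/ps72fdULbbX5EPhcyHugyn7gFz7LQgq5PE8Ufbh7rggegAuB0VaMC1gYv
fr2xsusQi+XekWD1wEiwYl8WavTbvildUweBTMHgKWAqsbvDdYyUgcgk6NG2myrn
VrGtz+1fh4TqswnkoA9c0XOYnXvOB/mG79GrnPgPoLTl/21pr1ewJ4NBY3/BJAnY
tATZbmP5zPvZs6oSt0Ds652oN+eA1CfU1Ys+n0vZI1f9IkMfClcY1X78/9AtRxIU
KXhmt5gN2lKQsyr8QKgzwQmtuXVt2Qz10GzsJRFX5Ly2Ocqu8bQ2AY+G5rlnCY1t
W4Q=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def der_tlv(buf, pos):
    """Decode one DER tag-length-value header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def certificate_validity(der):
    """Return (not_before, not_after) of a DER X.509 certificate via a minimal ASN.1 walk."""
    _, tbs_pos, _ = der_tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, pos, _ = der_tlv(der, tbs_pos)       # TBSCertificate ::= SEQUENCE { ... }
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version (absent in v1 certificates)
        pos = end
    for _ in range(3):                      # skip serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = der_tlv(der, pos)
    _, pos, _ = der_tlv(der, pos)           # Validity ::= SEQUENCE { notBefore Time, notAfter Time }
    times = []
    for _ in range(2):
        tag, start, pos = der_tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
        times.append(datetime.strptime(der[start:pos].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return tuple(times)


def parse_idp_metadata(xml_text):
    """Extract what an SP needs from IdP metadata and run basic sanity checks on it."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    b64 = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(b64.split()))   # drop the line breaks and indentation around the base64
    not_before, not_after = certificate_validity(der)
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    post_url = endpoints[POST_BINDING]
    checks = {
        "endpoint_is_https": urlsplit(post_url).scheme == "https",
        "endpoint_host_matches_entity": urlsplit(post_url).hostname == urlsplit(entity_id).hostname,
        "certificate_currently_valid": not_before <= datetime.now(timezone.utc) < not_after,
    }
    return {
        "entity_id": entity_id,
        "sso_post_url": post_url,
        "signing_cert_sha256": hashlib.sha256(der).hexdigest(),   # pin this and compare on every refresh
        "not_before": not_before,
        "not_after": not_after,
        "der_length": len(der),
        "checks": checks,
    }


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
```

Run against the sample metadata, the walk reports a certificate valid from 3 November 2014 to 31 October 2024, so the certificate_currently_valid check now fails: the sample is fine for testing a parser but a Service Provider must obtain current metadata for its own portal, pin the fingerprint it gets, and treat a changed fingerprint on refresh as something to confirm with Absorb rather than accept silently.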


Appendix

  1. If your service provider hosts your courses and you want to send course completions back to Absorb, this can be done using our RESTful API.

    You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.

  2. Our inbound and outbound SSO can be used together: incoming SSO for login to Absorb, and outgoing SSO for login to the third-party site. Check out our Incoming SSO options here.