Outgoing SAML 2.0 Single Sign-On


Introduction

Absorb Outgoing Single Sign-On (SSO) enables users to log into an external site from the Absorb Learner Interface without needing to log in a second time.

We support the Service Provider Initiated SAML 2.0 SSO method for outgoing SSO. Absorb acts as the Identity Provider and the external site acts as the Service Provider.

SAML 2.0 is a web-based single sign-on (SSO) method of authenticating users; it uses the XML standard for exchanging user data between an Identity Provider (here, Absorb) and a Service Provider (here, the external site).

Several pieces of information need to be exchanged in order to set up SSO; they are described in the following sections of this article.
 


Setup

SSO settings can be managed in Portal Settings by clicking the Manage SSO Settings button.

[Screenshot: manage-sso.png]

Once the Manage Single Sign-On Settings page has loaded, you will be presented with all existing SSO setups, as well as the option to add additional instances. This allows Admins to designate multiple outgoing SSO configurations as needed. When adding or managing existing SSO settings, you will be presented with the options explained below:

Each variable is listed with its description and whether it is Mandatory or Optional.

Name (Optional)
  The name is an optional field for Admins to customize what individual SSO setups are called. If no name is entered, it defaults to the Mode used.

Method (Mandatory)
  Admins can choose between three Method types, which determine what other fields are required for setup. The options available are:
  • Absorb
  • SAML
  • LDAPS

Portal URL (Mandatory)
  This is the URL where your Absorb LMS is hosted; please contact us if you do not know it. This URL is usually configured as part of your initial LMS onboarding, e.g. https://companyname.myabsorb.com or https://some.custom.url.

Key (Mandatory)
  The key is the x509 public certificate corresponding to the private key that signs your SAML requests. You must configure Absorb with your public key so that Absorb can verify your signed SAML requests.

Mode (Mandatory)
  If the SAML option has been selected for the SSO method, there are three options available from the Mode drop-down menu:
  • Identity Provider Initiated
  • Service Provider Initiated
  • Service Provider Initiated Outbound

Id Property (Unique Identifier) (Mandatory)
  A unique identifier field chosen in the Absorb LMS to be used as the identifying NameID in the SAML assertion. Absorb can be configured to use any of the following as the Id Property:
  • UserId (Absorb)
  • Username
  • Email Address
  • External Id
  • Employee Number

Login URL (Mandatory)
  The login URL is the web address that your users must sign in through in order to be properly authenticated.

Logout URL (Optional)
  The URL entered here is where users will be forwarded upon successful logout of the LMS. If left blank, the URL will default to the Absorb login page.

Automatically Redirect (Optional)
  When enabled, this toggle redirects users who attempt to access Absorb unauthenticated to the Login URL. When not enabled, such users land on the login page or another public-facing page.

Assigned Routes (Mandatory)
  This field lists the URLs available for your portal, as set up by request through Absorb Support or your Client Success Manager. The URL chosen here determines where users are directed when authenticated for this SSO setup.

LDAPS Server URL (Mandatory)
  The LDAPS Server URL is the web address that your users must sign in through in order to be properly authenticated.

LDAPS Server Custom Port (Optional)
  Admins can set the port number if needed; otherwise the default of 636 is used. Admins should not change the port unless their LDAPS server listens on a different one.

Signature Type (Mandatory)
  This field allows Admins to designate the hashing algorithm used to sign outgoing SSO messages. The following signature types are currently supported:
  • SHA-256
  • SHA-384
  • SHA-512

Include User Data (Optional)
  Admins can opt to send user data in addition to the SAML request by enabling this toggle. Either the standard subset of user field data is sent, or user data is disabled altogether.

Include Custom Fields (Optional)
  Custom Field data can be sent alongside the default field set, provided the Include User Data toggle is enabled. This field allows Admins to choose which of their existing Custom Fields to include.

Assertion Consumer Service URL (Optional)
  This field should be left blank unless your portal's SAML request's AssertionConsumerServiceUrl property is missing or incorrect.

Service Provider Endpoint URL (Mandatory)
  Absorb uses the Assertion Consumer Service URL from the SAMLRequest to POST the SAML Response. If the client's SAML request's AssertionConsumerServiceUrl property is missing or incorrect, this value can be defined for all requests by configuring it under Portal Settings (see below).

Service Provider Initiated URL (Mandatory)
  We require the Service Provider URL to initiate SSO. We can initiate the SSO from two different locations on the Absorb learner site:
  • Dashboard Tile
  • Course Lesson – If the SP site hosts courses, you can send us different URLs to point to different courses on your site.
 
Admins can fill out these fields on their own; however, a request will need to be made to Absorb Support or a Client Success Manager to create a new route when necessary. Once all details appear correct, click the save icon at the top right to retain the changes.

[Screenshot: new_SSO_Layout.png]

 

How it Works

  1. User logs on to Absorb. User signs into Absorb by entering their assigned Username & Password or by an incoming SSO.

  2. User clicks on the Absorb outgoing SSO Dashboard tile OR navigates to an Absorb SSO course lesson object, each of which has the outgoing SSO URL (Service Provider Initiated URL) embedded in it. The dashboard tile must be requested from Absorb Support. The course lesson object can be created by any client admin user with permission to create/modify courses:

    Absorb Admin Site > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field 

  3. Absorb redirects user to Service Provider Initiated URL.

  4. Service provider sends an HTTP POST message with a signed SAML Request (signed with the Service Provider's private key) to Absorb at the following URL:

    https://company.myabsorb.com/Account/SamlRequest 
    (where company.myabsorb.com = Client's Portal URL)

    A RelayState parameter can also be added to the POST message (for when Absorb special functionality is needed, e.g. launching a course directly).

  5. Once the SAML Request is received, Absorb verifies its signature using the public key (Key) configured in Portal Settings (see the Setup section).

    If the verification fails, an appropriate error message is sent back to the requester (in this case the Service Provider).

    If successful go to step 6. 

  6. Absorb sends a signed SAML Response (signed with Absorb's private key) to the Service Provider. The SAML Response contains the Id Property of the user being authenticated as the NameID property, plus the other user attributes mentioned above.

  7. The service provider will use Absorb's public key (see Service Provider Configuration below) to verify the response. 

  8. If successful the user will be logged into the Service Provider’s site.
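The checks the Service Provider should run on the SAML Response from steps 6 to 8 before trusting its NameID, as an added example that is not Absorb's code. The sample Response, the SP entity ID and the ACS URL on sp.example.com are constructed; the XML-DSig signature check is delegated to a caller-supplied function because it needs an XML-DSig library, so the sample omits the ds:Signature element.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample of the Response Absorb POSTs in step 6 (ds:Signature omitted; hostnames hypothetical).
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
 <saml:Issuer>https://company.myabsorb.com/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://company.myabsorb.com/</saml:Issuer><saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="IsAdmin"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""")
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # "current time" used with the sample

def _ts(v):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_b64, idp_entity_id, acs_url, sp_entity_id, verify_signature, now):
    """Return (NameID, attributes) or raise ValueError naming the first failed check."""
    root = ET.fromstring(base64.b64decode(xml_b64))
    if not verify_signature(root):          # XML-DSig against the certificate in Absorb's IdP metadata
        raise ValueError("signature")
    if root.get("Destination") != acs_url:  # response was addressed to some other ACS URL
        raise ValueError("Destination")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:                # never just take "the first" of several
        raise ValueError("Assertion count")
    a = assertions[0]
    if any(el.findtext("saml:Issuer", namespaces=NS) != idp_entity_id for el in (root, a)):
        raise ValueError("Issuer")          # must equal the entityID from the IdP metadata
    cond, skew = a.find("saml:Conditions", NS), timedelta(minutes=3)
    if cond is None or now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("Conditions")      # expired, not yet valid, or no validity window at all
    if sp_entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Audience")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("NameID")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs
```

In production, verify_signature must check the enveloped XML-DSig with the certificate from the IdP metadata before any other field is read, and the SP should additionally match the assertion's InResponseTo against the request ID it issued in step 4.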


Service Provider Configuration

We will provide the following details for configuration on your end:

  1. IdP Metadata – This includes the entity ID for your Absorb portal and the URL to which the SAML Request is POSTed. See the Metadata section below.
  2. Public key to verify the SAML Response (the x509 public certificate found in the IdP Metadata mentioned above).
  3. The Id Property, which is passed as the NameID in the SAMLResponse.
  4. We also send the below Attributes in the SAML Response that can be used on your end to create a new user profile if it doesn't exist:
    • FirstName
    • LastName
    • Email
    • UserId
    • Username
    • UserExternalId
    • EmployeeNumber
    • JobTitle
    • DepartmentId – Absorb ID for User’s Department
    • DepartmentName
    • ExternalDepartmentId – Department’s External ID
    • IsAdmin – If user is an administrator.
    • User Data – When the "Include User Data" toggle is enabled, a standard subset of user data can be sent. Admins can also include Custom Fields alongside the standard subset as needed.
  5. Binding – We support the HTTP POST binding.


Metadata

Metadata is exchanged so that the identity provider and service provider can establish a secure transaction; Absorb's IdP metadata carries its entity ID, its signing certificate and its single sign-on endpoints.

Absorb’s IdP Metadata

<?xml version="1.0" encoding="UTF-8" ?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://subdomain.myabsorb.com/">
	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate>
MIID6zCCAtOgAwIBAgIJAPWWr9yo9lmBMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHQWxiZXJ0YTEQMA4GA1UEBwwHQ2FsZ2FyeTEdMBsGA1UECgwUQWJzb3JiIFNvZnR3YXJlIEluYy4xEzARBgNVBAsMCkFic29yYiBMTVMxJDAiBgNVBAMMG0Fic29yYiBMTVMgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xNzA3MjAxNzE3MDFaFw0yMDA3MTkxNzE3MDFaMIGLMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHQWxiZXJ0YTEQMA4GA1UEBwwHQ2FsZ2FyeTEdMBsGA1UECgwUQWJzb3JiIFNvZnR3YXJlIEluYy4xEzARBgNVBAsMCkFic29yYiBMTVMxJDAiBgNVBAMMG0Fic29yYiBMTVMgU0FNTCBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM/5udlYOcVjCu2gPpG39a1m0hQGVPUGZ/GQIlofGJHXjACvu/hjrqQU5z3H1Zl/QQ7zQu6MuM2XQEZr+Hp8mpxOEn079xJ0InTknebizm9hKcbYfWqpqEoDulGJavSPNdyjGxdLrFkrJYq3lUpne0SjQwy4UIkrIfPbuDDlUesWBDHNzSwhm15TquBblN/o0syn1M4NyF32o1PfNeaC6i9GLqiZRnt2ULyYTk7W5x6MHV94b7mcEM3rNEO9x2WPZ09EK8KgIVMDoiZOq3l3p0glJ8uK0ZYrWRH3hXoM1LLNQovYlndOQNmva/UDMvqH9EF6M54+J//1s/GUuJThruECAwEAAaNQME4wHQYDVR0OBBYEFNdyoG8noim9iX2IYEWMw3E75F5gMB8GA1UdIwQYMBaAFNdyoG8noim9iX2IYEWMw3E75F5gMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADanrQs/8IiM7gI/9bxNO17MxjUEHAtVcAjOQ+a0tF9F3F5+cXNn6WmNo865ThOIDH9aJhR9Y7DaElcOAK1Zc90Ary2L52EmNPPuCYzRU8wheY5dwG1ZWaqg7XtytNmKyb3/dDON4IRWIHpJCIfe7F8X4usYN9U3M03eHb7v5n1rgTre2Wp++hq1NxpXFv48fc9+/nwYg+DofvW+73xyjRqBVmtQygZ9LfRgJ92dygrhLUa1RSfmtZFRSK1IdbSFBBVWu78cwoSR/VjQ3dIPec6siY4zDCpl7x2Tz9BuLD0q338SoIr9E2okvjDUAg4qFXSKt9jJ8t+cV2ylfp9CeG0=
					</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>
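A parser for the IdP metadata above, as an added example that is not Absorb's code: it pulls out the entityID, the HTTP-POST SingleSignOnService endpoint and the signing certificate(s), fingerprints each certificate for pinning, and checks that the endpoint is https on the portal host named by the entityID. The sample metadata is constructed in the shape shown above with a placeholder blob in place of a real certificate.

```python
import base64, hashlib
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Absorb's IdP metadata; the certificate is a placeholder blob, not a real X.509 cert.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://subdomain.myabsorb.com/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
   <ds:X509Certificate>
     {base64.b64encode(b'placeholder-not-a-real-certificate').decode()}
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the entityID, HTTP-POST SSO endpoint and signing certificate(s) an SP needs, or raise ValueError."""
    root = ET.fromstring(xml_text)
    entity_id, idp = root.get("entityID"), root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("not an IdP EntityDescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no use= attribute means the key serves any purpose
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()), validate=True)  # strip the wrapping whitespace first
            certs.append({"der": der, "sha256": hashlib.sha256(der).hexdigest()})  # fingerprint to pin or compare
    if not certs:
        raise ValueError("no signing certificate in metadata")
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso = endpoints.get(HTTP_POST)               # the binding the article says Absorb supports
    if sso is None:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    if urlparse(sso).scheme != "https" or urlparse(sso).netloc != urlparse(entity_id).netloc:
        raise ValueError("SSO endpoint is not https on the portal host named by entityID")
    return {"entity_id": entity_id, "sso_post_url": sso, "signing_certs": certs}
```

Compare the sha256 fingerprint against the one Absorb gave you out of band before trusting metadata fetched over the network, and re-run the check when the certificate is rotated.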


Appendix

  1. If your service provider hosts your courses and you want to send course completions back to Absorb, this can be done using our RESTful API.

    You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.

  2. Our inbound and outbound SSO can be used together: inbound SSO for login to Absorb, and outgoing SSO for login to a third-party site. Check out our Incoming SSO options here.