Outgoing SAML 2.0 Single Sign-On

Follow

Introduction

The main purpose of establishing a Single Sign-On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords. Outgoing Single Sign-On enables users to log into an external site from the Absorb Learner Interface without the need to log in a second time.

This article discusses the Service Provider Initiated SAML 2.0 SSO method for outgoing SSO. Absorb acts as Identity Provider and the external service acts as Service Provider.

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Outgoing SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side solution. Although many service providers generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with SSO. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ outgoing SSO.

Table of Contents


Instructions: Absorb Setup 

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab"

Step Action Image 
1. Login to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature. OUTGOING_SSO_ABSORB_01.png
2. Click Add at the bottom of the page.  
3. Name the connection something descriptive. This name is only visible to admins.  OUTGOING_SSO_ABSORB_03.png
4.  Method: SAML  OUTGOING_SSO_ABSORB_04.png
5. Key: Your service provider's X509Certificate public key.
If your certificate has spaces, line breaks, or "BEGIN/END", please remove those.
 OUTGOING_SSO_ABSORB_02.png
6. Set the Id Property to the Absorb user profile field that Absorb should send as the NameID in the SAML assertion. This should be a unique identifier for learners.  OUTGOING_SSO_ABSORB_06.png
7.  The Assertion Consumer Service Url can be left blank as it should be provided to Absorb via the SAML Request. However if you are experiencing issues, you can hard code an ACS URL here.  OUTGOING_SSO_ABSORB_07.png
8.  Set the Signature Type to the value that your service/website is expecting.  OUTGOING_SSO_ABSORB_08.png
9.  Include User Data: You can opt to send user data in addition to the SAML Response by enabling this toggle.
 
If OFF: No attributes will be included in the response, and there will be no AttributeStatement.
 
If ON: Absorb will append the following LMS attributes to the SAML Response in the AttributeStatement:
  • FirstName
  • LastName
  • Email
  • UserId
  • Username
  • UserExternalId
  • EmployeeNumber
  • JobTitle
  • DepartmentId
  • DepartmentName
  • ExternalDepartmentId
  • IsAdmin
 OUTGOING_SSO_ABSORB_09.png
10.  Include Custom Fields: You can select to include any custom user fields in your portal as part of the attributes returned in the SAML Response.
Note: This field is only visible if Include User Data is on.
 OUTGOING_SSO_ABSORB_10.png

 

How it Works 

Note: To enlarge thumbnail images, right-click on picture and select "Open image in new tab

Learner signs into Absorb by entering their username & password or via incoming SSO.

OUTGOING_SSO_ABSORB_11.png

 

  1. Learner signs into Absorb by entering their username & password or via incoming SSO.
  2. Learner clicks on a dashboard tile or navigates to a course lesson object that has the outgoing service provider initiated URL embedded in them.
    • A dashboard tile can be created in the Templates section of the admin interface.
    • A course object lesson can be created by any admin with permission to create/modify courses: 
      Absorb Admin Site > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field
  3. Absorb redirects the learner to Service Provider Initiated URL.
  4. Service provider sends a HTTP POST message with a signed SAML Request (signed with the Service Provider's private key) to the Absorb portal at the following URL: https://company.myabsorb.com/Account/SamlRequest
    • A relayState variable can also be added in the POST message (for when special functionality is needed such as launching a course directly)
  5. Absorb authenticates the SAML request using the X509Certificate public key configured above. If the authentication fails, an appropriate error message is sent back to the service provider. 
  6. Absorb sends a signed SAML Response (signed with Absorb's private key) to Service Provider. The SAML Response contains the learner's Id Property as the NameId property, and other user attributes if Include User Data is on.
  7. Service provider uses Absorb's public key to verify the response. 
  8. Service provider handles the response appropriately (either by logging the user in, or handling the user's information another way as programmed by the service provider)

 

Service Provider Configuration (Metadata)

The following details may be relevant for proper configuration of a service provider:

  • Absorb's IdP Metadata - This includes entity ID for your Absorb portal, and URL to POST SAML Request. See Metadata section below.
  • Absorb's Public key to authenticate SAML Response (x509 public certificate found in the IdP Metadata).
  • Binding - Absorb supports HTTP POST binding.

Absorb's IdP Metadata

Important: You will need to replace the 3 occurrences of "company.myabsorb.com" in the metadata with your portal's URL.

<?xml version="1.0" encoding="UTF-8" ?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://company.myabsorb.com/">
	<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Data>
					<ds:X509Certificate>
MIID6zCCAtOgAwIBAgIJAPWWr9yo9lmBMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHQWxiZXJ0YTEQMA4GA1UEBwwHQ2FsZ2FyeTEdMBsGA1UECgwUQWJzb3JiIFNvZnR3YXJlIEluYy4xEzARBgNVBAsMCkFic29yYiBMTVMxJDAiBgNVBAMMG0Fic29yYiBMTVMgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xNzA3MjAxNzE3MDFaFw0yMDA3MTkxNzE3MDFaMIGLMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHQWxiZXJ0YTEQMA4GA1UEBwwHQ2FsZ2FyeTEdMBsGA1UECgwUQWJzb3JiIFNvZnR3YXJlIEluYy4xEzARBgNVBAsMCkFic29yYiBMTVMxJDAiBgNVBAMMG0Fic29yYiBMTVMgU0FNTCBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM/5udlYOcVjCu2gPpG39a1m0hQGVPUGZ/GQIlofGJHXjACvu/hjrqQU5z3H1Zl/QQ7zQu6MuM2XQEZr+Hp8mpxOEn079xJ0InTknebizm9hKcbYfWqpqEoDulGJavSPNdyjGxdLrFkrJYq3lUpne0SjQwy4UIkrIfPbuDDlUesWBDHNzSwhm15TquBblN/o0syn1M4NyF32o1PfNeaC6i9GLqiZRnt2ULyYTk7W5x6MHV94b7mcEM3rNEO9x2WPZ09EK8KgIVMDoiZOq3l3p0glJ8uK0ZYrWRH3hXoM1LLNQovYlndOQNmva/UDMvqH9EF6M54+J//1s/GUuJThruECAwEAAaNQME4wHQYDVR0OBBYEFNdyoG8noim9iX2IYEWMw3E75F5gMB8GA1UdIwQYMBaAFNdyoG8noim9iX2IYEWMw3E75F5gMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADanrQs/8IiM7gI/9bxNO17MxjUEHAtVcAjOQ+a0tF9F3F5+cXNn6WmNo865ThOIDH9aJhR9Y7DaElcOAK1Zc90Ary2L52EmNPPuCYzRU8wheY5dwG1ZWaqg7XtytNmKyb3/dDON4IRWIHpJCIfe7F8X4usYN9U3M03eHb7v5n1rgTre2Wp++hq1NxpXFv48fc9+/nwYg+DofvW+73xyjRqBVmtQygZ9LfRgJ92dygrhLUa1RSfmtZFRSK1IdbSFBBVWu78cwoSR/VjQ3dIPec6siY4zDCpl7x2Tz9BuLD0q338SoIr9E2okvjDUAg4qFXSKt9jJ8t+cV2ylfp9CeG0=
					</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://company.myabsorb.com/account/samlrequest"/>
		<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://company.myabsorb.com/account/samlrequest"/>
	</md:IDPSSODescriptor>
</md:EntityDescriptor>

 

Appendix

  • If your service provider hosts your courses and you want to send course completions back to Absorb, this can be done using our RESTful API. You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.
  • Inbound and outbound SSO can be used together. Inbound for SSO login to Absorb, and outgoing SSO for login to third party site. Find our Incoming SSO documentation here.

 

Published on
Have more questions? Submit a request

0 Comments

Article is closed for comments.