Applies to: Pro, Plus, & Enterprise Plans
Absorb Outgoing Single Sign-On (SSO) lets a user who is already signed in to the Absorb Learner Interface open an external site without having to log in a second time.
We support Service Provider-initiated SAML 2.0 SSO for outgoing SSO. Absorb acts as the Identity Provider (IdP) and the external site acts as the Service Provider (SP).
SAML 2.0 is a web-based single sign-on method of authenticating users; it uses XML to exchange user data between an Identity Provider (here, Absorb) and a Service Provider (here, the external site).
Several pieces of information must be exchanged in order to set up SSO. They are described in the following sections of this article.
|Portal URL||The URL where your Absorb LMS is hosted; contact Absorb support if you do not know it. It is usually configured as part of your initial LMS onboarding, e.g. https://companyname.myabsorb.com or https://some.custom.url|
|Key||The X.509 certificate containing the Service Provider's public key. The Service Provider signs each SAML request with the matching private key; Absorb must be configured with this certificate so that it can verify the signature before acting on a request.||Mandatory|
|Id Property (Unique Identifier)||A unique identifier field chosen in the Absorb LMS to be sent as the NameID of the SAML assertion. Absorb can be configured to use the following as the Id Property:
|Service Provider Endpoint URL||Absorb POSTs the SAML Response to the Assertion Consumer Service URL carried in the SAMLRequest. Because that attribute is part of the signed request, it cannot be altered in transit without invalidating the signature.
If the AssertionConsumerServiceURL attribute is missing or incorrect in the client's SAML request, a fixed value for all requests can be configured under Portal Settings (see below).
|Service Provider Initiated URL||We require the Service Provider's SSO-initiation URL to start the flow. SSO can be initiated from two different locations on the Absorb learner site:
The Key, Id Property and (optionally) Assertion Consumer Service URL are configured by contacting Absorb support at firstname.lastname@example.org.
How it Works
- The user logs on to Absorb, either by entering their assigned Username and Password or via an incoming SSO.
- The user clicks the Absorb outgoing SSO Dashboard tile or opens an Absorb SSO course lesson object; each has the outgoing SSO URL (the Service Provider Initiated URL) embedded in it. The Dashboard tile must be created by Absorb Support on request. The course lesson object can be created by any client admin with permission to create or modify courses:
Absorb Admin Site > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field
- Absorb redirects the user to the Service Provider Initiated URL.
- The Service Provider sends an HTTP POST containing a signed SAML Request (signed with the Service Provider's private key) to Absorb's SAML request endpoint, the SingleSignOnService Location published in the IdP metadata below:
https://company.myabsorb.com/account/samlrequest (where company.myabsorb.com is the client's Portal URL)
A RelayState parameter can also be included in the POST, for cases where Absorb-specific behaviour is needed, for example launching a course directly. RelayState travels alongside the request and is not covered by its signature, so neither side should act on it without validating it.
- On receiving the SAML Request, Absorb verifies its signature with the public key configured in Portal Settings (see the Setup section above).
If verification fails, an appropriate error message is returned to the requester (in this case the Service Provider).
If it succeeds, Absorb proceeds to issue the SAML Response (next step).
- Absorb sends a signed SAML Response (signed with Absorb's private key) to the Service Provider. The Response carries the user's Id Property as the NameID, plus the user attributes listed under Service Provider Configuration below.
- The Service Provider verifies the Response signature with Absorb's public key (see Service Provider Configuration below).
- If verification succeeds, the user is logged in to the Service Provider's site.
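The Service Provider side of the exchange above, as an added example (not Absorb's code or a library Absorb ships): it builds the SP-initiated AuthnRequest for the HTTP-POST binding, with the AssertionConsumerServiceURL that Absorb will POST back to and an optional RelayState, and then performs the checks a Service Provider must make on the Response once its XML signature has been verified against the certificate from Absorb's metadata: InResponseTo ties the Response to a request this SP issued, Destination and Recipient must be the SP's own ACS URL, the assertion must be within its validity window and addressed to this SP's entity ID, and exactly one assertion is accepted. The entity IDs and URLs are assumptions (companyname.myabsorb.com follows the Portal URL pattern, /account/samlrequest the metadata's SingleSignOnService path); the SAML Response is a constructed sample in the shape the page describes, with made-up attribute values. Signing the request and verifying the Response signature are left to an XML-DSig library (for example xmlsec), which is not shown here.

```python
"""Service Provider side of Absorb outgoing SSO (SP-initiated SAML 2.0, HTTP-POST
binding): build the AuthnRequest Absorb receives, then validate the Response Absorb
returns. Added example, not Absorb code; the SP/IdP identifiers are assumptions."""
import base64
import secrets
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree on untrusted input
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/saml"            # assumed SP entity ID
SP_ACS_URL = "https://sp.example.com/saml/acs"          # assumed SP ACS endpoint
IDP_ENTITY_ID = "https://companyname.myabsorb.com"      # assumed Absorb Portal URL
IDP_SSO_URL = IDP_ENTITY_ID + "/account/samlrequest"   # path taken from the IdP metadata

class SamlResponseError(Exception):
    pass

def require(condition, message):
    if not condition:
        raise SamlResponseError(message)

def build_authn_request(relay_state=None):
    """Return (request_id, form_fields). Keep request_id: the Response must cite it in
    InResponseTo. Absorb POSTs its Response to AssertionConsumerServiceURL, so that must
    be the SP's real ACS endpoint. The XML must still be signed with the SP private key
    (XML-DSig) before being posted to Absorb."""
    request_id = "_" + secrets.token_hex(16)
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issued}" Destination="{IDP_SSO_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    form = {"SAMLRequest": base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:  # RelayState rides alongside the request, outside its signature
        form["RelayState"] = relay_state
    return request_id, form

def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(saml_response_b64, expected_request_id, now, skew=timedelta(minutes=2)):
    """Checks to run AFTER an XML-DSig library has verified the Response/Assertion signature
    with the certificate from Absorb's IdP metadata. Returns the NameID and attributes."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    require(root.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    require(code is not None and code.get("Value") == SUCCESS, "IdP reported failure")
    require(root.get("InResponseTo") == expected_request_id, "InResponseTo is not a request we issued")
    require(root.get("Destination") == SP_ACS_URL, "Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    require(len(assertions) == 1, "expected exactly one Assertion")  # no smuggled extras
    a = assertions[0]
    require(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    require(cond is not None, "missing Conditions")
    require(parse_saml_time(cond.get("NotBefore")) - skew <= now
            < parse_saml_time(cond.get("NotOnOrAfter")) + skew, "assertion outside validity window")
    require(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
            "assertion not intended for this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    require(scd is not None and scd.get("Recipient") == SP_ACS_URL
            and scd.get("InResponseTo") == expected_request_id, "SubjectConfirmationData mismatch")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    require(bool(name_id), "missing NameID")
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id, "attributes": attrs}

# Constructed Response of the shape the page describes (transient NameID plus Absorb's
# DepartmentId / ExternalDepartmentId / IsAdmin attributes); all values are made up.
SAMPLE_REQUEST_ID = "_" + "0" * 32
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_resp1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z"
    Destination="{SP_ACS_URL}" InResponseTo="{SAMPLE_REQUEST_ID}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-06-01T12:05:00Z"
            Recipient="{SP_ACS_URL}" InResponseTo="{SAMPLE_REQUEST_ID}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="DepartmentId"><saml:AttributeValue>3f9c1d2e</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="ExternalDepartmentId"><saml:AttributeValue>SALES-EU</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="IsAdmin"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()
```

The order matters: verify the signature first, then run these checks, then create or look up the user from the NameID and attributes. Store each issued request ID until its Response arrives (or it expires) so a captured Response cannot be replayed against a later login, and keep the clock-skew allowance small; the two-minute default here is an assumption, not an Absorb value.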
Service Provider Configuration
We will provide the following details for configuration on your end:
- IdP Metadata – includes the entity ID of your Absorb portal and the URL to which the SAML Request is POSTed. See the Metadata section below.
- Public key for verifying the SAML Response (the X.509 certificate found in the IdP Metadata mentioned above).
- The Id Property is passed as the NameID in the SAMLResponse.
- We also send the following attributes in the SAML Response; they can be used on your end to create a user profile if one does not yet exist:
• DepartmentId – Absorb ID for User’s Department
• ExternalDepartmentId – Department’s External ID
• IsAdmin – Whether the user is an administrator.
- Binding – We support the HTTP POST binding (the IdP metadata below also lists an HTTP-Redirect endpoint).
Metadata lets the Service Provider obtain Absorb's entity ID, endpoint URLs and signing certificate from a single document, so the trust relationship is configured from a known source rather than typed in by hand.
Absorb’s IdP Metadata (subdomain.myabsorb.com stands for your Portal URL; take the certificate from the metadata issued for your own portal, not from this page)
<?xml version="1.0" encoding="UTF-8" ?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://subdomain.myabsorb.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIIDjjCCAnYCCQCa+e+SzqyqUTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC
Q0ExEDAOBgNVBAgMB0FsYmVydGExEDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoM
GUJsYXRhbnQgTWVkaWEgQ29ycG9yYXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMx
HDAaBgNVBAMME0Fic29yYiBMTVMgU0FNTCBTU08wHhcNMTQxMTAzMjEyNzQwWhcN
MjQxMDMxMjEyNzQwWjCBiDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB0FsYmVydGEx
EDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoMGUJsYXRhbnQgTWVkaWEgQ29ycG9y
YXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMxHDAaBgNVBAMME0Fic29yYiBMTVMg
U0FNTCBTU08wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDICYSrMPKo
1Wn6Owqst6JN+klfyWigtfOfjNtkqFj065840+SYYPUw3PTdyanSYZJ8PYl8JRfg
MmfBTxyVoFJU4rCvhVei/gkHwovngX+cAzYo+cBABm1dG9oBky0wi8qUjoauByWQ
74npjtmwAfhv1/r5rRv7LdpkTxpZ5Llz772uHFOobvC4hRt13Z7hKkhiuQ7ZE5/I
BbjXjgMYFDgMg9iMZ0qsKlDPK+sSi+DAJRtvZhscCDBFeThf64YM92TIAUgG3MPQ
s7BvzI/rWea4UC5TfRekA7F/hmaXqh/Vy2LWPKXzFKZ4tjCP6u+Q/rycxsx9dlGY
2LMM6pWtzyEHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACXgA3cIpNZ9jlHH+vU/
6+2h5y/ps72fdULbbX5EPhcyHugyn7gFz7LQgq5PE8Ufbh7rggegAuB0VaMC1gYv
fr2xsusQi+XekWD1wEiwYl8WavTbvildUweBTMHgKWAqsbvDdYyUgcgk6NG2myrn
VrGtz+1fh4TqswnkoA9c0XOYnXvOB/mG79GrnPgPoLTl/21pr1ewJ4NBY3/BJAnY
tATZbmP5zPvZs6oSt0Ds652oN+eA1CfU1Ys+n0vZI1f9IkMfClcY1X78/9AtRxIU
KXhmt5gN2lKQsyr8QKgzwQmtuXVt2Qz10GzsJRFX5Ly2Ocqu8bQ2AY+G5rlnCY1t
W4Q=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://subdomain.myabsorb.com/account/samlrequest"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://subdomain.myabsorb.com/account/samlrequest"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
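Before configuring trust from metadata like the above, a Service Provider should read out exactly what it is trusting: the entity ID, the SSO endpoint for the HTTP-POST binding, and the signing certificate's fingerprint and validity window. The following is an added example (not Absorb's code) that does this with the Python standard library only, walking the certificate's DER encoding far enough to reach its Validity field rather than depending on a third-party X.509 parser. The metadata string embedded in it is the sample reproduced on this page; run against it, the code shows that the sample certificate's validity window runs from 3 November 2014 to 31 October 2024, which is precisely the kind of fact to check against the metadata issued for your own portal.

```python
"""Consume Absorb's IdP metadata: extract the entity ID, the HTTP-POST SSO endpoint and
the signing certificate, then read the certificate's validity window and fingerprint so
an expired or unexpected certificate is noticed before trust is configured.
Added example, not Absorb code. SAMPLE_METADATA is the sample metadata from this page."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def der_tlv(buf, off):
    """Read one DER tag-length-value starting at buf[off]; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def cert_validity(der):
    """Walk Certificate > tbsCertificate to the Validity SEQUENCE; return (notBefore, notAfter)."""
    _, cert, _ = der_tlv(der, 0)        # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)        # tbsCertificate SEQUENCE
    tag, _, off = der_tlv(tbs, 0)       # [0] version is optional (absent in v1 certs)
    if tag == 0xA0:
        _, _, off = der_tlv(tbs, off)   # serialNumber follows an explicit version
    _, _, off = der_tlv(tbs, off)       # signature AlgorithmIdentifier
    _, _, off = der_tlv(tbs, off)       # issuer Name
    _, validity, _ = der_tlv(tbs, off)  # Validity SEQUENCE { notBefore, notAfter }
    times, off = [], 0
    for _ in range(2):
        tag, val, off = der_tlv(validity, off)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
        times.append(datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return tuple(times)

def load_idp_metadata(xml_text):
    """Pull the entity ID, HTTP-POST SSO endpoint and signing certificate out of IdP metadata."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    post = [e.get("Location") for e in root.iterfind(".//md:SingleSignOnService", MD)
            if e.get("Binding") == HTTP_POST]
    cert_b64 = root.findtext(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", namespaces=MD)
    der = base64.b64decode("".join(cert_b64.split()))  # drop the PEM-style line wrapping
    not_before, not_after = cert_validity(der)
    return {"entity_id": root.get("entityID"), "sso_post_url": post[0],
            "sha256": hashlib.sha256(der).hexdigest(),  # pin this; compare on every renewal
            "not_before": not_before, "not_after": not_after}

def check_metadata(xml_text, now):
    """Metadata facts plus whether the signing certificate is inside its validity window now."""
    info = load_idp_metadata(xml_text)
    info["certificate_valid_now"] = info["not_before"] <= now < info["not_after"]
    return info

SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8" ?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://subdomain.myabsorb.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIIDjjCCAnYCCQCa+e+SzqyqUTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC
Q0ExEDAOBgNVBAgMB0FsYmVydGExEDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoM
GUJsYXRhbnQgTWVkaWEgQ29ycG9yYXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMx
HDAaBgNVBAMME0Fic29yYiBMTVMgU0FNTCBTU08wHhcNMTQxMTAzMjEyNzQwWhcN
MjQxMDMxMjEyNzQwWjCBiDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB0FsYmVydGEx
EDAOBgNVBAcMB0NhbGdhcnkxIjAgBgNVBAoMGUJsYXRhbnQgTWVkaWEgQ29ycG9y
YXRpb24xEzARBgNVBAsMCkFic29yYiBMTVMxHDAaBgNVBAMME0Fic29yYiBMTVMg
U0FNTCBTU08wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDICYSrMPKo
1Wn6Owqst6JN+klfyWigtfOfjNtkqFj065840+SYYPUw3PTdyanSYZJ8PYl8JRfg
MmfBTxyVoFJU4rCvhVei/gkHwovngX+cAzYo+cBABm1dG9oBky0wi8qUjoauByWQ
74npjtmwAfhv1/r5rRv7LdpkTxpZ5Llz772uHFOobvC4hRt13Z7hKkhiuQ7ZE5/I
BbjXjgMYFDgMg9iMZ0qsKlDPK+sSi+DAJRtvZhscCDBFeThf64YM92TIAUgG3MPQ
s7BvzI/rWea4UC5TfRekA7F/hmaXqh/Vy2LWPKXzFKZ4tjCP6u+Q/rycxsx9dlGY
2LMM6pWtzyEHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACXgA3cIpNZ9jlHH+vU/
6+2h5y/ps72fdULbbX5EPhcyHugyn7gFz7LQgq5PE8Ufbh7rggegAuB0VaMC1gYv
fr2xsusQi+XekWD1wEiwYl8WavTbvildUweBTMHgKWAqsbvDdYyUgcgk6NG2myrn
VrGtz+1fh4TqswnkoA9c0XOYnXvOB/mG79GrnPgPoLTl/21pr1ewJ4NBY3/BJAnY
tATZbmP5zPvZs6oSt0Ds652oN+eA1CfU1Ys+n0vZI1f9IkMfClcY1X78/9AtRxIU
KXhmt5gN2lKQsyr8QKgzwQmtuXVt2Qz10GzsJRFX5Ly2Ocqu8bQ2AY+G5rlnCY1t
W4Q=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://subdomain.myabsorb.com/account/samlrequest"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
```

Record the SHA-256 fingerprint alongside the endpoint in your SP configuration and alert when a freshly fetched metadata document carries a different certificate or one that is about to expire; the metadata endpoint for your own portal, not this page, is the source the fingerprint should come from.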
- If your service provider hosts your courses and you want to send course completions back to Absorb, this can be done using our RESTful API.
You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.
- Our incoming and outgoing SSO can be used together: incoming SSO to log in to Absorb, and outgoing SSO to log in to the third-party site. See our Incoming SSO options here.