Outgoing SAML 2.0 Single Sign-On

Single Sign-On (SSO) simplifies how Users log into a system. Establishing an SSO process with Absorb gives your Users a single point of entry into your system while providing them access to multiple other independent systems. Outgoing Single Sign-On lets Users open an external site from the Learner Interface without having to log in a second time.

This article covers the Service Provider Initiated SAML 2.0 SSO method for outgoing SSO. In this flow Absorb acts as the Identity Provider (IdP) and the external service acts as the Service Provider (SP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer

Absorb LMS supports Outgoing SAML 2.0 Single Sign-On as a feature; however, we do not officially support any specific client-side solution. Although many Service Providers generally work with our implementation of SAML SSO, it is the client's responsibility to configure, develop and maintain their side of the integration. This requires a client resource who is knowledgeable about and familiar with SSO. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ outgoing SSO.


Setting Up SSO in Absorb

This section outlines how to set up a new SSO connection in the Absorb LMS.

  1. Log in to the Admin Experience as a System Admin, and click on Portal Settings in the Account menu on the right-hand side of the page.
  2. In Portal Settings, click Manage SSO Settings in the right-hand menu. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.

  3. Click the Add button at the bottom of the page.
  4. Enter a Name for the SSO connection. This name is only visible to Admins.

  5. In the Method field, select SAML from the available options.

  6. In the Key field, enter your Service Provider's X.509 signing certificate: the public certificate that matches the private key the Service Provider uses to sign its SAML requests. Absorb uses this certificate to verify the signature on every incoming request, so a different certificate (for example the Service Provider's TLS certificate) will cause all requests to be rejected.
    Paste only the base64 body of the certificate: remove the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines and any spaces or line breaks.

  7. In the ID Property field, select the User Profile field that Absorb should send as the NameID in the SAML assertion. Choose a field that is unique and stable for each Learner: the Service Provider matches its own accounts on this value, so a field that can be edited or reassigned to another person would allow one Learner to be mapped to another Learner's account on the Service Provider side.

  8. The Assertion Consumer Service Url can be left blank, in which case Absorb takes it from the AssertionConsumerServiceURL carried in the (signed) SAML Request. An ACS URL can be hard-coded in this field if recurring issues arise. Hard-coding it is also the stricter setting: assertions are then only ever delivered to the configured endpoint, regardless of what an individual request asks for.

  9. Set the Signature Type to the value your Service Provider expects, that is, to match which part of the SAML Response the Service Provider verifies a signature on.

  10. Include User Data: You can opt to send user data in addition to the NameID by enabling this toggle.
    If OFF: No attributes are included in the response, and there is no AttributeStatement.
    If ON: Absorb adds the following LMS attributes to the SAML Response in the AttributeStatement:
    • FirstName
    • LastName
    • Email
    • UserId
    • Username
    • UserExternalId
    • EmployeeNumber
    • JobTitle
    • DepartmentId
    • DepartmentName
    • ExternalDepartmentId
    • IsAdmin
    These attributes travel inside the signed Response, so the Service Provider should act on them (IsAdmin in particular) only after it has verified Absorb's signature.

  11. Include Custom Fields: You can select any custom User Fields in your Portal to include as additional attributes in the SAML Response.
    Note: This field is only visible if Include User Data is ON.
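The Key field in step 6 is the one setting that cannot be checked by eye: it must be the Service Provider's signing certificate, base64 body only. The following helper, written for this article as an added example (it is not Absorb code, and the certificate it uses is a constructed DER placeholder rather than a real X.509 certificate), normalises a PEM certificate into the value to paste, refuses private keys and non-DER input, and prints the SHA-256 fingerprint so it can be compared with the fingerprint the Service Provider publishes for its signing certificate.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in for an SP certificate so the example runs offline:
# a minimal DER SEQUENCE, not a real X.509 certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_key_field(pem_text: str) -> str:
    """Return the value to paste into the Key field: the base64 body of the
    certificate with the BEGIN/END lines and all whitespace removed.

    Refuses private keys and anything that does not decode to DER, so the
    wrong file (or a corrupted paste) is caught before it reaches the portal.
    """
    if "PRIVATE KEY" in pem_text:
        raise ValueError("this is a private key, not the SP's public certificate")
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        pem_text,
        re.DOTALL,
    )
    body = match.group(1) if match else pem_text
    key_field = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(key_field, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    # Every DER-encoded certificate begins with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not DER (no leading SEQUENCE tag)")
    return key_field


def fingerprint_sha256(key_field: str) -> str:
    """Colon-separated SHA-256 fingerprint of the certificate, in the format
    `openssl x509 -noout -fingerprint -sha256` prints, so the value entered
    in Absorb can be compared with what the SP publishes."""
    digest = hashlib.sha256(base64.b64decode(key_field)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    value = pem_to_key_field(SAMPLE_PEM)
    print("Key field value:", value)
    print("SHA-256 fingerprint:", fingerprint_sha256(value))
```

Run it against the certificate file the Service Provider gave you instead of SAMPLE_PEM; if the printed fingerprint does not match the one shown in the Service Provider's SAML settings, you have the wrong certificate and Absorb will reject every request at step 5 of the process below.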


SSO Process Overview


The diagram below shows the requests and responses between a User, Absorb, and the SAML Service Provider during an SSO request.

[Diagram: requests and responses between the User, Absorb (IdP) and the SAML Service Provider during an outgoing SSO request]


In the following steps, the SSO process is outlined in further detail:

  1. A Learner signs into Absorb by entering their username and password, or via incoming SSO.
  2. The Learner clicks a Dashboard tile or opens a Course Lesson Object in which the outgoing Service Provider Initiated URL is embedded.
    • A Dashboard Tile can be created in the Templates section of the Admin Experience.
    • A Course Lesson Object can be created by any Admin with permission to create or modify Courses:
      Absorb Admin Site > Courses > Courses > Add Online Course > Syllabus > Add Learning Object > Object > Add URL into Source field.
    • More information about Learning Objects can be found in the article here.
  3. Absorb redirects the Learner to the Service Provider Initiated URL.
  4. The Service Provider sends a SAML Request (an AuthnRequest signed with the Service Provider's private key) to the Absorb portal at https://company.myabsorb.com/Account/SamlRequest, via the HTTP Redirect binding or, if enabled, an HTTP POST (see Service Provider Configuration below).
    • A RelayState value can also be included with the request, for cases where special functionality is needed such as launching a course directly.
  5. Absorb verifies the signature on the SAML Request using the X509 certificate configured in the Key field above. If verification fails, an appropriate error message is returned to the Service Provider and no assertion is issued.
  6. Absorb sends a SAML Response signed with Absorb's private key to the Service Provider. The Response carries the Learner's ID Property as the NameID, plus the other user attributes if Include User Data is ON.
  7. The Service Provider verifies the Response signature using Absorb's public certificate (published in Absorb's IdP metadata). Because this is the only thing binding the NameID and attributes to Absorb, a Service Provider that skips this step will accept assertions from anyone.
  8. The Service Provider handles the verified Response appropriately, either by logging the User in or by processing the User's information in some other way as programmed by the Service Provider.
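Steps 4 to 8 are the Service Provider's side of the exchange. The following is an added example (not Absorb code and not any particular Service Provider's code) of the two pieces a Service Provider has to implement: issuing the AuthnRequest with a fresh request ID, and validating the Response that comes back. The SP entity ID and ACS URL are placeholders, the Absorb entity ID is assumed to be the portal URL, and the sample Response is constructed and unsigned; XML signature verification (step 7) needs an XML-DSIG library such as xmlsec and is assumed to have already passed before validate_response runs. What the example adds to the prose is the set of checks that a correctly signed Response must still pass: Destination, InResponseTo, status, validity window and Audience.

```python
import base64
import re
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values: SP identifiers are placeholders; the Absorb host is the
# generic one from the article, with its entity ID assumed to be the portal URL.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
ABSORB_REQUEST_URL = "https://company.myabsorb.com/Account/SamlRequest"
IDP_ENTITY_ID = "https://company.myabsorb.com"


def new_request_id() -> str:
    """SAML IDs must be XML NCNames, so they cannot start with a digit."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """Unsigned AuthnRequest. The SP signs it with its private key (xmlsec or
    similar) before sending; Absorb verifies that signature with the Key field."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="{request_id}" Version="2.0"'
        f' IssueInstant="{issue_instant:%Y-%m-%dT%H:%M:%SZ}"'
        f' Destination="{ABSORB_REQUEST_URL}"'
        f' AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def post_form_fields(signed_request_xml: str, relay_state: str = "") -> dict:
    """Form fields for the HTTP-POST binding (the Redirect binding instead
    DEFLATEs and URL-encodes the request into the query string)."""
    fields = {"SAMLRequest": base64.b64encode(signed_request_xml.encode()).decode()}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC; tolerate fractional seconds.
    clean = re.sub(r"\.\d+", "", value)
    return datetime.strptime(clean, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(response_xml: str, expected_request_id: str, now: datetime) -> dict:
    """Checks to run AFTER the XML signature has been verified against the
    certificate in Absorb's IdP metadata. Without that verification none
    of these checks mean anything."""
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match a request we issued")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        raise ValueError("Assertion Issuer is not our configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window (replay or clock skew)")
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        raise ValueError("Assertion was issued for a different audience")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("Assertion has no NameID")
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {"name_id": name_id.text, "attributes": attributes}


# Constructed, unsigned sample Response shaped like the one described above.
SAMPLE_REQUEST_ID = "_" + "ab" * 16
SAMPLE_NOW = datetime(2024, 1, 1, 12, 2, 0, tzinfo=timezone.utc)
SAMPLE_NOW_EXPIRED = SAMPLE_NOW + timedelta(minutes=10)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{SP_ACS_URL}" InResponseTo="{SAMPLE_REQUEST_ID}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="IsAdmin"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The request ID returned by new_request_id must be stored server-side (keyed to the browser session) so that InResponseTo can be checked on the way back; without that check a captured Response can be replayed until its NotOnOrAfter time passes.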


Service Provider Configuration (Metadata)

The following details are needed to configure a Service Provider correctly:

  • Absorb's IdP Metadata - This includes the entity ID for your Absorb Portal and the URL to which the SAML Request is sent. See the Metadata section below.
  • Absorb's public certificate, used to verify the signature on the SAML Response (the X.509 certificate found in the IdP Metadata).
  • Binding - Absorb supports the HTTP Redirect binding. The HTTP POST binding is only available by enabling an additional toggle that allows session cookies in a third-party context. This option is not recommended because it reduces portal security: a cross-site POST from the Service Provider's domain only carries the Learner's Absorb session cookie if that cookie is allowed in third-party contexts, and relaxing that for the whole portal weakens its protection against cross-site requests. A top-level redirect does not need it.

Absorb's IdP Metadata

Important

You will need to replace the 3 occurrences of "company.myabsorb.com" in the metadata with your LMS URL. These locations are:

  1. The Entity ID at the top.
  2. The Location of the HTTP POST binding at the bottom.
  3. The Location of the HTTP Redirect binding at the bottom.

Please note that Absorb's metadata is not specific to any client portal, which means it contains generic URLs that must be edited before you will be able to use it. The Entity ID in particular must match exactly, because the Service Provider compares it against the Issuer in every SAML Response it receives.
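Editing the three occurrences by hand is error-prone, so here is an added example (not an Absorb tool) that rewrites them in the parsed XML rather than with a text search, refuses to continue unless exactly three were found, and pulls out the values the Service Provider needs: the entity ID, the two SingleSignOnService endpoints and the signing certificate. The sample metadata is a constructed stand-in with the same shape as the generic metadata described above; its entityID format and certificate value are placeholders, not Absorb's real ones.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

GENERIC_HOST = "company.myabsorb.com"

# Constructed stand-in for the generic IdP metadata: entityID plus POST and
# Redirect SingleSignOnService bindings. entityID format and certificate
# value are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://{GENERIC_HOST}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDERCERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{GENERIC_HOST}/Account/SamlRequest"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{GENERIC_HOST}/Account/SamlRequest"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def customize_idp_metadata(xml_text: str, portal_host: str) -> tuple:
    """Replace the generic host in the entityID and in every
    SingleSignOnService Location, insist that exactly the three expected
    occurrences were found, and return (rewritten metadata, summary)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not SAML metadata")
    replaced = 0
    entity_id = root.get("entityID", "")
    if GENERIC_HOST in entity_id:
        entity_id = entity_id.replace(GENERIC_HOST, portal_host)
        root.set("entityID", entity_id)
        replaced += 1
    endpoints = {}
    for sso in root.iter(f"{{{MD}}}SingleSignOnService"):
        location = sso.get("Location", "")
        if GENERIC_HOST in location:
            location = location.replace(GENERIC_HOST, portal_host)
            sso.set("Location", location)
            replaced += 1
        endpoints[sso.get("Binding").rsplit(":", 1)[1]] = location
    if replaced != 3:
        raise ValueError(f"expected 3 occurrences of {GENERIC_HOST}, rewrote {replaced}")
    cert = root.find(f".//{{{DS}}}X509Certificate")
    if cert is None or not cert.text or not cert.text.strip():
        raise ValueError("metadata has no signing certificate")
    summary = {
        "entity_id": entity_id,           # must equal the Issuer in Absorb's Responses
        "endpoints": endpoints,           # keyed "HTTP-POST" / "HTTP-Redirect"
        "signing_cert": cert.text.strip(),  # verifies the Response signature
    }
    return ET.tostring(root, encoding="unicode"), summary


if __name__ == "__main__":
    rewritten, info = customize_idp_metadata(SAMPLE_METADATA, "acme.myabsorb.com")
    print(info)
    print(rewritten)
```

Feed the downloaded Production or Sandbox metadata in place of SAMPLE_METADATA and your own portal hostname in place of "acme.myabsorb.com"; the function raising on a count other than three is the check that you have the unedited generic file and not one already customised for another portal.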


Production Metadata

Download the IdP metadata for the Production environment by clicking here.

Sandbox Metadata

Download the IdP metadata for the Sandbox environment by clicking here.


Appendix

  • If your Service Provider hosts your Courses and you want to send course completions back to Absorb, this can be done using our RESTful API. You can find our RESTful API documentation here. Please note that the RESTful API requires the purchase of a RESTful API license and key.
  • Incoming and outgoing SSO can be used together: incoming SSO for logging in to Absorb, and outgoing SSO for logging in to the third-party site. Find our Incoming SSO documentation here.