Incoming SAML 2.0 Single Sign-On using Azure AD

The main purpose of establishing a Single Sign-On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process, a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses Incoming SAML 2.0 SSO for clients using Azure AD and presents a somewhat abridged and focused version of our full Incoming SAML 2.0 Single Sign-On article. For the purposes of this article, the Absorb system will act as the Service provider (SP). Your Azure system will act as the Identity Provider (IdP).


Note: SSO is an additional feature that usually involves an additional fee and technical resources on the client-side to develop and/or configure the solution.

Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Azure AD is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your Azure AD environment. This guide is provided to our clients as a convenience only, based on our experience working with clients who employ Azure AD.

 

Absorb Setup

This section will walk you through how you would configure your Absorb LMS. Once the Azure AD is set up in your company account, a System Admin will need to log into the LMS and complete the setup.

From Portal Settings, there is a button in the right-side context menu labeled Manage SSO Settings. If you cannot see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.

2021-07-22_17-49-47.gif

Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one. 

Each route (Portal URL, e.g. company.myabsorb.com) can have its own set of SSO configurations. Please see this article for more information on route-based SSO. The remainder of this article assumes we're talking about a single SSO configuration.

 

Managing SSO Settings

The following variables will need to be determined and configured as part of your SSO implementation. 

Variables Description Requirement
Name Enter a value to identify this SSO configuration. This field is for your reference only. Mandatory
Method Select SAML. Mandatory
Key The key is the x509 public certificate of the IdP that is used for the SAML assertion signature. You must configure Absorb with your IdP’s public key so that Absorb can verify your signed SAML assertions. Mandatory
Mode Choose the request mode to be used, from either Service Provider Initiated or Identity Provider Initiated.
We recommend selecting Service Provider Initiated when possible. This has two key benefits:
- LMS deep links will function as expected
- SSO can be used to access the mobile app
Mandatory
ID Property (Unique Identifier) A unique identifier field is chosen in the Absorb LMS to be used as the identifying NameID through the SAML assertion. Absorb can be configured to use the following as the Id Property:
• Id (Randomly generated identifier in Absorb database)
• Username
• Email Address
• External Id
• Employee Number
Mandatory
Signature Type Select the correct option for your configuration. Mandatory
Login URL • Service Provider Initiated Mode: This is the endpoint where Absorb will send a SAML request.
• Identity Provider Initiated Mode: This is the URL where Absorb redirects users if they navigate directly to the selected Route(s) without an active session. This redirect is only triggered when the Automatically Redirect feature is turned on.

• Mandatory for SP-initiated

• Mandatory for IDP-initiated with Automatically Redirect ON

• Optional for IDP-initiated with Automatically Redirect OFF

Logout URL This is the URL where Absorb redirects users when they log out of the Absorb system. Optional
Single Logout Enables the single sign-out endpoint. This will attempt to sign the learner out of the identity provider when they log out of the LMS. If this is on, the Logout URL set above will be ignored. Optional
External Single Logout URL The external SLO endpoint to direct single log-out requests to. Optional
Wait for Idp Response Forces Absorb to wait for a response from the identity provider before logging out of Absorb. Optional
Enforce Admin Side SSO Enforces SSO Redirection on the Admin login page. Optional
Automatically Redirect This setting only displays when Identity Provider Initiated Mode is selected. When turned on, this will redirect all users who navigate directly to the selected Route(s) to the Login URL. If not turned on, users will land on the portal's landing page.
Note: When Service Provider Initiated Mode is selected, this setting is hidden. All unauthenticated users who navigate to the selected Route or Routes will be authenticated through SSO.
Optional
Assigned Routes Use this field to search for and select a Route or Routes to assign to this SSO configuration. A Route must be selected in order for SSO authentication to be successful. This Route will be referenced in the settings you configure in your Identity Provider. Mandatory
Allow User Provisioning This setting determines whether User Provisioning is enabled. To successfully create users via this method, the required values must be sent in the Attribute Statement. For further details, see our article on user provisioning: Incoming SAML 2.0 SSO Account Provisioning  Optional

 

Azure AD Setup

This section contains instructions specific to setting up Azure AD with Absorb LMS. Each part focuses on a different element of this setup, concluding with finalizing settings on the Absorb side. This setup must be completed by a System Admin on the Absorb side and someone with full system access on the Azure side.

 

Part 1: Add Absorb LMS from the Gallery

To configure the integration of Absorb LMS into Azure AD, you need to add Absorb LMS from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add a new application, select New application.
  5. In the Add from the gallery section, type Absorb LMS in the search box.
  6. Select Absorb LMS from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

 

Part 2: Configure and Test Azure AD SSO for Absorb LMS

Configure and test Azure AD SSO with Absorb LMS using a test user. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Absorb LMS.
To configure and test Azure AD SSO with Absorb LMS, perform the following steps:

  1. Configure Azure AD SSO - to enable your users to use this feature.
    • Create an Azure AD test user - to test Azure AD single sign-on with your Test User.
    • Assign the Azure AD test user - to enable Test User to use Azure AD single sign-on.
  2. Configure Absorb LMS SSO - to configure the single sign-on settings on the application side.
    • Create Absorb LMS test user - to have a counterpart of Test User in Absorb LMS that is linked to the Azure AD representation of the user.
  3. Test SSO - to verify whether the configuration works.

 

Part 3: Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal:

  1. In the Azure portal, on the Absorb LMS application integration page, find the Manage section and select Single Sign-On (SSO).

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

    Picture5.png

  4. On the Set up Single Sign-On with SAML page, click the Edit button to open the Basic SAML Configuration dialog.
    • In the Identifier text box, type a URL using the following pattern: https://<SUBDOMAIN>.myabsorb.com
    • In the Reply URL text box, type a URL using the following pattern: : https://<SUBDOMAIN>.myabsorb.com/api/rest/v2/authentication/saml
      Note:
      <SUBDOMAIN>.myabsorb.com needs to be replaced with the Route selected within your LMS SSO Settings.
    • The following screenshot shows the list of default attributes. You can choose which value to map as the Unique User Identifier. This should match the ID Property selected within Absorb.
      Azure-AD-User-Attributes.png

  5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base 64) and save it on your computer so you can retrieve the Key value for the LMS SSO Settings.

    Picture3.png

  6. On the Set up Absorb LMS section, copy the Login URL. This will be the Login URL entered in the LMS SSO Settings if you are using Service Provider Initiated Mode.

    Picture2.png

Note: If you are using Identity-Provider Initiated Mode, you will instead need to navigate to the Properties page for the Application being used for SSO (e.g. 'Absorb LMS'), and copy the User access URL for use as the Login URL.

Picture1.png

 

Part 4: Assign an Azure AD Test User

In this section, you'll enable a test user to use Azure single sign-on by granting access to Absorb LMS.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Absorb LMS.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select your test user from the Users list, then click the Select button at the bottom of the screen.
  6. In the Add Assignment dialog, click the Assign button.

 

Part 5: Configure Absorb LMS SSO

  1. In a new web browser window, sign in to your Absorb LMS as a user with the System Admin role.
  2. Select the Account button at the top right.
  3. In the Account pane, select Portal Settings.
  4. Select the Manage SSO Settings button.
  5. Select Add if you haven’t begun the set up yet.
  6. On the Manage Single Sign-On Settings page, do the following:
    • In the Name textbox, enter a name such as Azure AD Marketplace SSO.
    • Select SAML as the Method.
    • In Notepad, open the certificate that you downloaded from the Azure portal. Remove the ---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- tags. Then, in the Key box, paste the remaining content.
    • In the Mode box, select Service Provider Initiated or Identity Provider Initiated, per your requirement. Note: Service Provider Initiated is recommended.
    • In the Id Property box, select the attribute that you configured as the user identifier in Azure AD.
    • Select Sha256 as a Signature Type.
    • In the Login URL box, paste either the Login URL (if Service Provider Initiated is selected) or the User Access URL from the application's Properties page (if Identity Provider Initiated is selected).
    • In the Logout URL, enter the URL where you wish to direct users after they log out of the LMS.
    • Under Assigned Routes click the plus button to select an existing Portal Route.
  7. Select Save.
Assigning a Route Activates SSO

Once all other configuration is complete SSO is 'accessed' by assigning a Route to the SSO configuration and saving. Depending on your use-case, you may also want to activate Automatically Redirect so that Users navigating to the Assigned Route are prompted to sign in via SSO if they aren't already authenticated.

Was this article helpful?
3 out of 4 found this helpful

Comments

0 comments

Article is closed for comments.