Single Sign-On

Configuring the Identity provider

Learnsoft provides the capability of integrating its Learning Management System with the client’s Active Directory Federation Services (ADFS) via SAML (Security Assertion Markup Language).

There are three key players involved in single sign-on: 

  1. The End User – the user who is trying to log on to the Learnsoft Learning Management System.
  2. Service Provider – Learnsoft Technology Learning Management System.
  3. Identity Provider – Learnsoft Group’s client (the client’s ADFS).

[Diagram: the three single sign-on parties (End User, Service Provider, Identity Provider)]

As the above diagram suggests, the first step in this process requires us (Learnsoft) to obtain the Client’s SSO (Single Sign On) URL. Upon receipt of this URL, Learnsoft will develop a custom URL that redirects the End User’s browser to the Identity Provider’s (the client’s) ADFS SSO endpoint.

The next step involves configuring the Identity Provider (the client’s ADFS) to work with SAML for Learnsoft Technology Group’s Learning Management System. Two separate configurations within the Client’s ADFS will be done here – Staging / Testing Environment & Production Environment. This will allow the client to seamlessly switch from the Staging environment to the production environment. 

Configuring the Identity Provider

Learnsoft provides the client with two XML files (one for the staging environment and the other for the production environment). Importing these to the ADFS Console will configure the client’s ADFS to work with SAML and Learnsoft Technology Group’s Learning Management System staging environment and production environment. At this point two entries in the client’s ADFS are created.

The names of these two files are –

metadataStagingLearnsoft.xml (Download a zip containing the xml file for staging)

metadataProdLearnsoft.xml (Download a zip containing the xml file for production)


For each one of these entries, the client will need to define assertion claim rules. Claim rules define which attributes the client’s ADFS includes in the SAML assertion it sends back to the Assertion Consumer Service URL. Learnsoft Technology Group requires that the following claim rules be defined for each ADFS entry.

<add key="Attribute_membership-level" value="LSGLMWS"/>

<add key="Attribute_membership-number" value="LSGLM**"/>

<add key="Attribute_company-number" value="**"/>

<add key="Attribute_tenant-number" value="***"/>

<add key="Attribute_company-userid" value=""/> 

The first four claim rules (Attribute_membership-level, Attribute_membership-number, Attribute_company-number and Attribute_tenant-number) have a static value associated with them.

**Refer to your project manager at Learnsoft Technology Group for this value. 

***Refer to your project manager at Learnsoft Technology Group for this value.

 

The following image shows the creation of one of the static claim rules – “Attribute_membership-level” 

[Screenshot: creating the static claim rule “Attribute_membership-level”]

The last claim rule "Attribute_company-userid" involves creation of a custom rule. 

Step-by-step guide to create the "Attribute_company-userid" claim rule –

  1. Create a new “Claim Rule.” Under LDAP Attribute, select “SAM-Account-Name” and set the Outgoing Claim Type to “UPN.” The attribute store should be Active Directory.
    [Screenshot: the new claim rule with LDAP Attribute SAM-Account-Name and Outgoing Claim Type UPN]
  2. Click on “View Rule Language” and you will be presented with the following screen.
    [Screenshot: the generated claim rule language]
  3. Copy the claim rule language and click on OK. Create a custom claim rule and paste the claim rule language. Replace the URL in the second-to-last line of the claim rule language (the outgoing claim type) with Attribute_company-userid, as shown in the screenshot below.
    [Screenshot: the custom claim rule with the outgoing claim type replaced by Attribute_company-userid]
  4. Click on OK. You should now have a set of claim rules similar to what is shown in the image below –
    [Screenshot: the completed list of claim rules for the relying party trust]
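The same five claim rules, written out in ADFS claim rule language and applied with the ADFS PowerShell module instead of the console. This is an added example, not a script from Learnsoft Technology Group; it assumes the two relying party trusts created by importing the metadata files are named "Learnsoft LMS (Staging)" and "Learnsoft LMS (Production)", and the starred values are placeholders for the values your Learnsoft project manager provides. The last rule is the custom rule from the steps above: the generated "Send LDAP Attributes as Claims" rule with the UPN claim type URL replaced by Attribute_company-userid.

```powershell
# Added example, not Learnsoft's own script. Defines the five required claim
# rules in ADFS claim rule language and applies them to both trusts, then
# reads the rules back to confirm every required claim type is present.
# Assumed trust names and placeholder values are marked below.
Import-Module ADFS

$trustNames       = 'Learnsoft LMS (Staging)', 'Learnsoft LMS (Production)'  # assumed names
$membershipNumber = 'LSGLM**'   # placeholder: value from your Learnsoft project manager
$companyNumber    = '**'        # placeholder: value from your Learnsoft project manager
$tenantNumber     = '***'       # placeholder: value from your Learnsoft project manager

# Four static rules, then the custom rule that sends sAMAccountName as
# Attribute_company-userid (the "Send LDAP Attributes as Claims" rule with
# the outgoing claim type URL replaced).
$rules = @"
@RuleName = "Attribute_membership-level"
=> issue(Type = "Attribute_membership-level", Value = "LSGLMWS");

@RuleName = "Attribute_membership-number"
=> issue(Type = "Attribute_membership-number", Value = "$membershipNumber");

@RuleName = "Attribute_company-number"
=> issue(Type = "Attribute_company-number", Value = "$companyNumber");

@RuleName = "Attribute_tenant-number"
=> issue(Type = "Attribute_tenant-number", Value = "$tenantNumber");

@RuleName = "Attribute_company-userid"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Attribute_company-userid"), query = ";sAMAccountName;{0}", param = c.Value);
"@

foreach ($trust in $trustNames) {
    Set-AdfsRelyingPartyTrust -TargetName $trust -IssuanceTransformRules $rules
}

# Verification: each required claim type must appear in the stored rule set.
$required = 'Attribute_membership-level', 'Attribute_membership-number',
            'Attribute_company-number', 'Attribute_tenant-number', 'Attribute_company-userid'
foreach ($trust in $trustNames) {
    $stored  = (Get-AdfsRelyingPartyTrust -Name $trust).IssuanceTransformRules
    $missing = $required | Where-Object { $stored -notmatch [regex]::Escape("`"$_`"") }
    if ($missing) {
        Write-Warning "$trust is missing claim rules: $($missing -join ', ')"
    } else {
        Write-Host "$trust has all five required claim rules."
    }
}
```

Set-AdfsRelyingPartyTrust replaces the whole issuance transform rule set on the trust, so run it once per environment with the complete set rather than adding rules one at a time; it does not touch the issuance authorization rules, which stay as the console wizard created them.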

Once the claim rules have been defined, the identity provider will need to provide Learnsoft Technology Group with the Federation Metadata file that their ADFS generates.

This Federation Metadata file can typically be obtained from the following URL:

https://<Domain name of your ADFS>/FederationMetadata/2007-06/FederationMetadata.xml

Learnsoft Technology Group will utilize this to configure SAML on our side. 
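A quick check of the metadata file before it is sent, as an added example rather than a Learnsoft procedure: it downloads the file from the URL above, confirms it carries an entityID, and reports the expiry of each token-signing certificate, since the Service Provider will trust exactly those certificates when it validates assertions. The ADFS host name is an assumption; replace it with your own.

```powershell
# Added example, not Learnsoft's own script. Fetches the ADFS federation
# metadata and sanity-checks it before sending it to Learnsoft.
$adfsHost = 'adfs.example.com'   # assumption: your ADFS host name
$url      = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile  = Join-Path $env:TEMP 'FederationMetadata.xml'

Invoke-WebRequest -Uri $url -OutFile $outFile -UseBasicParsing
[xml]$metadata = Get-Content -Path $outFile -Raw

# The entityID is what Learnsoft will configure as the trusted issuer.
$entityId = $metadata.EntityDescriptor.entityID
if (-not $entityId) { throw "No entityID found in $outFile" }
Write-Host "entityID: $entityId"

# Token-signing certificates: IDPSSODescriptor/KeyDescriptor[@use='signing'].
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$certNodes = $metadata.SelectNodes($xpath, $ns)
if ($certNodes.Count -eq 0) { throw 'No signing certificate found in the metadata' }

foreach ($node in $certNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    Write-Host ("Signing certificate {0} expires {1:yyyy-MM-dd} ({2} days left)" -f $cert.Thumbprint, $cert.NotAfter, $daysLeft)
    if ($daysLeft -lt 30) {
        Write-Warning 'Signing certificate expires within 30 days; plan the rollover with Learnsoft so assertions keep validating.'
    }
}
Write-Host "Metadata saved to $outFile"
```

When ADFS rolls its token-signing certificate (automatic certificate rollover is on by default), the metadata changes and Learnsoft needs the new file; a scheduled run of this check gives early warning.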

 

Additional Considerations

In addition to configuring SSO, there are other considerations as we set up SSO for your site. 

Working on Shared Workstations

Integrating with ADFS can cause a problem for users who work on the LMS from shared workstations. This happens because they are not logged onto the shared workstation with their own domain account, so the browser silently presents the workstation’s logged-on credentials to ADFS. With a little help from the client’s IT staff this is easily resolved.

Resolution

Apply a group policy on the Organizational Unit (on the domain controller) that contains these shared workstations, so that Internet Explorer on those workstations prompts the users to enter their own Active Directory credentials every time they click on the SSO link.
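The specific Internet Explorer setting behind that group policy is the Local intranet zone’s “Logon options”, which controls whether IE sends the logged-on account’s credentials automatically. This is an added example, not part of the Learnsoft guide: it writes the equivalent per-user registry value on a single workstation so the behaviour can be tested before the OU-wide policy is rolled out. It assumes the ADFS host is in the Local intranet zone (zone 1) on these workstations.

```powershell
# Added example, not Learnsoft's own script. Sets the Local intranet zone
# (zone 1) logon option for the current user and verifies it.
# Value 1A00 ("Logon"): 0x00000 = automatic logon with current credentials,
# 0x10000 = prompt for user name and password (what shared workstations need).
$zoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$promptForCredentials = 0x10000

Set-ItemProperty -Path $zoneKey -Name '1A00' -Value $promptForCredentials -Type DWord

# Verify the stored value; a mismatch usually means a policy is overriding it.
$current = (Get-ItemProperty -Path $zoneKey -Name '1A00').'1A00'
if ($current -eq $promptForCredentials) {
    Write-Host 'Local intranet zone will prompt for AD credentials at the SSO link.'
} else {
    Write-Warning ("Unexpected logon option 0x{0:X} for zone 1" -f $current)
}
```

For the OU-wide change, the matching policy is User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone > Logon options, set to “Prompt for user name and password”; it writes the same 1A00 value under the Policies hive, which takes precedence over the per-user value above.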

User Profile Information

When establishing SSO, modifications need to be made to the HR file that is being sent to Learnsoft Technology Group by the client. 

SSO integration matches the authenticated user on the AD ID field passed in the HR User Feed, so that field must hold the same identifier the ADFS claim rules send.