The Refined Training platform login page can include SAML Single Sign On authentication, allowing users to log in to their LMS through several Single Sign On methods. This Single Sign On lets the end user verify their identity with other login credentials when accessing the LMS.
Built into the LMS login page is a Security Assertion Markup Language (SAML, pronounced sam-el) Single Sign On (SSO) that provides authentication and authorization between a client’s identity provider (or other identity providers) and the Refined Data Solutions service provider.
The Refined Training SAML SSO adds supplementary functionality in the form of additional SSO options to the login page provided to users before accessing the Refined Training platform. When in use, the SAML SSO processes two scenarios:
- If the user does not exist in the LMS, the system will create the user and add the user to the LMS.
- If the user already exists in the LMS, the SAML SSO updates the user information for the account if any of the information from the SAML call is different.
The integration with the client’s identity provider needs to be completed by the Refined Development team. Once this integration is configured appropriately, the end user is able to access the Refined Training LMS via several SSO options.
If interested in using this tool, please contact firstname.lastname@example.org to activate the service.
The SAML SSO plugin displays on the login page of the Refined Training platform when enabled. The login options are system settings and can vary by site, but include options like entering a username and password, logging in as a guest, or creating a new account.
The SAML SSO provides other login options in the form of:
- Sign in with Google
- Sign in with LinkedIn
- Sign in with Facebook
- Sign in with Twitter
- Sign in with your own client identity provider (i.e., Sign in with Refined Data)
The client identity provider, or corporate provider, is custom to each client and allows a customized SSO button that matches the client’s branding.
The first time a user accesses the LMS via the SAML SSO options, the user will be redirected to a third-party authorization login page. The user must grant permission to sign in with the account of their choosing. After authentication, the user is redirected back to the platform.
EXAMPLE: A user chooses to sign in with their Google account. Google will request the user’s permission for the Refined Data system to gather information from their account/profile. This information includes:
1) Know who you are on Google
2) View your email address
3) View your basic profile info
Once accepted, the user is directed to the LMS front page as a logged in user.
Once this first-time verification is complete, the next time a user chooses to access the LMS via the SAML SSO, the user is directed to the LMS front page as soon as authentication succeeds.
When accounts are created in the SAML SSO process, the identity information passed from the identity provider becomes the username. If the identity provider provides a username that is different from the user’s email, the user’s account will need “email as username” disabled so the SSO can match credentials.
Enabling SAML authentication
Clients who choose to use the SAML authentication method will first need to set up the SimpleSAMLphp configuration on their end and then enable the SAML authentication method by going to Site Administration > Plugins > Authentication > Manage Authentication. Once enabled, access the settings page and specify the service provider to use in the SimpleSAML PHP SP source field, along with the required information for username and data mapping.
Enable SSO types
The next set of check-boxes allows the site administrator to determine which types of SAML SSO options should appear on the login page. Use the check-boxes to select or deselect the SSO options. The RDS (Refined Data Solutions) option will be replaced by the client identity provider.
SimpleSAML PHP SP source
The SimpleSAML PHP SP source is where to select the SP source that connects to Refined Training. This is the service provider (SP) source in the SimpleSAMLphp library we are running. The way the Refined Training development team configures this is typically sufficient, but at times it may need to be updated or set depending on specific customization requirements per client.
SAML username mapping
The SAML username mapping is the SAML attribute that is mapped, or matched, to the username in Refined Training. By default, this attribute is set to email but may need to be updated depending on which username field is being provided from the client identity provider to the Refined Training platform. Once the authentication method is operational, please do not change this attribute without first contacting email@example.com.
Single log out
The single logout works the same way as the SSO, but in reverse: it logs a user out of the Refined Training platform, the identity provider, and any other connected service providers at the same time. The user does not have to log out of each platform individually, but is automatically logged out from all platforms when clicking the “log out” button.
When the SAML authentication plugin is enabled, a button appears on the login page that starts authentication via SAML. By entering an image path in the text box, the site administrator can specify another image for this button. The suggested size is 614px x 30px.
SAML login description
The text entered into the SAML login description text box specifies a description for the SAML image used on the button. This description displays as a mouse-over on the client’s identity provider SAML login icon on the login page and can be used to provide directions for the end user.
SAML automatic login
When the SAML automatic login is enabled (the checkmark appears in the checkbox), the end user is automatically redirected to the SAML IdP (identity provider) without being shown any login form. This can be used when the site administrator wants the end user to be signed in through the identity provider whenever the user accesses the LMS. The LMS therefore does not display a login page; instead the end user is sent to the identity provider and, once authenticated, automatically returned to the LMS.
When Hide Login is enabled (the checkmark appears in the checkbox), the end user will not see the traditional login fields for username and password. The end user will only see the SAML options available to sign in with an identity provider. Turning off the traditional login helps keep the options to a minimum for the end user.
User data mapping
When using the client identity provider (IdP), some user data, such as first name, surname, and email address, will need to be mapped accordingly to the user profile in the Refined Training platform. In this section, user data mapping, the site administrator specifies the correspondence of their system’s data with the same data in the Refined Training platform.
When using the social media login options, the data is already mapped according to the information available from each source.
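The following is an added example, not the Refined Training plugin’s own code. It models the behaviour described above: the username mapping and user data mapping settings, the two SSO scenarios (create the user if missing, update the account if the SAML data differs), and the caveat that an account still using “email as username” cannot be matched when the identity provider sends a different username. All attribute names, settings and user records are constructed for illustration, and the matching rule in find_account is this example’s own, not the plugin’s.

```python
# Added example, not the Refined Training plugin's own code. It models the
# SAML username mapping and user data mapping settings, the create-or-update
# scenarios, and the case where the IdP username is not the email address.
# Every attribute name, setting and user record below is constructed.

DEFAULT_SETTINGS = {
    "username_mapping": "email",   # SAML attribute matched to the LMS username
    "data_mapping": {              # IdP attribute -> LMS profile field
        "givenName": "firstname",
        "sn": "lastname",
        "email": "email",
    },
}


def map_assertion(attrs, settings=DEFAULT_SETTINGS):
    """Turn the attributes of one SAML assertion into (username, profile)."""
    username = attrs.get(settings["username_mapping"])
    if not username:
        raise ValueError("assertion lacks the attribute configured as username")
    profile = {field: attrs[attr]
               for attr, field in settings["data_mapping"].items() if attr in attrs}
    return username.lower(), profile


def find_account(users, username, email):
    """Match the mapped username to an account (a modelled rule, not the plugin's).

    An account that still uses the email address as its username cannot be matched
    to a different IdP username, so refuse instead of silently creating a duplicate.
    """
    if username in users:
        return users[username]
    for account in users.values():
        if account.get("email_as_username") and account.get("email", "").lower() == email:
            raise LookupError(f"{email}: disable 'email as username' so the SSO "
                              f"can match IdP username {username!r}")
    return None


def provision(users, attrs, settings=DEFAULT_SETTINGS):
    """Apply the two SSO scenarios; returns 'created', 'updated' or 'unchanged'."""
    username, profile = map_assertion(attrs, settings)
    account = find_account(users, username, profile.get("email", "").lower())
    if account is None:
        users[username] = {"email_as_username": False, **profile}
        return "created"
    changed = {k: v for k, v in profile.items() if account.get(k) != v}
    account.update(changed)
    return "updated" if changed else "unchanged"
```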