Configuring Single Sign-On (SSO) with a SAML 2.0 Identity Provider (IdP)
BrainCert supports SAML 2.0 as an SSO method that can be configured from your BrainCert dashboard. With BrainCert's SAML 2.0 implementation, your LMS application acts as a Service Provider (SP) that users log in to via the Identity Provider (IdP).
Here are some of the technical details to understand the high-level concept:
A Service Provider (SP) is the entity providing the service, typically in the form of an application.
An Identity Provider (IdP) is the entity providing the identities, including the ability to authenticate a user. The Identity Provider typically also contains the user profile: additional information about the user such as first name, last name, job code, phone number, address, and so on. Depending on the application, some service providers may require a very simple profile (username, email), while others may require a richer set of user data (job code, department, address, location, manager, and so on).
A SAML Request, also known as an authentication request, is generated by the Service Provider to "request" an authentication.
A SAML Response is generated by the Identity Provider. It contains the actual assertion of the authenticated user. In addition, a SAML Response may contain additional information, such as user profile information and group/role information, depending on what the Service Provider can support.
A *Service Provider Initiated (SP-initiated)* sign-in describes the SAML sign-in flow when it is initiated by the Service Provider. This is typically triggered when the end user tries to access a resource or sign in directly on the Service Provider side, such as when the browser tries to access a protected resource on the Service Provider side.
An *Identity Provider Initiated (IdP-initiated)* sign-in describes the SAML sign-in flow initiated by the Identity Provider. Instead of the SAML flow being triggered by a redirection from the Service Provider, in this flow the Identity Provider initiates a SAML Response that is redirected to the Service Provider to assert the user's identity.
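To make the SP-initiated flow concrete, here is an added example (not BrainCert's code) of what the Service Provider produces: an AuthnRequest carrying the SP Entity ID, sent to the IdP's SSO Service URL using the SAML HTTP-Redirect binding (raw DEFLATE, base64, URL-encode). The entity ID, ACS URL and IdP URL are constructed sample values, and the request is shown unsigned.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def attr(value):
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})

def build_authn_request(sp_entity_id, acs_url, sso_service_url, request_id=None, issued=None):
    """Return (request_id, xml) for an SP-initiated AuthnRequest. The SP must remember
    request_id so it can match the InResponseTo of the IdP's SAML Response later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issued = issued or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{attr(request_id)}" Version="2.0" IssueInstant="{issued}" '
           f'Destination="{attr(sso_service_url)}" '
           f'AssertionConsumerServiceURL="{attr(acs_url)}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml

def redirect_url(sso_service_url, xml, relay_state=None):
    """HTTP-Redirect binding: raw-DEFLATE the XML, base64 it, URL-encode it as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    raw = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_service_url}?{urlencode(params)}"

def decode_saml_request(url):
    """What the IdP does on arrival: URL-decode, base64-decode and inflate back to XML."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()
```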
Getting Started
The prerequisite to get started is a SAML 2.0 Identity Provider to handle the sign-in process. BrainCert supports Identity Providers with SAML 2.0 support such as OneLogin, Okta, Google Apps, Azure Active Directory, etc.
Note that irrespective of the Identity Provider you choose, the following user attributes are needed from it:
- A unique identifier for users
- First and last name of users
- Email address of users
Enabling SSO with SAML 2.0
Here is what you need before enabling SSO with SAML 2.0:
- The version of your SAML Identity Provider (IdP). BrainCert currently supports SAML version 2.0 only.
- The URL of your SAML IdP.
- The URL of the IdP where users are redirected to sign in and sign out.
- The fingerprint of the SAML certificate the IdP uses to sign the SAML assertions it sends to BrainCert.
Step-1: Enable SAML SSO for your BrainCert domain
Log in to BrainCert as Administrator and navigate to Accounts & Settings > Extensions, then **Enable the SAML 2.0 based Single Sign On (SSO)**.
Once enabled, the Single Sign-On (SSO) configuration becomes available as described in Step-2.
Step-2: Navigate to Accounts & Settings > User Registration, select Single Sign-On (SSO) and fill in the corresponding fields.
- **SSO Integration Type**: Currently BrainCert only supports SAML 2.0. Select SAML 2.0 from the dropdown list.
Step-3: Select the IdP and fill in the details in the corresponding fields.
- Entity ID:
- SSO Service URL: Enter the sign-in URL of your IdP.
- SSO Logout Service URL: Enter the logout URL of your IdP.
- *X.509 Certificate*:
Once you have entered this information, click Save and move on to Profile Field Mapping.
Step-4: Profile field mapping
- First Name: First name of the user
- Last Name: Last name of the user
- Email: Email address of the user
- User Name: The user's username
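Pulling together the certificate fingerprint from the prerequisites, the Entity ID from Step-3 and the mapping from Step-4, here is an added example (not BrainCert's code) of the checks the Service Provider side performs on an assertion before the mapped profile is trusted: the certificate embedded in the assertion is compared against the configured fingerprint rather than trusted on its own, the Audience is compared against the SP Entity ID, and the validity window is checked. The assertion, the certificate bytes and the IdP attribute names (firstName, lastName, email) are constructed stand-ins, and the XML-DSig signature verification itself is assumed to be done by the SAML library.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for the IdP certificate's DER bytes (not a real X.509 certificate).
FAKE_CERT_B64 = base64.b64encode(b"constructed-idp-certificate-bytes").decode()
# Constructed assertion; the attribute names firstName/lastName/email are assumptions.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
    <saml:Audience>https://example.braincert.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Step-4 profile field mapping: BrainCert field -> IdP attribute name.
FIELD_MAP = {"First Name": "firstName", "Last Name": "lastName", "Email": "email"}

def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint (colon-separated hex) of the DER certificate in the assertion."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def process_assertion(xml_text, pinned_fp, sp_entity_id, now=None):
    """Pin the signing cert, check audience and expiry, then map the Step-4 profile fields."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or cert_fingerprint(cert.text.strip()) != pinned_fp.upper():
        raise ValueError("signing certificate does not match the configured fingerprint")
    cond = root.find("saml:Conditions", NS)
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        raise ValueError(f"assertion audience {audience!r} is not this SP's Entity ID")
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        raise ValueError("assertion has expired")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    profile = {field: attrs.get(name) for field, name in FIELD_MAP.items()}
    profile["User Name"] = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return profile
```

A missing mapped attribute comes back as None, which is the case to watch for when the IdP's attribute names differ from what was configured in Step-4.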
Step-5: Mapping the Groups
- Assign User Groups
Domain Owners/Super Admins can create different user groups and assign them by default to users who log in to your LMS from a SAML IdP. You can select the user groups from the dropdown menu. Select the Add assigned groups with each login option if you want people who log in to BrainCert from a SAML IdP to be assigned to the defined groups on each login.
- Assign User Types
Domain Owners/Super Admins can assign people who log in to your LMS from a SAML IdP as Learner, Teacher or Super Admin.
Note that by default the domain owner has Super Admin privileges and can manually assign Super Admin access to people of their choice. For these people to retain their admin access once they log in to your LMS from a SAML IdP, the domain owner has to check the **Ignore the above Group assignment for ‘Super Admin’ user type** option. If left unchecked, they will only be assigned the default user group/type.
Once you are done with Group Mapping, click Save.
Congratulations, you have now successfully configured your LMS domain to provide SSO.