Articles in this section
Category / Section

Configuring Single Sign-On (SSO) with a SAML 2.0 Identity Provider (IdP)

Published:
4 mins read

Single sign-on (SSO) is a highly user-friendly authentication scheme that allows users to log in & access multiple platforms with a single ID and password. It is a highly time-saving feature and BrainCert supports SSO.

BrainCert supports SAML 2.0 as an SSO method that can be configured to your BrainCert dashboard. With BrainCert's SAML 2.0 implementation, your LMS application will act as a Service Provider (SP) that users request to log in to via the Identity Provider (IdP).


Here are some of the technical details to understand the high-level concept:

  • Service Provider (SP) is the entity providing the service, typically in the form of an application.
  • An Identity Provider (IdP) is the entity providing the identities, including the ability to authenticate a user. The Identity Provider typically also contains the user profile: additional information about the user such as first name, last name, job code, phone number, address, and so on. Depending on the application, some service providers may require a very simple profile (username, email), while others may require a richer set of user data (job code, department, address, location, manager, and so on).
  • A SAML Request, also known as an authentication request, is generated by the Service Provider to "request" an authentication.
  • A SAML Response is generated by the Identity Provider. It contains the actual assertion of the authenticated user. In addition, a SAML Response may contain additional information, such as user profile information and group/role information, depending on what the Service Provider can support.
  • A Service Provider-initiated (SP-initiated) sign-in describes the SAML sign-in flow when initiated by the Service Provider. This is typically triggered when the end user tries to access a resource or sign in directly on the Service Provider side, such as when the browser tries to access a protected resource on the Service Provider side.
  • An Identity Provider Initiated (IdP-initiated) sign-in describes the SAML sign-in flow initiated by the Identity Provider. Instead of the SAML flow being triggered by a redirection from the Service Provider, in this flow, the Identity Provider initiates a SAML Response that is redirected to the Service Provider to assert the user's identity.

Getting Started

The prerequisite to get started is a SAML 2.0 identity Provider to handle the sign-in process. BrainCert supports Identity Providers with SAML 2.0 support such as OneLogin, Okta, Google apps, Azure Active Directory, etc.

Note that irrespective of the Identity Provider you choose, the following attributes are common:

  • A unique identifier for users
  • First and last names of users
  • Email address of users


Enabling SSO with SAML 2.0

Here is what you need to get started with enabling SSO with SAML 2.0.

  • The version of your SAML Identity provider (IdP). BrainCert currently supports SAML version 2.0.
  • The URL of your SAML IdP.
  • URL of IdP where users have to be redirected to sign in/sign out.
  • The fingerprint of the SAML certificate used by the IdP to sign the SAML assertions sent to BrainCert.


Step 1:

Enable SAML SSO for your BrainCert domain

Login to BrainCert as Administrator navigate to 'Global Settings' and click on 'Extensions'. 

1.png


Step 2:

Enable 'SAML 2.0 based Single Sign On (SSO)' and 'Save' the changes.
aa9a65f2-6630-4fcf-8830-9320c6a6d1cf.png

Step 3:

Navigate to 'Global Settings', open 'User Registration' select 'Single-Sign-On (SSO)', and fill in the corresponding fields.
1.png
  1. SSO integration Type: Currently BrainCert only supports SAML 2.0. Select SAML 2.0 from the dropdown list.



Step 4: Select IdP and Fill in the Details in the Corresponding Fields

2.png
  • Entity ID:
  • SSO Service URL: Enter the URL of your IDP provider
  • SSO Logout Serice URL: Enter the logout URL of the SSO.
  • X.509 Certificate

Once you enter this information, click 'Save' and move on to Profile Field Mapping.



Step 5: Profile Field Mapping

3.png
  • First Name: First name of the user
  • Last Name: First name of the user
  • Email: Email ID of the user
  • User Name: Enter the user's user name



Step 6: Mapping the Groups

  • Assign User Groups
4.pngDomain Owners/Super Admins can create different user groups and assign them to users who log in to your LMS from a SAML IDP provider by default. You can select the user groups from the dropdown menu. Select the 'Add assigned groups with each login' option, if you want people who log in to BrainCert from a SAML Idp provider to be assigned to the defined groups with each login.

  • Assign User Types

Domain Owners/Super Admins can assign people who log in to your LMS from a SAML IDP provider as Learners, Teachers, or Super Admin.

Note that by default the domain owner has Super Admin privileges and they can manually assign Super Admin access to people of their choice. For these people to retain their admin access once they log into your LMS from a SAML IDP provider, the domain owner has to check the 'Ignore the above Group assignment for the ‘Super Admin’ user type' option. If left unchecked, they will only be assigned the default user group/type.

5.png

Once you are done with Group Mapping click on 'Save'.

Congrats, now you have successfully configured your LMS domain to provide SSO services.

Was this article useful?
Like
Dislike
Help us improve this page
Please provide feedback or comments