iLMS SSO: Single Sign-On Setup with SAML

Overview of SAML Settings in iLMS

The SAML settings section in the iLMS requires information from your SAML configuration. The information needed for the iLMS configuration should also be available from your SAML implementation. Hover over Settings in the administrator dashboard.


Download Metadata from iLMS

Click on SAML. Expand the Service Provider section and click the "click here" download link to receive the metadata.


Service Provider

 The automatically populated information in this section may be required by your identity provider to configure Single Sign-on. 


Identity Provider - Issuer

In the Issuer section, enter the corresponding information from your identity provider to configure SSO. 

or

Select "Import Metadata" to import the metadata from the identity provider you are using; the data will populate automatically.

  • Sign-in page URL
    This will be used to redirect the user to log in again if the iLMS doesn't receive a SAML token with the request.
  • Verification Certificate
    Allows your organization to upload the security certificate provided by your identity provider.
    Note: This must be in .cer format.
  • Sign-out page URL
    This will close the Learner Center window upon logout and redirect the user to your organization's login page if specified, or redirect the user to any other specific URL.
  • Change Password URL
    This will be associated with the Change Password link on the User Profile page in the Learner Center.

User Identifier

Enter the primary identifier for your learners in the Email ID field. By default this is the NameID element, but it can optionally be any other standard attribute element.
If your organization has set Employee ID as the unique identifier in iLMS, this will display Employee ID in place of Email ID.
The unique ID for iLMS can be changed here: iLMS Fields and Unique Identifier


Just-in-Time User Provisioning with SAML

  • The Create Un-recognized User Account checkbox will allow the system to create a user that is not registered in the iLMS at the time of Single Sign-on. 
  • SAML Attributes are then matched to the user profile fields. The first five are the default values for created or updated user profiles and must have matching attributes assigned from the IdP.
  • A Default Value is added to any non-mandatory field that is left blank in the SAML token. 
  • Predefined ADFS 2.0 attributes are available from the drop down on the right for added convenience, but if the desired attribute name is not listed, you may type the correct input.
  • Fields marked with an asterisk (*) are mandatory fields for registering a user, and iLMS allows further profile fields to be defined. To add/remove fields, see instructions here: iLMS Fields and Unique Identifier
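
The following pre-flight check is an added example, not iLMS code: it reads a test SAML token from your own IdP and reports which mapped attributes are missing before Just-in-Time provisioning is switched on. The profile field names, attribute names, default value and sample token are constructed assumptions; substitute the mapping shown on your own SAML settings page.

```python
import base64
import xml.etree.ElementTree as ET  # use only on test tokens from your own IdP; no signature check is done

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping: profile field -> (SAML attribute name, mandatory?, default value)
MAPPING = {
    "First Name": ("givenname", True, None),
    "Last Name": ("surname", True, None),
    "Department": ("department", False, "Unassigned"),
    "Job Title": ("title", False, None),
}

# Constructed sample assertion (unsigned, trimmed), base64-encoded as in a SAMLResponse form field.
SAMPLE_B64 = base64.b64encode(b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>pat@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="givenname"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="surname"><saml:AttributeValue> </saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="department"><saml:AttributeValue/></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>""").decode()


def preflight(token_b64, mapping=MAPPING, identifier_attr=None):
    """Report what a token lacks for provisioning; identifier_attr=None means NameID."""
    root = ET.fromstring(base64.b64decode(token_b64))
    attrs = {}
    for attr in root.iterfind(".//a:Attribute", NS):
        value = attr.findtext("a:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = (value or "").strip()  # whitespace-only counts as blank
    if identifier_attr is None:
        identifier = (root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS) or "").strip()
    else:
        identifier = attrs.get(identifier_attr, "")
    report = {"identifier": identifier, "missing_mandatory": [], "blank_optional": {}}
    for field, (name, mandatory, default) in mapping.items():
        if attrs.get(name):
            continue  # attribute present and non-blank
        if mandatory:
            report["missing_mandatory"].append(field)
        else:
            # Value is the configured default, or None where no default is configured.
            report["blank_optional"][field] = default
    return report


if __name__ == "__main__":
    print(preflight(SAMPLE_B64))
```

An empty `identifier` or a non-empty `missing_mandatory` list means the token is not ready for provisioning; entries in `blank_optional` with no default are the fields that would arrive blank.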

Business Rules 

  • Create Un-Recognized Regions, Divisions, and Departments
    If checked, this will create new Regions, Divisions, and Departments that do not already exist at the time of Single Sign-on if listed in a user profile.
  • Update User Profile During Sign-In
    If enabled, this will update data in the user profile upon each sign-on.
  • Update Blank Values for Non Mandatory Fields
    This allows populated non-mandatory fields to be overwritten with blanks if the profile field(s) in the SAML token is blank upon sign-on.
  • Send Error Notification Email
    This allows your organization to specify an email address (usually a distribution list) that will receive error logs each time a user encounters an issue signing in to the iLMS via SSO. This log includes data sent in the SAML token along with the error message received by the user.
Note: A log will only be produced if the user gets far enough in the process that the request hits our system.
Note: If SSO is implemented, we recommend updating the access URL in the email communications sent to users with the SSO URL.
Editing Email Templates
If using LDAP for provisioning, there's an option under the settings there to automatically use the SSO sign-in URL.