Use SAML assertions to send custom data and groups data to LearnUpon
Set up SAML attributes to send field or group values when a learner logs in through Single Sign-On (SSO). LearnUpon can apply those values to the learner’s account automatically.
Availability: all customers
Customers who use identity providers (IdPs) such as OneLogin, G Suite, Salesforce, MS Azure, MS ADFS and Okta can sign in their users automatically using SAML SSO.
When you use an IdP for logins, you can share additional learner details through the identity provider, to personalize the learner's experience. Learners see their names and enrollments ready for them as soon as they log in.
Sample uses
Some examples of automated personalization through SAML:
- set First Name and Last Name when you create a new learner via SAML
- update a learner’s First Name and Last Name when their name changes
- enroll learners into a LearnUpon group based on a matching group in your IdP
- enroll learners into a LearnUpon group or course based on values in your IdP
This article uses Okta and Microsoft Azure as sample IdPs. Consult your IdP’s complete documentation for full guidance about setting up integrations.
Access permissions
- Admins with full portal permissions: can set up the feature
SAML SSO is available in sub-portals. If you use sub-portals, you set SAML configuration separately for each portal.
Prerequisites
To extend SAML assertions you need:
- SAML SSO set up in your portal, including the relevant Users & Groups parameters
- custom user data fields set up in LearnUpon and set as editable
- custom user data fields set up in your IdP to match those in LearnUpon
Tip: you can make custom user data fields read-only, aka non-editable, on request. Contact the support team to discuss.
See:
- Set up SAML SSO for your portal > Set up LearnUpon users and groups parameters
- Custom user data: set up custom fields
Note: The attribute Name value you send in the SAML assertion must exactly match the corresponding Identifier Format in your portal's Single Sign On - SAML > User & Group Settings. The values are case-sensitive: a claim named department will not populate a field whose Identifier Format is Department.
Okta example: synchronize first and last names
In your portal
- From main navigation go to Settings > Integrations > Single Sign On - SAML > User & Group Settings.
- In User Settings, set the Identifier Formats for the First Name and Last Name fields. These field formats must match the Attribute Name formats in Okta.
The following screenshot shows User Settings with Identifier Format fields highlighted.
In Okta
- From main navigation go to Applications > Your SAML Application > General > SAML Settings > Attribute Statements.
- Add the FirstName and LastName fields. The Name values must match the identifier formats in your portal’s Identifier Format settings.
The following screenshot shows sample Attribute Statements in Okta.
Example matching FirstName and LastName Attribute Names in the SAML assertion received from Okta:
<saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>Test</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>User</saml2:AttributeValue>
</saml2:Attribute>
Confirm the assertion is working
- Log into your portal using an Okta SAML test account.
- Select the initials or photo icon (User Settings) and open My Profile.
- Confirm the First Name and Last Name fields show the correct learner names.
MS Azure example: synchronize first and last names
You can specify any Name you need in the Name field in MS Azure. This example uses the standard http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname definition.
In Azure
- From main navigation go to Azure Active Directory > Enterprise Applications > LearnUpon > Single sign-on.
- From Attributes & Claims select Edit.
- Select Add new claim to add user.surname.
- Select the associated Source attribute.
- Save to finish.
The following screenshot shows the MS Azure interface with Add new claim highlighted.
The following screenshot shows Manage claim with Name, Source attribute and Save highlighted.
- Repeat the same steps to add user.givenname.
- Confirm the two (2) claims appear in the Attributes and Claims area.
- Copy the Claim Names to a safe place for future use.
The following screenshot shows 2 claims listed in Additional Claims.
In your portal
- From main navigation go to Settings > Integrations > Single Sign On - SAML > User & Group Settings.
- In the matching Identifier Format fields, enter the full Claim Name you copied from Azure for each of the two claims.
- Save to finish.
The following screenshot shows User & Group Settings > Identifier Format fields for this example.
Confirm the assertion is working
- Log into your portal using an Azure SAML test account.
- Select the initials or photo icon (User Settings) and open My Profile.
- Confirm the First Name and Last Name fields show the correct learner names.
Example SAML assertion Attribute Names with the matching givenname and surname settings received from MS Azure.
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>Test</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>User</AttributeValue>
</Attribute>
Okta example: synchronize custom user data with your portal
This example uses a custom field for Department.
Note: The attribute Name value you send in the SAML assertion must exactly match the corresponding Identifier Format setting in your portal's Single Sign On - SAML > User & Group Settings. The values are case-sensitive.
In Okta
- From main navigation go to Applications > Your SAML Application > General > SAML Settings > Attribute Statements.
- Select Add Another to enter an additional Name and Value: in this example, Department and user.department.
The following screenshot shows Attribute Statements in Okta, with the Department and user.department entries highlighted.
In your portal
- From main navigation go to Settings > Integrations > Single Sign On - SAML > User & Group Settings.
- In Custom User Data Settings, confirm the custom user data field you set up in Okta is available in LearnUpon. In this example, Department Identifier Format has the Name value Department.
- Save to finish.
The following screenshot shows Department as the Identifier format.
Example SAML Assertion Attribute Name that matches the Department Identifier Format in the portal settings:
<saml2:Attribute Name="Department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>IT</saml2:AttributeValue>
</saml2:Attribute>
MS Azure example: synchronize custom user data with your portal
This example uses a custom field for Department, with the standard definition http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department.
In Azure
- From main navigation go to Azure Active Directory > Enterprise Applications > LearnUpon > Single sign-on.
- In Attributes & Claims, select Edit.
- Select Add new claim to enter the user.department claim, with the correct Source attribute.
- Copy the claim Name to a safe place for future use.
- Confirm the claim appears listed in Additional claims.
The following screenshot shows Manage claim in MS Azure with the Name, Source attribute and Save highlighted.
In your portal
- From main navigation go to Settings > Integrations > Single Sign On - SAML > User & Group Settings.
- In the matching Identifier Format field, enter the claim Name from MS Azure.
- Save to finish.
The following screenshot shows an Identifier Format with standard definition for department.
Confirm the assertion is working
- Log into your portal using an Azure SAML test account.
- Select the initials or photo icon (User Settings) and open My Profile.
- Confirm the Department field shows the correct Department value for the learner's account.
Example SAML assertion including the matching Attribute Name:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department">
<AttributeValue>Human Resources</AttributeValue>
</Attribute>
Okta example: synchronize groups with your portal
In your portal: SAML settings
- From main navigation go to Settings > Integrations > Single Sign On - SAML > User & Group Settings.
- In Group Settings, turn on Enable Group Synchronisation.
- For Group Identifier Format, enter a value.
- Copy the value to a safe place for future use.
- Save to finish.
The following screenshot shows User & Group Settings > Group Settings as described.
In your portal: Groups settings
Create new groups, or review your existing groups to confirm Sync group with SAML SSO is turned on, as shown in the following screenshot.
See Create groups, and assign users to groups > Add SAML SSO synchronization to a group.
In Okta
- From main navigation go to Applications > Your SAML Application > General > SAML Settings > Group Attribute Statements.
- In the Name field, enter the value from the Group Identifier Format in your portal. It must match exactly; these fields are case-sensitive.
- (Optional) to send all of a user's Okta groups in the assertion, enter .* (period + asterisk) in the Matches regex filter. This includes Okta's built-in Everyone group and every other group the user belongs to, whether or not a matching LearnUpon group exists, so use a narrower filter if you only want the synchronized groups disclosed to the portal.
- Save to finish.
Confirm the assertion is working
- Log into your portal as an admin.
- From main navigation go to Users.
- Search for and select an Okta test learner account.
- Select Groups, to confirm the learner is now a member of the expected Group(s).
Example SAML assertion with the Groups Attribute Name matching the Group Identifier Format setting and a full list of all Okta Groups as AttributeValues:
<saml2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue>Everyone</saml2:AttributeValue>
<saml2:AttributeValue>Human Resources</saml2:AttributeValue>
</saml2:Attribute>
MS Azure and group synchronization
In Azure
- From main navigation select Microsoft Entra ID > Manage > Enterprise applications.
- Select your LearnUpon SAML SSO instance.
- Select Manage > Single sign-on.
- From Attributes & Claims select Edit.
- If a group claim isn't already present, select Add a group claim.
- For an Azure cloud-only instance:
- select the Groups assigned to the application.
- from the Source attribute drop down, select Cloud-only group display names
- For a Hybrid Azure Cloud / On-Premise configuration:
- select All Groups
- review the following Microsoft articles to confirm the correct Source attribute setting:
https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui#configuring-groups-optional-claims
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims
- Save to finish.
Confirm the assertion is working
- Log into your portal using an Azure SAML test account.
- From main navigation go to Users.
- Search for and select the Azure test learner account.
- Select Groups, to confirm the learner is now a member of the expected Group(s).
Example SAML assertion with the Groups Attribute Name matching the Group Identifier Format setting and the learner's Azure groups as AttributeValues:
<saml2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue>Everyone</saml2:AttributeValue>
<saml2:AttributeValue>Quality assurance</saml2:AttributeValue>
</saml2:Attribute>
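When a name, custom field or group does not appear on the learner's account after login, the quickest way to find out why is to look at the assertion the IdP actually sent and compare its Attribute Names, character for character, with the Identifier Formats in the portal. The following script is an added example, not LearnUpon, Okta or Microsoft code, and serves the first and last name, custom user data and group synchronization sections above. PORTAL_CONFIG is an assumed representation of the User & Group Settings (Identifier Formats for three fields, the Group Identifier Format, and the portal groups with Sync group with SAML SSO turned on); the two assertions are constructed samples in the shapes shown on this page, not captured traffic. It decodes a SAMLResponse from the HTTP-POST binding, extracts attributes whether the IdP uses a saml2: prefix (Okta) or a default namespace (Azure), flags names that differ only in case, and separates group values that correspond to a sync-enabled portal group from ones that do not. The portal's behaviour for unmatched group values is not described on this page; the script only lists them so you can see what a broad group filter exposes.

```python
"""Offline check of a SAML assertion against portal Identifier Formats.

Added example, not LearnUpon, Okta or Microsoft code. PORTAL_CONFIG is an
assumed model of the User & Group Settings; SAMPLE_OKTA and SAMPLE_AZURE are
constructed assertions, not captured traffic.
"""
import base64
import xml.etree.ElementTree as ET

# Assumed portal settings: Identifier Format strings (Okta-style short names)
# and the portal groups that have "Sync group with SAML SSO" turned on.
PORTAL_CONFIG = {
    "user_fields": {"First Name": "FirstName", "Last Name": "LastName", "Department": "Department"},
    "group_identifier_format": "Groups",
    "sync_enabled_groups": {"Human Resources", "Quality assurance"},
}

# Constructed Okta-shaped assertion. "department" is deliberately lower-case so
# it does NOT match the portal's "Department" Identifier Format.
SAMPLE_OKTA = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Test</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>User</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>IT</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
      <saml2:AttributeValue>Human Resources</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed Azure-shaped assertion: default namespace and full claim URIs.
SAMPLE_AZURE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <AttributeValue>Test</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <AttributeValue>User</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# What the browser would post as the SAMLResponse form field (HTTP-POST binding).
SAMPLE_AZURE_B64 = base64.b64encode(SAMPLE_AZURE.encode("utf-8")).decode("ascii")


def decode_saml_response(saml_response_b64: str) -> str:
    """Turn a SAMLResponse form field (HTTP-POST binding) back into XML.
    This only decodes; it does not verify the signature, so use it to inspect
    attribute names, never to trust their values."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def _local(tag: str) -> str:
    """Strip the {namespace} part ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {Attribute Name: [values]} from an assertion, whether the IdP
    writes saml2:-prefixed elements (Okta) or a default namespace (Azure)."""
    attrs: dict[str, list[str]] = {}
    for el in ET.fromstring(assertion_xml).iter():
        if _local(el.tag) != "Attribute" or el.get("Name") is None:
            continue
        values = [(v.text or "").strip() for v in el if _local(v.tag) == "AttributeValue"]
        attrs.setdefault(el.get("Name"), []).extend(values)
    return attrs


def check_assertion(attrs: dict[str, list[str]], config: dict) -> dict:
    """Compare attribute names with the portal's Identifier Formats using an
    exact, case-sensitive match, and split group values into those that name
    a sync-enabled portal group and those that do not."""
    report = {"matched": {}, "case_mismatch": {}, "missing": [],
              "groups_matched": [], "groups_unmatched": []}
    by_lower = {name.lower(): name for name in attrs}
    for field, fmt in config["user_fields"].items():
        if fmt in attrs:
            report["matched"][field] = attrs[fmt][0] if attrs[fmt] else ""
        elif fmt.lower() in by_lower:
            report["case_mismatch"][field] = by_lower[fmt.lower()]  # sent, but with different case
        else:
            report["missing"].append(field)
    for group in attrs.get(config["group_identifier_format"], []):
        key = "groups_matched" if group in config["sync_enabled_groups"] else "groups_unmatched"
        report[key].append(group)
    return report


if __name__ == "__main__":
    for label, xml in (("Okta", SAMPLE_OKTA), ("Azure", decode_saml_response(SAMPLE_AZURE_B64))):
        print(label, check_assertion(parse_attributes(xml), PORTAL_CONFIG))
```

To use it on a real login, capture the SAMLResponse form field from the browser's network tools, pass it to decode_saml_response, and compare the report with the Identifier Formats shown in User & Group Settings. Against the Okta sample, First Name and Last Name match, Department is reported as a case mismatch (department was sent), Human Resources is a synchronized group, and Everyone is listed as unmatched.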
Reference documentation
LearnUpon is not responsible for content on external websites.