Log in seamlessly through your identity provider
LearnUpon uses SAML to let customers who use identity providers (IdPs) such as OneLogin, G Suite, Salesforce or Microsoft Active Directory/ADFS sign in their users automatically.
Availability: all customers
Access to additional portal languages depends on your LearnUpon plan
SAML (Security Assertion Markup Language) enables a user, authenticated on one system, to sign in to another system automatically, without typing a username and password. This process is known as Single Sign-On (SSO), and SAML is the most common form of SSO.
LearnUpon supports the Identity Provider-initiated HTTP-POST SAML v2.0 profile.
Note: LearnUpon supports a single SAML configuration per portal.
When you set up SAML, you must enter at least 1 fingerprint for an X.509 public certificate. You download the certificate from your IdP. You can enter as many fingerprints as you need. If you enter more fingerprints, you can set 1 as your primary fingerprint for SAML verification.
Tip: Use an online tool like samltool.com to turn an X.509 certificate from your IdP into a fingerprint.
Access permissions
- admins with full portal permissions: can set up SAML SSO
This feature is available in sub-portals. If you use sub-portals, you set SAML configuration separately for each portal.
Prerequisites
- SAML SSO turned on for your portal
- any related custom user data fields set up in LearnUpon
Note: the YYYY-MM-DD format is required for custom user data fields that contain dates. This format supports integrations for LearnUpon like SSO SAML, and services like batch user upload and API automations.
View SAML entry points
- From main navigation go to Settings > Integrations > Single Sign On - SAML. The SAML SSO page displays:
SAML Entry Point / Consumer URL / ACS URL in format:
https://yourportalname.learnupon.com/saml/consumer
SAML Metadata URL in format:
https://yourportalname.learnupon.com/saml/metadata
The following screenshot shows SAML Integration, with sample domain names obscured.
Complete general settings
On this page, turning on SAML in Settings makes the SAML Hardening options available.
Saving Settings and Hardening options makes Certificate fingerprints available.
Note: SP-initiated SAML, aka service provider-initiated SAML, requires the hardening option to limit the SAML target URL to the relevant subdomain.
- From main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.
- From Settings, make the following entries:
- Enabled?: select to activate SAML for your portal
- Version: select 2.0
- Skip Condition: select No (recommended) or Yes
- SAML Token POST param name: enter the parameter name sent to your portal's consumer URL that contains the SAML assertion. This field is case-sensitive
- Name Identifier Format: define the format in your SAML assertion, where LearnUpon can find the user's identifier
- Identity Provider Location (IDP SSO Target URL): the destination URL where LearnUpon sends users if they select the icon you upload on the portal login screen
- Disable portal login page: (optional) to redirect users to the IDP SSO URL
- Unauthorized URL: destination URL for users who aren't authorized, based on the SAML assertion
- Sign Out URL: destination URL for users who select Sign Out on the portal
- Enable SP-initiated SAML?: (optional) lets you redirect learners from internal pages, iCals and emails
- Save to finish this section.
When you select Disable portal login page in the General Settings, you can access the portal login page by adding users/sign_in?no_sso=true to the standard portal URL. For example:
yourportalname.learnupon.com/users/sign_in?no_sso=true
Note: when you log in through SSO, you are authenticated for a single portal, rather than all your portals. The portal switcher in your top navigation bar shows only the portals where you are already logged in.
To retain access to all your portals through the portal switcher, log in through the LearnUpon login page by adding the users/sign_in?no_sso=true suffix to your portal URL.
The following screenshot shows the first part of the SAML SSO > General Settings page, with the sample domain name obscured.
Set hardening options
When you turn on Enabled for SAML, Hardening options become available.
Hardening your SAML configuration refers to limiting the SAML issuer to your subdomain mydomainname.learnupon.com.
Note: SP-initiated SAML, aka service provider-initiated SAML, requires the hardening option to limit the SAML target URL to the relevant subdomain.
If you leave this option deactivated, you allow SAML assertions issued by other LearnUpon domains.
When you change any Hardening options, LearnUpon saves your changes immediately and refreshes the page.
- From main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.
- From Limit SAML issuer to your subdomain, select Activate.
- In the Activate subdomain requirement? dialog that opens, select Activate to confirm.
Limit SAML issuer to your subdomain displays an Active status.
By default, LearnUpon sets the other options for signed assertions, skipping destinations and skipping subject confirmation, at the highest level of security for your SAML setup.
Changing these settings removes those security options. Check with your IT team before making changes.
- From main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.
- From Hardening options:
- for Sign SAML assertion, select Deactivate as required
- for Check destination, select Activate as required
- for Check subject confirmation, select Activate as required
- for Sign Authn Requests, select Activate as required
The following screenshot shows Hardening options with default settings for a new portal that uses SP-initiated SAML.
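What a destination check and a subject confirmation check verify under the SAML 2.0 specification, as an added example (not LearnUpon's code). It assumes the Check destination and Check subject confirmation options correspond to these standard checks; the sample response, IdP issuer, user and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://yourportalname.learnupon.com/saml/consumer"  # format shown on this page

# Constructed, unsigned sample response: IDs, issuer, user and times are made up.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" Destination="{dest}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>learner@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{rcpt}" NotOnOrAfter="{exp}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime without fractional seconds (enough for the sample)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_checks(xml_text, acs_url, now):
    """Return names of failed checks ([] = both pass). Verify the signature first."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted input
    failures = []
    # Destination: the response must be addressed to this consumer URL.
    if root.get("Destination") != acs_url:
        failures.append("destination")
    # Subject confirmation: a bearer confirmation must name this consumer URL
    # as Recipient and must not have passed its NotOnOrAfter time.
    confirmed = False
    for conf in root.iterfind(".//saml:SubjectConfirmation", NS):
        data = conf.find("saml:SubjectConfirmationData", NS)
        if conf.get("Method") != BEARER or data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if data.get("Recipient") == acs_url and expiry and now < parse_instant(expiry):
            confirmed = True
    if not confirmed:
        failures.append("subject_confirmation")
    return failures
```

With either check turned off, a response addressed to a different consumer URL, or one replayed after its expiry time, is no longer rejected on that basis.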
Turn the certificate into a fingerprint to upload to the portal
This 2-part step requires an online SAML calculator to generate a fingerprint from your certificate. You enter the fingerprint in your LearnUpon portal as part of the SSO setup.
Create a fingerprint
- In a text editor, open the CRT file downloaded from your IdP.
- Select and copy the full text of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Paste the certificate text into the online tool.
- Select the algorithm you used in the IdP, SHA1 or SHA256, to generate a fingerprint.
The following screenshot shows a sample certificate text selected, with some lines obscured, before copying into a SAML calculator.
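The same fingerprint can be computed locally instead of in an online calculator. The following is an added example, not LearnUpon's or the IdP's code: it shows that the fingerprint is the SHA1 or SHA256 hash of the certificate's decoded (DER) bytes rather than of the pasted text. The sample certificate body is constructed placeholder bytes, and the function names are illustrative.

```python
import base64
import hashlib
import re
import sys
import textwrap

# Constructed placeholder bytes standing in for a certificate's DER encoding.
FAKE_DER = bytes(range(256)) * 3
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode("ascii"), 64))
    + "\n-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM (.crt) text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop LF/CRLF line breaks
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text, algorithm="sha256"):
    """Colon-separated fingerprint: the hash of the DER bytes, not of the PEM text."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("use sha1 or sha256, matching the IdP setting")
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value):
    """Strip separators and case so two renderings of a fingerprint compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


if __name__ == "__main__":
    # Pass the path of the CRT file from your IdP; falls back to the sample.
    text = open(sys.argv[1], encoding="ascii").read() if len(sys.argv) > 1 else SAMPLE_PEM
    for algo in ("sha1", "sha256"):
        print(algo, fingerprint(text, algo))
```

Use `normalize` to compare the local result with the value shown by the IdP or entered in the portal, since tools differ in case and separators.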
Add an X.509 fingerprint to the portal
Saving Settings and Hardening options makes Certificate fingerprints settings available onscreen.
You can record and manage multiple fingerprints for X.509 public certificates. LearnUpon accepts SHA1 and SHA256 fingerprints. You must enter at least 1 fingerprint to use SAML SSO.
If you enter more fingerprints, you can set 1 fingerprint as primary. LearnUpon uses the primary fingerprint for 2-way SSO login from the login page.
- From main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.
- Select Manage fingerprints to open the fingerprint dialog.
- In Fingerprint Value, enter your X.509 certificate fingerprint.
- Select Add a fingerprint to add more than 1 fingerprint as required.
- If required, select 1 fingerprint as Primary.
- Save to finish.
The following screenshot shows the Manage fingerprints dialog with 2 fingerprints, with the full text obscured.
Add logo
Add a provider logo that appears on the Login Page under Sign In.
When users select the logo at login, the logo directs users to the Identity Provider Location (IDP SSO URL) defined in your SAML SSO > General Settings.
- Select Upload Logo to add your identity provider's logo to the LearnUpon login page.
- Select Save to finish.
Set up LearnUpon users and groups parameters
When you set up SAML SSO, you have the option to use data provided by your IdP to:
- create new users if they don't already exist
- add any language parameter, so learners see the portal in their preferred language from first login
- synchronize your groups
The language codes LearnUpon uses are available from the API guide.
- From your LearnUpon main navigation menu go to Settings > Integrations > Single Sign On - SAML.
- Select Users & Groups Settings.
- From User Settings you can:
- select Create Users if they do not exist in your portal on a valid assertion
- provide parameter Identifier Formats for names and Custom User Data
- provide parameter Identifier Formats for portal languages
- From Group Settings, you can:
- select Enable Group Synchronization
- provide parameter Identifier Formats for Groups
- After updating any of these settings, select Save to finish.
The following screenshot shows a sample User & Group Settings, for a portal that uses association memberships. Group synchronization is also turned on.
The following screenshot shows sample Custom User Data Settings for a portal.
Next steps with SAML SSO
See SAML SSO: send default and custom user data to LearnUpon for details on setting up additional customization for learners, to improve their learning experience.