Use Azure as identity provider (IdP) for a seamless login for learners
Microsoft Azure is a robust cloud computing solution.
Availability: all customers
Azure's integration provides Single Sign-On (SSO) capability:
- Users create a single set of credentials with MS Azure
- Azure lets users log in to many applications, including LearnUpon, with these credentials
- Azure keeps users' login details separate from their LearnUpon usage data
Azure never "sees" or records what courses users take, or their course outcomes. The Azure integration only provides access to their LearnUpon account. Adding Azure as a login option means LearnUpon admins can manage users in a centralized location.
Note: LearnUpon does not support Azure AD B2C (business to consumer) OIDC. Microsoft is discontinuing support for this product.
Access permissions
- Admins with full portal permissions: can set up the feature
The admin setting up the integration requires access to an Azure admin account.
Prerequisites
To set up Azure SAML SSO you need:
- SAML SSO enabled for your portal
- any related custom user data fields set up in LearnUpon
Note: the YYYY-MM-DD format is required for custom user data fields that contain dates. This format supports integrations for LearnUpon like SSO SAML, and services like batch user upload and API automations.
Setting up Azure
From your Azure Portal Dashboard:
- In the top search bar, search for Enterprise Applications
- Or, select Enterprise Applications from the left-hand menu
- Select New Application
- In the search bar, enter LearnUpon
- Select LearnUpon App
- Select Add app button
On the Enterprise Application > LearnUpon - Overview page select Set up single sign on:
- For Single Sign On Type select SAML
- In 1. Basic SAML Configuration select Edit
- Set Identifier to: https://<yourportal>.learnupon.com
- Set Reply URL to: https://<yourportal>.learnupon.com/saml/consumer
- Set Sign on URL, Relay State, and Logout URL to a blank field
- Select Save
- In 3. SAML Signing Certificate select Edit
- Set Signing Option to Sign SAML Assertion
- Set Signing Algorithm to SHA-1 or SHA-256
- This page also contains the X509 Certificate Thumbprint/ Fingerprint. Copy the Thumbprint/Fingerprint to a safe place for future use.
- The Thumbprint will be added to your LearnUpon settings in a later step
- Select Save
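A way to check the copied Thumbprint/Fingerprint before it is entered in LearnUpon, as an added example that is not part of the original article: it recomputes the fingerprint from the signing certificate exported in Base64 (PEM) form and compares it with the pasted value, tolerating colons, spaces and case. It assumes the thumbprint is the SHA-1 or SHA-256 digest of the DER-encoded certificate; the sample bytes are a constructed stand-in, not a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib
import re

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the Base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", pem)
    return base64.b64decode(body, validate=True)

def fingerprints(der: bytes) -> dict:
    """A certificate fingerprint is a plain digest of the DER encoding."""
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }

def normalize(value: str) -> str:
    """Remove separators and invisible characters picked up while copying,
    then insist on a full-length hex digest so a truncated paste is caught."""
    hexed = re.sub(r"[\s:\-\u200b\u200e\ufeff]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", hexed):
        raise ValueError("not a SHA-1 (40) or SHA-256 (64) hex fingerprint")
    return hexed

def matching_digest(pasted: str, der: bytes):
    """Return 'sha1' or 'sha256' if the pasted value matches, else None."""
    wanted = normalize(pasted)
    for name, value in fingerprints(der).items():
        if value == wanted:
            return name
    return None

# Constructed stand-in bytes, NOT a real certificate. With a real export,
# read the .cer/.pem file and pass its text to pem_to_der() instead.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    pasted = fingerprints(der)["sha1"].lower()  # stands in for the copied value
    print("pasted value matches:", matching_digest(pasted, der))
```

Running the same comparison after a certificate renewal in Azure shows whether the fingerprint stored in LearnUpon still corresponds to the active signing certificate.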
On the Enterprise Applications > LearnUpon - Properties page:
- User Access URL takes users straight to the LearnUpon Application after they log in, without any further clicks.
- Copy the User Access URL to a safe place for future use. This URL will be added to your LearnUpon settings in a later step
- The User Assignment Required? setting specifies whether any user can access the LearnUpon Application or if they must first be assigned in the Users and Groups settings
Setting up LearnUpon
Ensure you have the Thumbprint/Fingerprint and User access URL ready.
See the tooltips for additional details, as required.
- From main navigation go to Settings > Integrations > Single Sign On - SAML.
- Select General Settings.
- From Settings, make the following selections:
- Enabled?
- Version: select 2.0
- Skip Conditions: select No
- SAML Token POST param name field: enter the default value of SAMLResponse
- Name Identifier Format: for portals using email addresses as a portal identifier enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Disable portal login page? Turn on if you require all learners to use their Azure SAML Single Sign On User access URL
- Identify Provider Location (IDP SSO Target URL): enter your saved User access URL
- Unauthorized URL and Sign out URL: set to default, unless you have specific URLs to redirect learners for these events
- In Certificate fingerprints, select Manage fingerprints.
- In Manage fingerprints:
- In Fingerprint Value, enter your saved Thumbprint/ Fingerprint
- select this entry as Primary
- Save to finish
- In General Settings, select Save to finish your setup.
- Test your Azure SAML Single Sign On process to confirm it works as expected:
- If you disabled the portal login page, visit your portal URL: it should direct you automatically to your Azure SSO Target URL login page
- If you didn’t disable the login page, visit your Azure SSO User Access URL to confirm you are forwarded to your LearnUpon portal when you log in via Azure SAML SSO
Groups
Note: LearnUpon's Group Sync feature works in a SAML SSO environment only. It does not work in a native Azure Cloud setting: Microsoft limits Azure to sending only the group GUID, instead of the name/title of the group.
Hybrid environment
For a hybrid Azure/Active Directory (Local) environment, you can configure Azure to allow the pass through of the Group name/title.
See Configure group claims for applications by using Microsoft Entra ID
LearnUpon is not responsible for content outside this website.
Azure Cloud-only environment
For an Azure Cloud-only instance, you need to configure the following settings:
- In Attributes & Claims, use the Add Group claim option to create a Group Claim
- Set Which groups associated with the user should be returned in the claim? to Groups assigned to the application
- Set the Source attribute setting to Cloud-only group display names
- Assign any groups that need to pass in the assertion to the SAML application instance
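To confirm these settings took effect, the following added example (not LearnUpon's or Microsoft's code) lints a Base64-decoded SAMLResponse for the choices made in this article: a signed assertion, the emailAddress NameID format, and group values sent as names rather than GUIDs. The groups claim name is Microsoft's claim URI and is an assumption not stated in the article; the sample response is constructed, and the check inspects configuration only without verifying the signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Microsoft's SAML claim name for groups (assumption: not given in the article).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def lint_response(xml_text: str) -> list:
    """Configuration findings for a decoded SAMLResponse (no signature check)."""
    findings = []
    assertion = ET.fromstring(xml_text).find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("assertion is not signed")
    elif method.get("Algorithm", "").endswith("rsa-sha1"):
        findings.append("assertion signed with SHA-1; SHA-256 is the stronger option")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format is not emailAddress")
    # Group Sync needs names; a GUID here means display names are not being sent.
    for attr in assertion.findall("a:AttributeStatement/a:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for value in attr.findall("a:AttributeValue", NS):
            text = (value.text or "").strip()
            if GUID.fullmatch(text):
                findings.append(f"group sent as GUID, not display name: {text}")
    return findings

# Constructed sample, not captured from a real tenant; signature body omitted.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><a:Assertion>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod
 Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
<a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">learner@example.com</a:NameID></a:Subject>
<a:AttributeStatement><a:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<a:AttributeValue>0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0</a:AttributeValue>
<a:AttributeValue>Sales Onboarding</a:AttributeValue>
</a:Attribute></a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(lint_response(SAMPLE))
```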
Next steps with SAML SSO
See:
- SAML SSO: send default and custom user data to LearnUpon, for setting up additional customization for learners to improve their learning experience
- SAML SSO: set up redirects for LearnUpon URLs to make the path to courses and the catalog easy for learners