Set up a basic SAML authentication with Salesforce
Use Salesforce as identity provider (IdP) in your portal.
Availability: all customers
Contact your Customer Success Manager or the support team to add SAML SSO to your portal.
Salesforce provides Single Sign-On (SSO) capability, so:
- users create a single set of credentials with Salesforce
- Salesforce lets users log in to many applications, including LearnUpon, with these credentials
- Salesforce keeps users' login details separate from their LearnUpon usage data
As an identity provider, Salesforce never "sees" or records what courses users take, or their course outcomes. The IdP only provides access to their LearnUpon account and does not send course data.
You can use Salesforce as an IdP only, without installing the Salesforce integration to synchronize data between the two platforms.
Note: If your organization does use the integration to synchronize data between Salesforce and LearnUpon, Salesforce does access learner data. This integration is distinct from using Salesforce as an identity provider. See Salesforce for LearnUpon: setup guide for admins.
This procedure has multiple steps in which you collect information and then enter that information in the feature setups.
Prerequisites
Setting up Salesforce as an identity provider requires:
- SAML SSO turned on for your portal
- any custom user data fields set up on your portal
Note: the YYYY-MM-DD format is required for custom user data fields that contain dates. This format supports integrations for LearnUpon like SSO SAML, and services like batch user upload and API automations.
See:
Custom user data: set up custom fields
Access permissions
- Admins with full portal permissions: can set up the feature
The LearnUpon admin requires access to a Salesforce admin account with full permissions.
This feature is available in sub-portals.
Step 1: set up Salesforce as an identity provider (IdP)
This step happens in your Salesforce environment. Salesforce generates the certificate you use later in LearnUpon, to set up SAML in your portal.
- From Salesforce main navigation go to Setup (gear icon).
- From Setup, use Search to find and select Identity Provider.
- Select Enable Identity Provider.
- Select Save.
- Select Download Certificate to download the Self Signed Certificate with suffix CRT for later use.
Step 2: retrieve the ACS / Consumer URL from your portal
The ACS (Assertion Consumer Service)/Consumer URL tells the IdP where to redirect an authenticated user when they sign in. Your LearnUpon portal provides this URL.
- Log into your LearnUpon portal.
- From main navigation go to Settings > Integrations > Single Sign On - SAML.
- From SAML Integration copy Our SAML Entry Point URL, in format https://yourportal.learnupon.com/saml/consumer, and save it for future use.
The following screenshot shows a sample portal interface with Our SAML Entry Point highlighted.
Step 3: create the SAML Connected App in Salesforce
This step happens in the Salesforce environment.
Note: You must provide contact details for an admin who can manage the SAML app in Salesforce. In case of errors, automated email notifications go to this admin.
- From Salesforce main navigation go to Setup (gear icon).
- From Setup, use Search to find and select App Manager.
- Select New Connected App.
The following screenshot shows Setup, with New Connected App highlighted.
- Enter a Connected App Name, like [Your Portal Name]_SAML.
- In Contact Email, enter the email address of the LearnUpon admin who manages the SAML connection.
- In Web App Settings section, select Enable SAML.
- In Entity Id, enter your full portal domain name, in format yourportalname.learnupon.com (no https://).
- In ACS URL, paste the Our SAML Entry Point URL you copied from the portal in Step 2.
- In Subject Type, select the identifier to use in the assertion Name ID field. LearnUpon recommends using the default Username setting.
- In Name ID Format, select the name format you use on your portal. For example, for Email, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- In IdP Certificate, select Default IdP Certificate to associate the certificate that you created in Step 1 with this SAML instance.
- In Signing Algorithm for SAML Messages, select one of SHA1 or SHA256.
- Save to finish the SAML Connected App.
- From the connected apps Summary page, select Manage.
- From IdP-Initiated Login URL, copy the URL provided by this Salesforce instance, and save it for later. The URL looks something like
https://lup2-dev-ed.my.salesforce.com/idp/login?app=0sp5Y000000Cb3H
The following screenshot shows the Summary page in Salesforce's Connected App Manager, with Manage highlighted.
Step 4: give Salesforce user profiles permissions for the new SAML Connected App
Select the Salesforce user profiles that need access to the SAML service. The user profiles that require access to SAML depend on how your organization sets up Salesforce.
- From the Connected Apps area for the SAML App you created, find Profiles.
- Select Manage Profiles.
- Select the user profiles that need access to the new SAML app.
- Save to finish.
The following screenshot shows selected user profiles in Salesforce before saving changes.
Step 5: configure SAML in the LearnUpon portal
This step happens in your LearnUpon portal.
From main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.
Follow the steps in Set up SAML SSO for your portal.
You can use the suggested default values for most of the settings described in Complete General Settings.
For the fields shown, enter the following values:
- SAML Token POST param name: SAMLResponse
- Identify Provider Location (IDP SSO Target URL): paste IdP-Initiated Login URL from Salesforce, copied in step 3
Step 6: turn the certificate into a fingerprint to upload to the portal
This 2-part step requires an online SAML calculator to generate a fingerprint from your certificate. You enter the fingerprint in your LearnUpon portal as part of the SSO setup.
Tip: Use an online tool like samltool.com to turn an X.509 certificate from your IdP into a fingerprint.
Create a fingerprint
- In a text editor, open the CRT file downloaded from Salesforce in Step 1.
- Select and copy the full text of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Paste the certificate text into the online tool.
- Select the algorithm you used in Salesforce in Step 3, SHA1 or SHA256, to generate a fingerprint.
The following screenshot shows a sample certificate text selected, with some lines obscured, before copying into a SAML calculator.
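The fingerprint is the SHA1 or SHA256 hash of the certificate's decoded (DER) bytes, so it can also be computed locally from the CRT file. The following is an added example, not LearnUpon or Salesforce code; the function names and the sample input are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed sample: placeholder bytes in PEM armour with Windows (CRLF)
# line endings. It is NOT a real certificate.
SAMPLE_DER = bytes(range(120))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
              + "-----END CERTIFICATE-----\r\n")


def fingerprint(pem_text, algorithm="sha256"):
    """Hash the certificate's DER bytes; return colon-separated upper-case hex."""
    bodies = PEM_CERT.findall(pem_text)
    if len(bodies) != 1:  # empty file, or a chain pasted by mistake
        raise ValueError(f"expected exactly 1 certificate, found {len(bodies)}")
    # The fingerprint covers the decoded DER, not the PEM text, so line
    # endings and wrapping must not influence it.
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    digest = ALGORITHMS[algorithm.lower()](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_fingerprint(a, b):
    """Compare fingerprints regardless of case or ':' / space separators."""
    def hex_only(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return hmac.compare_digest(hex_only(a), hex_only(b))


if __name__ == "__main__":
    # Usage: python fingerprint.py salesforce.crt   (file name is an assumption)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for alg in ("sha1", "sha256"):
        print(alg.upper(), fingerprint(pem, alg))
```

Running `openssl x509 -noout -fingerprint -sha256 -in <file>` on the same CRT file prints the same SHA256 value.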
Upload the fingerprint to the portal
- From main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.
- Select Certificate fingerprints.
- Follow the steps in Set up SAML SSO for your portal for Add X.509 fingerprints.
Step 7: final check
Create new LearnUpon accounts automatically
With SSO, you can optionally create accounts for new users in LearnUpon automatically, when users log in to LearnUpon using their Salesforce credentials.
- Log in to your LearnUpon portal.
- From main navigation go to Settings > Integrations > Single Sign On - SAML > User & Group Settings.
- Confirm Create Users if they do not exist in your portal is turned on.
Test the login for access to LearnUpon
- In a new browser tab, enter the IdP-Initiated Login URL you copied from Salesforce in Step 3. The URL looks something like
https://lup2-dev-ed.my.salesforce.com/idp/login?app=0sp5Y000000Cb3H
- Confirm the login process is successful: if you are already logged in with your Salesforce credentials, you should have immediate access to your LearnUpon portal.
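If the test login fails, compare the values entered in Step 3 with what the IdP actually sent in the SAMLResponse POST parameter. The following is an added example, not LearnUpon or Salesforce code: it only reads fields and does not verify the signature, and the sample response, the expected values and the check_response helper are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1",
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256"}

# Constructed sample response; signature value and most elements are omitted.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://yourportal.learnupon.com/saml/consumer">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID
   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">learner@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>yourportal.learnupon.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# Placeholder values standing in for what was entered in Step 3.
SAMPLE_EXPECTED = {
    "ACS URL": "https://yourportal.learnupon.com/saml/consumer",
    "Entity Id": "yourportal.learnupon.com",
    "Name ID Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Signing Algorithm": "SHA256"}


def check_response(saml_response_b64, expected):
    """Return {setting: (expected, found)} for every Step 3 value that differs."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml:  # SAML messages need no DTD; refuse to parse one
        raise ValueError("unexpected DOCTYPE in SAML message")
    root = ET.fromstring(xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    method = root.find(".//ds:SignatureMethod", NS)
    alg = SIG_ALGS.get(method.get("Algorithm")) if method is not None else None
    found = {
        "ACS URL": root.get("Destination"),
        "Entity Id": root.findtext(".//saml:Audience", "", NS).strip(),
        "Name ID Format": name_id.get("Format") if name_id is not None else None,
        "Signing Algorithm": alg}
    return {k: (v, found.get(k)) for k, v in expected.items() if found.get(k) != v}
```

An empty result means the response matches the Step 3 settings; a value captured from a raw form body must be URL-decoded before it is passed in.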
Next steps with SAML SSO
See SAML SSO: send default and custom user data to LearnUpon about setting up additional customization for learners, to improve their learning experience.