Third-party authentication add-on for SAML protocol. Customer guide.
####################################################################

The identity federation standard Security Assertion Markup Language (SAML) 2.0 enables the secure exchange of user authentication data between web applications and identity providers. When you use the SAML 2.0 protocol to enable single sign-on (SSO), security tokens containing assertions pass information about an end user (the principal) between a SAML authority, the identity provider (IdP), and a SAML consumer, the service provider (SP). In this integration, your system acts as the IdP and the LMS acts as the SP.

Integration requisites.
=======================

- Your LMS site must be served from a domain of your own.
- An Enterprise or Performance subscription with the third-party authentication add-on enabled.

Configuration steps.
====================

eduNEXT publishes the metadata for the LMS service
--------------------------------------------------

We completed this initial configuration step before sending you this document: the endpoint that serves the SAML metadata for the LMS service is already active. You will find it at:

.. code-block:: text

   https:///auth/saml/metadata.xml

The Customer must publish the metadata for the Identity Provider Service
------------------------------------------------------------------------

You need to enable SAML for your domain using a provider such as Microsoft Active Directory Federation Services, Okta, OneLogin, Oracle Identity Federation, etc. Once SAML is enabled, find the location of your IdP metadata. You will need to send us this URL later.

Configure the profile fields sent over the SAML assertion
---------------------------------------------------------

When you enable your SAML provider, you can configure which information about each user is shared with the service provider. For us to configure the LMS service correctly for SSO, we need the following fields.

1. MANDATORY FIELDS:

   - Email Attribute
   - User ID Attribute (a unique identifier for each user; if it is not provided, the email is used instead)

2. ADDITIONAL RECOMMENDED FIELDS:

   - Username Hint Attribute (a suggestion used when the user is first created; the user may be able to change it)
   - Full Name Attribute (if it is not provided, the user will have to enter it)

3. OPTIONAL FIELDS:

   - First Name Attribute
   - Last Name Attribute

Prepare a valid test user for eduNEXT
-------------------------------------

Once you enable SAML, our support personnel will have to run some final configurations on our side. For this, we need to be able to test your provider. Please create a user for us; if we can create it ourselves, let us know how. When filling in the profile of the test user on your side, complete it as you would for one of your regular users.

.. code-block:: yaml

   Email: support+organizationname@edunext.co
   Username: edunext_support_organizationname
   First name: fn_edunext organizationname
   Last name: ln_support organizationname
   Full name: n_edunext_support organizationname

.. note:: The organization name is the record you select when creating a new course for your LMS site.

.. image:: ../_assets/OIDC_configuration_orgname.png
   :width: 500px
   :align: center
   :alt: Account information

We also kindly ask you not to delete this user. We will use it from time to time to solve support tickets that you might send us regarding authentication. We also use it to test that your SSO keeps working correctly when we update the underlying technology of our service.

All set on your side
--------------------

After you have completed steps 2, 3, and 4, send us the metadata URL and the credentials for the test user so that we can complete the SSO integration.
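As an added check for the attribute mapping listed under *Configure the profile fields sent over the SAML assertion*, the following Python script (example code written for this guide, not part of the eduNEXT service) parses the ``AttributeStatement`` of a SAML assertion, maps it onto the mandatory, recommended and optional fields above, and applies the documented fallback of using the email when no User ID attribute is sent. The SAML attribute names in ``FIELD_MAP`` and the sample assertion are assumptions; replace them with the names your IdP emits and with an assertion captured for your own test user.

```python
import xml.etree.ElementTree as ET

# Added example, not eduNEXT code. The SAML attribute names on the right are
# assumptions: substitute the names your IdP is configured to emit.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FIELD_MAP = {
    "email": "email",             # mandatory
    "user_id": "user_id",         # mandatory, falls back to email
    "username_hint": "username",  # recommended
    "full_name": "name",          # recommended
    "first_name": "first_name",   # optional
    "last_name": "last_name",     # optional
}
MANDATORY = ("email",)
RECOMMENDED = ("username_hint", "full_name")


def extract_attributes(assertion_xml: str) -> dict:
    """Return {Name: first AttributeValue} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            found[attr.get("Name")] = values[0]
    return found


def check_profile_fields(assertion_xml: str) -> dict:
    """Map assertion attributes onto the guide's fields and report what is missing."""
    attrs = extract_attributes(assertion_xml)
    profile = {field: attrs.get(name) for field, name in FIELD_MAP.items()}
    problems = [f"missing mandatory field: {f}" for f in MANDATORY if not profile[f]]
    if not profile["user_id"] and profile["email"]:
        profile["user_id"] = profile["email"]  # the fallback the guide describes
    problems += [f"missing recommended field: {f}" for f in RECOMMENDED if not profile[f]]
    return {"profile": profile, "problems": problems}


# Constructed sample assertion (not captured from a real IdP): no user_id, no full name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run ``check_profile_fields`` on an assertion from your test user before sending us the metadata URL: an empty ``problems`` list means every field the LMS needs is being released.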