SAML Technology for SSO

iSpring Learn LMS supports SSO via SAML, a process that allows users to authenticate themselves through an external Identity Provider rather than obtaining and using a separate username and password handled by iSpring Learn LMS.

The Identity Provider can be:

  • LDAP – great for enterprise customers that keep their employee database behind the LDAP protocol.

  • Active Directory (AD) – great for companies that manage users in Windows AD.

  • Facebook – used by companies with a high level of social communication.

  • Your own website that stores user email-password pairs in an SQL database.

What is SAML?

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider. SAML addresses web browser single sign-on (SSO).

The SAML specification defines three roles:

  • User

  • Service provider (SP)

  • Identity provider (IdP)

A standard scenario includes these general steps to provide SSO:

  1. User requests a service from the service provider (iSpring Learn in this example).

  2. SP requests and obtains an identity assertion from the IdP.

  3. IdP provides the identity assertion.

  4. On the basis of the assertion, the SP gives a user access to the service.

It can also be described with this detailed UML time sequence diagram, which includes 8 steps:

In order to identify the user, the Identity Provider may request some information from the user, such as a username and password.
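Step 4 of the scenario above ("on the basis of the assertion, the SP gives a user access") is where the service provider must be strict. The following is an added example, not iSpring's or SimpleSAMLphp's code, showing the semantic checks an SP applies to a SAML 2.0 Response once the library has verified the XML signature: status, issuer, audience, validity window, recipient, and InResponseTo (the anti-replay link back to the AuthnRequest the SP issued). The entity IDs and endpoint URLs are the ones that appear in the configuration later on this page; the Response itself is a constructed sample with the signature element omitted, and the `signature_verified` flag stands in for the library's verification result.

```python
"""Checks a SAML SP applies to an IdP Response before granting access (added example).

Cryptographic verification of the XML signature is assumed to have been done by the
SAML library (SimpleSAMLphp delegates it to xmlseclibs); the caller passes that result
as signature_verified. The remaining checks must hold even on a correctly signed message.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Entity IDs and ACS endpoint taken from the configuration shown on this page.
IDP_ENTITY_ID = "http://samlip.local:9040/saml2/idp/metadata.php"
SP_ENTITY_ID = "https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp"
ACS_URL = "https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

# Fixed "current time" used with the constructed sample below.
EXAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 1, 0, tzinfo=dt.timezone.utc)


def _ts(value):
    """Parse a SAML xs:dateTime given in UTC, e.g. 2024-01-01T12:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_response(xml_text, outstanding_request_ids, now, signature_verified,
                   clock_skew=dt.timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means the response is acceptable."""
    failures = []
    if not signature_verified:
        failures.append("signature not verified")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return failures + ["not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        failures.append("status is not Success")
    if root.get("Destination") != ACS_URL:
        failures.append("Destination is not this SP's ACS URL")
    # Unsolicited or replayed responses: InResponseTo must name a request this SP issued.
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        failures.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["no assertion present"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        failures.append("unexpected issuer %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        failures.append("no Conditions element")
    else:
        # Validity window, with a small tolerance for clock drift between IdP and SP.
        if cond.get("NotBefore") and now + clock_skew < _ts(cond.get("NotBefore")):
            failures.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - clock_skew >= _ts(cond.get("NotOnOrAfter")):
            failures.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            failures.append("audience restriction does not name this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        failures.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            failures.append("Recipient is not this SP's ACS URL")
        if scd.get("InResponseTo") != in_response_to:
            failures.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - clock_skew >= _ts(scd.get("NotOnOrAfter")):
            failures.append("subject confirmation expired")
    return failures


def sample_response(not_on_or_after="2024-01-01T12:05:00Z", audience=SP_ENTITY_ID):
    """Constructed sample Response (signature element omitted); a real one is signed by the IdP."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    InResponseTo="_req42" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>student</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req42"
            NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_response(sample_response(), {"_req42"}, EXAMPLE_NOW, signature_verified=True))
```

Run stand-alone it prints `[]` for the well-formed sample; passing an expired `not_on_or_after`, a foreign `audience`, or an empty set of outstanding request IDs returns the corresponding failure strings. The point of returning every failure rather than the first one is that an SP's logs then show exactly which condition a rejected assertion missed, which is what you need when troubleshooting a clock-skew or entity-ID mismatch with the IdP administrator.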

Configuring SAML SSO

Under the SSO setup, iSpring Learn LMS can work as a service provider (SP) through SAML, allowing you to provide SSO services for your domain.

Follow these steps:

  1. Log in to your iSpring Learn account as an administrator and type the address to the SSO settings in your browser: https://yourcompany.ispringlearn.com/settings/sso

  2. Fill out the form, providing the URL and other details of your IdP, and click Save Changes.

Metadata URL: The address of your IdP server pointing to metadata.

Sign On URL: A server script that generates SAML assertions for users to log in.

Logout URL: A server script that generates SAML assertions for users to log out.

Certificate Fingerprint: A shortened hash of the certificate that holds your IdP's public key. If you only need to validate signatures received from the IdP, you can specify the certificate fingerprint instead of storing the full certificate.

Read more about calculating certificate fingerprints →
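To show what the Certificate Fingerprint field expects, here is an added example (not iSpring's or SimpleSAMLphp's code) that computes a fingerprint from a PEM certificate and normalizes the colon-separated, upper-case form that `openssl x509 -noout -fingerprint` prints into the bare lowercase hex used for certFingerprint later on this page. The PEM body in the sample is constructed from the bytes "abc" rather than a real DER certificate, so the value it yields is simply the SHA-1 of those bytes; the comparison step uses the fingerprint value that appears in this page's saml20-idp-remote.php snippet.

```python
"""Computing and comparing an IdP certificate fingerprint (added example)."""
import base64
import hashlib
import hmac
import re


def fingerprint_from_pem(pem_text, algorithm="sha1"):
    """Hash of the DER bytes inside a PEM block, as lowercase hex without colons.

    This is the same digest `openssl x509 -noout -fingerprint -sha1 -in server.crt`
    reports, minus the colons and upper case, which is the form certFingerprint uses.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    return hashlib.new(algorithm, der).hexdigest()


def normalize_fingerprint(value):
    """Accept 'AF:E7:...', 'afe7...' or 'SHA1 Fingerprint=AF:E7:...' and return bare lowercase hex."""
    value = value.split("=", 1)[-1]          # drop an 'SHA1 Fingerprint=' prefix if present
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()


def fingerprint_matches(configured, presented_pem, algorithm="sha1"):
    """True when the certificate in presented_pem has the configured fingerprint."""
    expected = normalize_fingerprint(configured)
    actual = fingerprint_from_pem(presented_pem, algorithm)
    # Constant-time comparison so the number of matching leading bytes is not observable.
    return hmac.compare_digest(expected, actual)


# Constructed sample: the body is base64("abc"), not a real DER certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Fingerprint value as it appears in this page's saml20-idp-remote.php snippet.
PAGE_FINGERPRINT = "afe71c28ef740bc87425be13a2263d37971da1f9"


if __name__ == "__main__":
    print(fingerprint_from_pem(SAMPLE_PEM))
    print(normalize_fingerprint("SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9"))
    print(fingerprint_matches(PAGE_FINGERPRINT, SAMPLE_PEM))
```

Replace `SAMPLE_PEM` with the contents of the IdP's real server.crt to get a value you can paste into the Certificate Fingerprint field; `fingerprint_matches` is the check an SP performs against the certificate an IdP presents, and it returns False for the constructed sample because that sample is not the certificate the page's fingerprint was taken from.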

How to set up SAML on your server

Use this library https://simplesamlphp.org/ to set up a SAML 2.0 IdP server.

Setting up the Service Provider

We take care of setting up the iSpring Learn system as a service provider. Just provide us with the following data:

  1. Name and URL of the Identity Provider

  2. SSL certificate (server.crt)

  3. Private key (server.pem)

  4. certFingerprint (the fingerprint of server.crt)

A service provider server configuration includes the following steps:

  1. Include the name of the Identity Provider and the SSL certificate in config/authsources.php:

    $config = array(
        'default-sp' => array(
            'saml:SP',

            // The entity ID of the IdP this SP should contact.
            // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
            'idp' => 'http://samlip.local:9040/saml2/idp/metadata.php',

            // Key pair this SP uses to sign its requests; by default the paths are resolved under the cert/ directory.
            'privatekey' => 'server.pem',
            'certificate' => 'server.crt',
        ),
    );

  2. Assign SingleSignOnService, SingleLogoutService and certFingerprint for the IdP address in metadata/saml20-idp-remote.php:

    $metadata['http://samlip.local:9040/saml2/idp/metadata.php'] = array(
        // Endpoints the SP sends the browser to for login and logout.
        'SingleSignOnService' => 'http://samlip.local:9040/saml2/idp/SSOService.php',
        'SingleLogoutService' => 'http://samlip.local:9040/saml2/idp/SingleLogoutService.php',
        // SHA-1 fingerprint of the IdP signing certificate, used to validate assertion signatures.
        'certFingerprint' => 'afe71c28ef740bc87425be13a2263d37971da1f9',
    );

Setting up the Identity Provider

To configure the Identity Provider for example-userpass authentication, do the following steps:

  1. Turn on SAML 2.0 and Shibboleth 1.3 support in config/config.php:

    'enable.saml20-idp' => true,
    'enable.shib13-idp' => true,

  2. Enable the authentication module. The modules of the various types are in the modules/ folder. Open the folder of the module that matches the authentication type of your choice, and create an empty file there named enabled.

  3. Configure the authentication module of your choice in config/authsources.php (example for exampleauth:UserPass):

    $config = array(
        'example-userpass' => array(
            'exampleauth:UserPass',
            // Test accounts, keyed as 'username:password', each with the attributes released for that user.
            'student:studentpass' => array(
                'uid' => array('student'),
                'eduPersonAffiliation' => array('member', 'student'),
            ),
            'employee:employeepass' => array(
                'uid' => array('employee'),
                'eduPersonAffiliation' => array('member', 'employee'),
            ),
        ),
    );

  4. Configure the IdP in metadata/saml20-idp-hosted.php by uncommenting the respective lines:

    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP attribute names to OIDs.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),

  5. Add the service provider in the metadata/saml20-sp-remote.php file:

    $metadata['https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
        // Where the IdP posts assertions, and where it sends logout requests and responses.
        'AssertionConsumerService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        'SingleLogoutService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    );

There are plenty of other ways you can pass authorization data other than 'example-userpass'. Check out how to configure simpleSAMLphp for: