
iSpring Learn allows you to use SAML to enable single sign-on to the account.

Authorization with SAML also works in the mobile application.

To set up SAML authentication in your account:

  1. Go to the Settings section, then open the Integrations tab, and, in the SSO area, hit Enable.

  2. Fill out the form fields with the URL and other details of your identity provider, that is, the resource your users are supposed to use for the initial authorization on your corporate portal.

    Issuer Url (IdP Entity ID)

    The URL that uniquely identifies the identity provider service. This value is equal to the Issuer element in the SAML request sent by the identity provider.

    Sign On Url

    Path to the server script which generates SAML identifier confirmation requests to handle authorization.

    Logout Url

    Path to the server script which generates SAML identifier confirmation requests to handle logout.

    Certificate Fingerprint

    A short version of the public key certificate for verifying a digital signature. It is used to confirm signing requests issued by an identity provider. Learn more about certificate fingerprints here.

    Redirect users to the SSO login page

    If this option is enabled, the iSpring login page will have the following URL:

    Add a link on the side panel to return to the main site

    A link to a resource specified by the administrator will appear on the sidebar.

    Link title

    The title of the link that will appear on the sidebar.

    Main site Url

    The address of the link that will appear on the sidebar.

  3. If needed, match fields in iSpring Learn and your SSO service.

  4. Click Enable.


If you get a 400 error and a message about the request being composed incorrectly ("Cannot retrieve metadata for IdP '' because it isn't a valid IdP for this SP") after you enabled SAML in your iSpring Learn account, it means that the value set for the Issuer Url (IdP Entity ID) field is incorrect.

To make the SAML authorization work properly in your account, copy the URL from the error text and paste it into the Issuer Url (IdP Entity ID) field.

Setting Up SAML on the Server

We recommend using the SimpleSAMLphp library to set up your identity provider server to enable authorization with SAML 2.0.

Setting Up iSpring Learn

Configuration of your iSpring Learn account is completed by our employees. Just provide us with the following information:

  1. Identity provider URL
  2. SSL certificate (server.crt)
  3. Secret key (server.pem)
  4. certFingerprint for a quick verification

Setting Up Identity Provider

To set up the identity provider, perform the following steps:

1. Enable support of SAML 2.0 and Shibboleth 1.3 in the config/config.php file.

    'enable.saml20-idp' => true,
    'enable.shib13-idp' => true,

2. Switch on the authorization module. Different authorization modules are located in the modules folder. Open the folder where the needed method is located and create an empty file called enabled in it.

3. Enable the authorization module in the config/authsources.php file. 
Important: email is a required attribute.

    $config = array(
        'example-userpass' => array(
            'exampleauth:UserPass',
            'student:studentpass' => array(
                'uid' => array('student'),
                'email' => '',
                'eduPersonAffiliation' => array('member', 'student'),
            ),
            'employee:employeepass' => array(
                'uid' => array('employee'),
                'email' => '',
                'eduPersonAffiliation' => array('member', 'employee'),
            ),
        ),
    );

4. Configure the identity provider in the saml20-idp-hosted configuration file as in the example below.

    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to oids.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),

5. Add information about the identity provider into the metadata/saml20-sp-remote.php file. 

If you have enabled SAML in your iSpring Learn account and for some reason cannot log in using single sign-on, type the following web address:

You will then sign in to the account as usual, using your login and password.
