iSpring Learn allows you to use SAML to enable single sign-on to the account.
Authorization with SAML also works in the mobile application.
To set up SAML authentication in your account:
- Go to the Settings section, then open the Integrations tab and, in the SSO area, hit Enable.
- Fill out the form fields with the URL and other details of your identity provider. The identity provider is the resource your users use for the initial authorization on your corporate portal.
Issuer Url (IdP Entity ID): the URL that uniquely identifies the identity provider service. This value must equal the Issuer element in the SAML response sent by the identity provider.
Sign On Url: path to the server script that generates SAML identifier confirmation requests to handle authorization.
Path to the server script that generates SAML identifier confirmation requests to handle logout.
Redirect users to the SSO login page: if this option is enabled, the iSpring login page will have the following URL: https://yourcompany.ispringlearn.com/sso/login.
Add a link on the side panel to return to the main site: a link to a resource specified by the administrator will appear on the sidebar.
Link title: the title of the link that will appear on the sidebar.
Main site Url: the address of the link that will appear on the sidebar.
- If needed, match fields in iSpring Learn and your SSO service.
- Click Enable.
If, after enabling SAML in your iSpring Learn account, you get a 400 error with a message saying the request is composed incorrectly ("Cannot retrieve metadata for IdP 'https://myidp.com/oam/fed' because it isn't a valid IdP for this SP"), the value set in the Issuer Url (IdP Entity ID) field is incorrect.
To make the SAML authorization work properly in your account, copy the URL from the error text and paste it into the Issuer Url (IdP Entity ID) field.
Setting Up SAML on the Server
We recommend using the SimpleSAMLphp library to set up your identity provider server for authorization with SAML 2.0.
Setting Up iSpring Learn
Configuration of your iSpring Learn account is completed by our employees. Just provide us with the following information:
- Identity provider URL
- SSL certificate (server.crt)
- Secret key (server.pem)
- certFingerprint for a quick verification
Setting Up Identity Provider
To set up the identity provider, perform the following steps:
1. Enable support of SAML 2.0 and Shibboleth 1.3 in the config/config.php file.
    'enable.saml20-idp' => true,
    'enable.shib13-idp' => true,
2. Switch on the authorization module. The authorization modules are located in the modules folder. Open the folder of the method you need and create an empty file called enabled in it.
3. Enable the authorization module in the config/authsources.php file.
Important: email is a required attribute.
    $config = array(
        'example-userpass' => array(
            'exampleauth:UserPass',
            'student:studentpass' => array(
                'uid' => array('student'),
                'email' => 'email@example.com',
                'eduPersonAffiliation' => array('member', 'student'),
            ),
            'employee:employeepass' => array(
                'uid' => array('employee'),
                'email' => 'firstname.lastname@example.org',
                'eduPersonAffiliation' => array('member', 'employee'),
            ),
        ),
    );
4. Configure the identity provider in the saml20-idp-hosted configuration file as in the example below.
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => array(
        // Convert LDAP names to OIDs.
        100 => array('class' => 'core:AttributeMap', 'name2oid'),
    ),
5. Add information about the identity provider into the metadata/saml20-sp-remote.php file.
    $metadata['https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
        'AssertionConsumerService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
        'SingleLogoutService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',
    );
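The two configuration pitfalls described on this page, the Issuer Url (IdP Entity ID) mismatch behind the 400 error and the required email attribute from step 3, can both be caught by inspecting a SAML response before the setup is handed over. The following Python is an added example, not iSpring or SimpleSAMLphp code; the SAML response it parses is a constructed sample, and the function names are the example's own.

```python
# Added example: pre-flight checks for an iSpring Learn SAML setup. The SAML
# Response below is constructed for illustration, not real IdP output.
# Production code must verify the XML signature before trusting any of it.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://myidp.com/oam/fed</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://myidp.com/oam/fed</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>email@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def response_issuer(xml_text):
    """Top-level <saml:Issuer> of the Response, or None if absent."""
    issuer = ET.fromstring(xml_text).find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def assertion_attributes(xml_text):
    """Map attribute Name -> list of values from the assertion's AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_sso_config(xml_text, configured_idp_entity_id):
    """Return the list of configuration problems; an empty list means the response fits."""
    problems = []
    issuer = response_issuer(xml_text)
    if issuer != configured_idp_entity_id:
        # The mismatch behind the 400 "isn't a valid IdP for this SP" error; the fix
        # is to copy the Issuer value into the Issuer Url (IdP Entity ID) field.
        problems.append(f"Issuer Url mismatch: IdP sends {issuer!r}, form has {configured_idp_entity_id!r}")
    if not assertion_attributes(xml_text).get("email"):
        # email is the attribute iSpring Learn requires in the released attribute set.
        problems.append("required attribute 'email' is missing from the assertion")
    return problems


if __name__ == "__main__":
    # Misconfigured form value: only the host was typed in, not the full entity ID.
    for problem in check_sso_config(SAMPLE_RESPONSE, "https://myidp.com/"):
        print("PROBLEM:", problem)
```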
If you have enabled SAML in your iSpring Learn account and for some reason can't log in using single sign-on, open the following web address: https://yourcompany.ispringlearn.com/login?no_sso.
You can then sign in to the account as usual, using your login and password.
Useful links on SAML authorization: