Article Links Introduction | Technical Details | Set-up Process | Details for SAML Provider |
INTRODUCTION
Convergence uses SAML for Single Sign-On (SSO). Using an external SAML authenticator (like OKTA or similar) clients could utilize their existing credentials and get passed through to the Convergence LMS without having to have a separate username/password to the LMS. We can also support mixed scenarios where some users are using SSO but some still login normally with a username/password.
TECHNICAL DETAILS
When SSO is setup in Convergence, there will be a new “Single Sign-On” button on the login screen. When users click the “Single Sign-On” button, it would take them to the login page for their SAML provider, where they would login with their network credentials. The SAML provider would then perform the authentication against the client’s active directory, and pass the authenticated user into the LMS. The regular login button can be hidden if all users will go through SSO, or if some users still need to login with a username and password, the button can be left visible.
SET UP PROCESS
If the client isn’t currently using a SAML provider, they will need to procure one (Like OKTA or similar), and set it up to connect to their active directory. Once that is setup, the following steps will occur:
- The client will configure their SAML provider (using the settings in the table below) and generate a SAML XML Metafile and send it to Convergence
- Together, both the client and Convergence will decide on the user fields that will act as the unique identity.
- Convergence will use the xml metafile to setup the connection, and will also enable the “Single Sign-On” button on the Login screen
- The client can't test the implementation and ensure everything is working smoothly
DETAILS FOR SAML PROVIDER
The following settings were examples used with an OKTA integration. The “acme” portion of the URLs would be replaced with the actual client subdomain.
|
Single Sign On URL |
https://acme.convergencetraining.com/services/public/saml.aspx |
|
Recipient URL |
https://acme.convergencetraining.com/services/public/saml.aspx |
|
Destination URL |
https://acme.convergencetraining.com/services/public/saml.aspx |
|
Audience Restriction |
https://acme.convergencetraining.com/services/public/saml.aspx |
|
Default Relay State |
(blank) |
|
Name ID Format |
EmailAddress |
|
Response |
Signed |
|
Assertion Signature |
Signed |
|
Signature Algorithm |
RSA_SHA256 |
|
Digest Algorithm |
SHA256 |
|
Assertion Encryption |
Unencrypted |
|
SAML Single Logout |
Disabled |
|
authnContextClassRef |
PasswordProtectedTransport |
|
Honor Force Authentication |
Yes |
|
SAML Issuer ID |
http://www.okta.com/${org.externalKey} |