Convergence Single Sign-On – Convergence Training Support Center

INTRODUCTION

Single Sign On allows users to use their network login credentials to automatically log in to the LMS. This means that they do not need to manually login to the LMS with a username and password.

Convergence uses SAML for Single Sign-On (SSO). Using an external SAML authenticator (like OKTA or similar) clients could utilize their existing credentials and get passed through to the Convergence LMS without having to have a separate username/password to the LMS. We can also support mixed scenarios where some users are using SSO but some still login normally with a username/password.

SINGLE SIGN-ON OPTIONS

You have the following options when you enable single sign-on. Support can:

SSO LOGIN	LMS LOGIN

Hide the LMS login credentials on the landing page and replace it with an SSO button. When the user clicks the button, the LMS will automatically use their network login credentials to login to the LMS automatically. This is a good option if EVERY USER has network login credentials.
Help you set up the Landing Page so that users will be able to use the LMS login or SSO login when some of your users have a network login and others don't.
Deactivate the password reset option in the LMS when SSO is enabled.

ALTERNATE PASSWORD

Please refer to the Convergence Mobile: Enable Alternate Password to learn how to enable an alternate password for the mobile apps.

You can set up a secondary, expiring password for a user to use with our mobile apps. There are two reasons you would want to set up an alternate password:

You want to be able to sign on to LMS using the mobile app and on the computer at the same time
Allow single-sign on users to use the mobile apps via a secondary password when outside their company's network

TECHNICAL DETAILS

When SSO is setup in Convergence, there will be a new “Single Sign-On” button on the login screen. When users click the “Single Sign-On” button, it would take them to the login page for their SAML provider, where they would login with their network credentials. The SAML provider would then perform the authentication against the client’s active directory, and pass the authenticated user into the LMS. The regular login button can be hidden if all users will go through SSO, or if some users still need to login with a username and password, the button can be left visible.

SETUP PROCESS

If the client isn’t currently using a SAML provider, they will need to procure one (Like OKTA or similar), and set it up to connect to their active directory. Once that is setup, the following steps will occur:

The client will configure their SAML provider (using the settings in the table below) and generate a SAML XML Metafile and send it to Convergence.
Together, both the client and Convergence will decide on the user fields that will act as the unique identity.
Convergence will use the xml metafile to setup the connection, and will also enable the “Single Sign-On” button on the Login screen.
The client can test the implementation and ensure everything is working smoothly.

DETAILS FOR SAML PROVIDER

The following settings were examples used with an OKTA integration. The “acme” portion of the URLs would be replaced with the actual client subdomain.

Single Sign On URL	https://acme.convergencetraining.com/services/public/saml.aspx
Recipient URL	https://acme.convergencetraining.com/services/public/saml.aspx
Destination URL	https://acme.convergencetraining.com/services/public/saml.aspx
Audience Restriction	https://acme.convergencetraining.com/services/public/saml.aspx
Default Relay State	(blank)
Name ID Format	EmailAddress
Response	Signed
Assertion Signature	Signed
Signature Algorithm	RSA_SHA256
Digest Algorithm	SHA256
Assertion Encryption	Unencrypted
SAML Single Logout	Disabled
authnContextClassRef	PasswordProtectedTransport
Honor Force Authentication	Yes
SAML Issuer ID	http://www.okta.com/${org.externalKey}

Articles in this section