INTRODUCTION
Single Sign-On allows users to use their network login credentials to log in to the LMS automatically. This means that they do not need to log in to the LMS manually with a username and password.
Convergence uses SAML for Single Sign-On (SSO). With an external SAML authenticator (like OKTA or similar), clients can use their existing credentials and be passed through to the Convergence LMS without needing a separate username/password for the LMS. We can also support mixed scenarios where some users use SSO and others still log in normally with a username/password.
SINGLE SIGN-ON OPTIONS
You have the following options when you enable single sign-on. Support can:
- Hide the LMS login credentials on the landing page and replace them with an SSO button. When the user clicks the button, the LMS will use their network login credentials to log them in automatically. This is a good option if EVERY USER has network login credentials.
- Help you set up the Landing Page so that users will be able to use the LMS login or SSO login when some of your users have a network login and others don't.
- Deactivate the password reset option in the LMS when SSO is enabled.
ALTERNATE PASSWORD
Please refer to the Convergence Mobile: Enable Alternate Password article to learn how to enable an alternate password for the mobile apps.
You can set up a secondary, expiring password for a user to use with our mobile apps. There are two reasons you would want to set up an alternate password:
- You want to be able to sign on to the LMS using the mobile app and on the computer at the same time
- You want to allow single sign-on users to use the mobile apps via a secondary password when outside their company's network
TECHNICAL DETAILS
When SSO is set up in Convergence, there will be a new “Single Sign-On” button on the login screen. When users click the “Single Sign-On” button, it takes them to the login page for their SAML provider, where they log in with their network credentials. The SAML provider then performs the authentication against the client’s Active Directory and passes the authenticated user into the LMS. The regular login button can be hidden if all users will go through SSO; if some users still need to log in with a username and password, the button can be left visible.
SETUP PROCESS
If the client isn’t currently using a SAML provider, they will need to procure one (like OKTA or similar) and set it up to connect to their Active Directory. Once that is set up, the following steps will occur:
- The client will configure their SAML provider (using the settings in the table below), generate a SAML XML metafile, and send it to Convergence.
- Together, both the client and Convergence will decide on the user fields that will act as the unique identity.
- Convergence will use the XML metafile to set up the connection, and will also enable the “Single Sign-On” button on the login screen.
- The client can test the implementation and ensure everything is working smoothly.
DETAILS FOR SAML PROVIDER
The following settings are examples that were used with an OKTA integration. The “acme” portion of the URLs would be replaced with the actual client subdomain.
Setting | Value |
Single Sign On URL | https://acme.convergencetraining.com/services/public/saml.aspx |
Recipient URL | https://acme.convergencetraining.com/services/public/saml.aspx |
Destination URL | https://acme.convergencetraining.com/services/public/saml.aspx |
Audience Restriction | https://acme.convergencetraining.com/services/public/saml.aspx |
Default Relay State | (blank) |
Name ID Format | EmailAddress |
Response | Signed |
Assertion Signature | Signed |
Signature Algorithm | RSA_SHA256 |
Digest Algorithm | SHA256 |
Assertion Encryption | Unencrypted |
SAML Single Logout | Disabled |
authnContextClassRef | PasswordProtectedTransport |
Honor Force Authentication | Yes |
SAML Issuer ID | http://www.okta.com/${org.externalKey} |
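When testing the integration, a captured SAML response can be compared against the settings listed above. The script below is an added example, not Convergence or OKTA code: it assumes the standard SAML 2.0 and XML-DSig URIs for the table's short names, uses a constructed sample response built by the hypothetical helper `sample_response`, and checks structure only (it does not verify the signatures cryptographically).

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS = "https://acme.convergencetraining.com/services/public/saml.aspx"  # from the table
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def sample_response(audience=ACS, sig_method=RSA_SHA256, sign_assertion=True):
    """Constructed sample (hypothetical helper); no signature values, structure only."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_method}"/>'
           f'<ds:Reference><ds:DigestMethod Algorithm="{SHA256}"/></ds:Reference>'
           '</ds:SignedInfo></ds:Signature>')
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}" '
            f'Destination="{ACS}">{sig}<a:Assertion>{sig if sign_assertion else ""}'
            f'<a:Subject><a:NameID Format="{EMAIL}">user@example.com</a:NameID>'
            f'<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS}"/>'
            '</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
            f'<a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>'
            f'<a:AuthnStatement><a:AuthnContext><a:AuthnContextClassRef>{PPT}'
            '</a:AuthnContextClassRef></a:AuthnContext></a:AuthnStatement>'
            '</a:Assertion></p:Response>')

def _get(node, path, attr=None):
    el = node.find(path, NS)
    if el is None:
        return None
    return el.get(attr) if attr else (el.text or "").strip()

def check_response(xml_text):
    """Return the table settings the response deviates from (empty list = conforms)."""
    resp = ET.fromstring(xml_text)
    asr = resp.find("a:Assertion", NS)
    if asr is None:  # e.g. an EncryptedAssertion; the table says Unencrypted
        return ["Assertion Encryption"]
    scd = "a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData"
    checks = [("Destination URL", resp.get("Destination"), ACS),
              ("Recipient URL", _get(asr, scd, "Recipient"), ACS),
              ("Audience Restriction", _get(asr, "a:Conditions/a:AudienceRestriction/a:Audience"), ACS),
              ("Name ID Format", _get(asr, "a:Subject/a:NameID", "Format"), EMAIL),
              ("authnContextClassRef", _get(asr, ".//a:AuthnContextClassRef"), PPT)]
    for label, node in (("Response", resp), ("Assertion Signature", asr)):
        sm = _get(node, "ds:Signature/ds:SignedInfo/ds:SignatureMethod", "Algorithm")
        dm = _get(node, "ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", "Algorithm")
        checks += [(label, sm, RSA_SHA256), (label + " digest", dm, SHA256)]
    return [name for name, got, want in checks if got != want]
```

The signature lookups use direct-child paths, so a signed assertion inside an unsigned response is reported as a missing "Response" signature and is not mistaken for one.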