Skip to main content

Articles in this section

SSO and SAML configuration

  • Last updated:

Be aware: If you're a single-tenant customer, this guide will not work for you. If you want to set up SSO for your Learning Record Store instance, please contact support@learningpool.com

Single Sign-On (SSO) via Security Assertion Markup Language (SAML) on Learning Record Store is configured at the  organisation level. Multiple organisations on a single instance can have different SAML configurations, but the users must be separate, i.e. a single user cannot log into two organisations via SAML with the same email address.

Please see the following video for an overview of SAML:

 

Configuring SSO

The following fields are provided by your Identity Provider (IdP) and need to be added to the SAML configuration form in Learning Record Store:

Field

Description

Example

Provider login URL

SAML 2.0 Endpoint

https://example.onelogin.com/trust/saml2/http-post/sso/12345678-abcdefgh

Provider logout URL

Single LogOut (SLO) Endpoint

https://example.onelogin.com/trust/saml2/http-redirect/slo/12345678

Provider public key

X.509 Certificate

-----BEGIN CERTIFICATE-----\n<redacted>\n-----END CERTIFICATE-----

 

SSo

 

Configuring your identity provider

The following fields are provided by Learning Record Store in the SAML configuration on the organisation and need to be added to the configuration in your Identity provider (requirements vary per IdP):

Field

 Format

Example

Assertion Consumer Service (ACS) endpoint

<yourEndpoint>/api/v2/saml/<organisationId>/endpoint/<samlId>

https://example.learninglocker.net/api/v2/saml/62610b488e2a6bfeda5cfb3b/endpoint/624f3e4c0ee85e0d0cc3ca46

Audience (EntityID)

<yourEndpoint>/<samlId>

https://example.learninglocker.net/624f3e4c0ee85e0d0cc3ca46

Login URL

<yourEndpoint>/login/sso/<organisationId>/saml/<samlId>

https://example.learninglocker.net/login/sso/62610b488e2a6bfeda5cfb3b/saml/624f3e4c0ee85e0d0cc3ca46

Logout URL

<yourEndpoint>/logout/sso/<organisationId>/saml/<samlId>

Note: For our dev/test OneLogin instances we found we needed:
<yourEndpoint>/logout/sso/<organisationId>

https://example.learninglocker.net/logout/sso/62610b488e2a6bfeda5cfb3b/saml/624f3e4c0ee85e0d0cc3ca46

 

FAQs

What happens if a user doesn’t already exist in Learning Record Store when they try to log in through their identity provider?

A new user will be created using the email address, note that no role is assigned at user creation

 

Error messages and their solutions

Error Solution
User not authorised to access this organisation via SSO. The SAML Enabled toggle on the user is not enabled, this can be enabled per user via the ‘Saml sso’ toggle on the Users page in Learning Record Store:
SAML not enabled. The samlPublicKey and samlPrivateKey are not present in the siteSettings collection - please contact support@learningpool.com 
An error occurred The audience (entity id) is either incorrect or not set in your identity provider.

 

Related articles

In this article