This document outlines the steps necessary to use the new SAML Single Sign-On in the RLMS.
For the SAML panel to show in the settings, the checkbox “Show SAML SSO Panel” needs to be checked for the site. A client will specifically need to request SAML to be turned on for them, and a Relias Learning Support representative will toggle this field. From there, the support representative should further assist with the configuration.
Now that the panel is showing, a user with administrative permissions should log in. The user needs to switch over to their Administrator profile, and click on the settings tab in the RLMS.
Once on the settings screen, navigate down to the panel entitled “SAML Single Sign-On Settings”.
Use SAML SSO – This should be checked if the organization would like their users to log in using SAML SSO
Show Log In Splash Screen – When this is checked, the user will be presented with a log in screen as opposed to being redirected immediately to the Identity Provider log
Allow Traditional Login – This determines whether the user can log into the RLMS with the normal log in screen should their SSO credentials fail. When this is checked, a link will appear on the splash screen as well, allowing them to bypass SSO and use the traditional log in.
User Lookup Key Name – The name of the field that contains the GUID of the user that is being passed in from the Identity Provider. For example, in the image above, the Identity Provider has mapped their GUID to a field they have named “username”. This is required for the RLMS Consumer Service to process which user is trying to log in.
Hosted Metadata File / Upload Metadata File – The radio buttons will toggle how the RLMS Consumer Service will communicate with the Identity Provider. The Identity Provider has two options:
Hosted Metadata File – The Identity Provider will publish their Metadata XML file on their server, and provide a link for the RLMS Consumer Service to access the file.
Upload Metadata File – The Identity Provider may upload their Metadata XML file directly into the RLMS for the Consumer Service to look up the values locally.
*Note that once the file is uploaded, the values still need to be saved by clicking the save button at the top of the page.
Assertion Consumer Service URL – This is a read-only field from which the user can copy the URL. The URL will be needed on the Identity Provider’s side to communicate with the RLMS SSO service.
The Metadata XML file is the key piece of communication between the Identity Provider and the RLMS Consumer Service. The two most important keys are below:
1. Certificate key:
2. Clients Single Sign On Landing Page:
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://stubidp.kentor.se/" />
Certificate Key – This is the key of the X509 Certificate that resides on the Identity Provider’s server. The SSO transaction will not complete if the key in the XML file does not match the certificate on the server.
Clients Single Sign On Landing Page – This is used in the SSO handshake to tell the RLMS Consumer Service where it should redirect to on the Identity Provider’s server for the user to log in.
When the SSO request is sent to the Identity Provider, it will have the name “http://ReliasLearningAssertionConsumerService/<Org ID Here>”
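The following is an added example, not code from the RLMS or from Relias Learning, that shows the two pieces of the handshake described above from the consumer side: reading the signing certificate and the HTTP-Redirect SingleSignOnService Location out of an Identity Provider Metadata XML file, and pulling the user GUID out of an assertion using the User Lookup Key Name (the page's example name “username”). The metadata, the certificate bytes and the assertion are constructed sample data; the certificate is placeholder bytes rather than a real X509 certificate, and the code assumes the assertion's signature has already been verified against that certificate before attributes are trusted. Only the Python standard library is used.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. The X509Certificate body is placeholder bytes,
# not a real certificate; the Location matches the example on the page.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-certificate-bytes").decode()
IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://stubidp.kentor.se/Metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="http://stubidp.kentor.se/" />
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample assertion; a real one would also carry a Signature element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://stubidp.kentor.se/Metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def cert_fingerprint(cert_b64):
    """SHA-256 over the DER bytes of a base64 X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract the signing certificate fingerprints and the HTTP-Redirect SSO URL."""
    root = ET.fromstring(xml_text)
    fingerprints = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text))
    sso_location = None
    for svc in root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_location = svc.get("Location")
            break
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    if sso_location is None:
        raise ValueError("metadata carries no HTTP-Redirect SingleSignOnService")
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": fingerprints,
        "sso_location": sso_location,
    }


def check_metadata(info):
    """Return a list of warnings a reviewer would raise before saving the settings."""
    warnings = []
    if urlparse(info["sso_location"]).scheme != "https":
        warnings.append("SingleSignOnService Location is not https; the redirect "
                        "and the SAMLRequest in it travel unprotected")
    if len(info["signing_cert_sha256"]) > 1:
        warnings.append("more than one signing certificate; confirm which one the "
                        "Identity Provider's server actually presents")
    return warnings


def lookup_user_key(assertion_xml, key_name):
    """Return the GUID carried in the attribute named by User Lookup Key Name."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == key_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is None or not (value.text or "").strip():
                raise ValueError(f"attribute {key_name!r} is present but empty")
            return value.text.strip()
    raise ValueError(f"assertion carries no attribute named {key_name!r}")


if __name__ == "__main__":
    info = parse_idp_metadata(IDP_METADATA)
    print(info["entity_id"], info["sso_location"], info["signing_cert_sha256"][0])
    for w in check_metadata(info):
        print("WARNING:", w)
    print("user GUID:", lookup_user_key(SAMPLE_ASSERTION, "username"))
```

The fingerprint is what an administrator would compare against the certificate the Identity Provider's server actually serves, which is the mismatch the page warns will stop the transaction from completing; the https check flags the page's own http://stubidp.kentor.se/ example, which is fine for a stub but not for a production Identity Provider. A lookup key that names an attribute the Identity Provider never sends is the other common misconfiguration, and the function raises rather than silently matching nothing.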
*IT Admins can find more information on creating X509 Certificates using Windows Azure here.