To configure the SSO integration of Litmos with Azure Active Directory (AD), you need to create an application.
To create an application, perform the following steps:
- In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
- Navigate to Enterprise applications, then go to All applications.
- To add a new application, click the New application button at the top of the dialog.
- In the search box, type Litmos, select Litmos from the result panel, then click the Add button to add the application.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Litmos application.
To configure Azure AD single sign-on with Litmos, perform the following steps:
1. In the Azure portal, on the Litmos application integration page, click Single sign-on.
2. On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
3. Under the Basic SAML Configuration section, perform the following steps:
a. In the Identifier textbox, type a URL using the following pattern:
https://<companyname>.litmos.com/integration/splogin
b. In the Reply URL textbox, type a URL using the following pattern:
https://<companyname>.litmos.com/integration/splogin
Note - If you are on the AU or EU instance of Litmos, update the URLs accordingly:
AU - litmos.com.au / EU - litmoseu.com
Ensure that the Default box is checked for both the Identifier & the Reply URL:
4. As part of the configuration, you need to customize the SAML token attributes for your Litmos application.
Select the edit icon to display the 'User Attributes & Claims' values.
We recommend that you remove the default claims (except user.userprincipalname) and re-create the following. Attribute names are case-sensitive, so enter them exactly as shown:

| Attribute Name | Attribute Value |
|---|---|
| FirstName | user.givenname |
| LastName | user.surname |
|  | user.mail |

When creating each claim, leave the 'Namespace' value blank.
5. In the SAML Signing Certificate section, download the Federation Metadata XML file and save it on your computer. This file contains the entityID, the sign-on endpoints and the signing certificate that Litmos will trust.
6. In a different browser window, sign-on to your Litmos company site as an account owner.
7. In the navigation bar on the left side, click Accounts.
If your menu bar is not on the left-hand side, click your initials (the icon in the top right corner) to open the drop-down menu and select Account Settings.
8. Click the Integrations tab and then click SAML 2.0 tab.
9. Open the metadata XML file in a text editor, copy its contents to your clipboard, and paste them into the SAML Metadata field.
Important! Exclude the first line of the metadata, <?xml version="1.0" encoding="UTF-8"?>, as Litmos returns an error if it is included.
Important! Make sure "Verify assertion signatures and encryption" is unchecked; the Litmos integration does not support this option with Azure AD. (The reason often given, that Azure uses self-signed certificates, is not the limitation in itself: Azure AD signs its SAML assertions, and a self-signed signing certificate can still be verified against the copy carried in the metadata.) Be aware that with this option unchecked, Litmos does not verify the signature on incoming assertions, so keep this setting in mind when reviewing the security of the integration.
10. Assign the application to yourself in the Azure portal (see 'Provision Azure AD User access' below) and test single sign-on.
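Two checks a practitioner will want before and after steps 5 to 10 above: that the metadata being pasted is the IdP metadata you expect (entityID, sign-on endpoints, signing-certificate thumbprints) with the XML declaration removed, and that the assertion Azure AD actually sends carries the case-sensitive attribute names from the claims table and an Audience equal to the Identifier configured in Azure. The script below is an added example, not Litmos or Microsoft code. It assumes the Azure AD federation metadata file from the SAML Signing Certificate section and a SAMLResponse value captured from the browser during the test sign-in; both are stood in for here by constructed samples with a placeholder tenant id and a placeholder (non-DER) certificate blob, and the `example.litmos.com` Identifier is likewise an assumption.

```python
# Added example (not Litmos or Microsoft code). Assumes the Azure AD federation
# metadata XML and a base64 SAMLResponse form value; both are constructed below.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Litmos attribute names are case-sensitive and carry no namespace. The claims
# table on the page names only these two; the user.mail claim's name is not shown.
REQUIRED_ATTRIBUTES = ("FirstName", "LastName")

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>\s*")


def strip_xml_declaration(metadata: str) -> str:
    """Drop the leading <?xml ...?> line, which Litmos rejects when pasted."""
    return XML_DECL.sub("", metadata, count=1)


def summarize_idp_metadata(metadata: str) -> dict:
    """Extract entityID, SSO endpoints and signing-certificate digests from the
    federation metadata so they can be compared with what Azure and Litmos show."""
    root = ET.fromstring(strip_xml_declaration(metadata))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" means signing and encryption
            continue
        der = base64.b64decode("".join(kd.find(".//ds:X509Certificate", NS).text.split()))
        certs.append({"sha1": hashlib.sha1(der).hexdigest(),    # portal "Thumbprint" format
                      "sha256": hashlib.sha256(der).hexdigest()})
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_assertion(saml_response_b64: str, expected_identifier: str) -> dict:
    """Decode a SAMLResponse and report the attributes Litmos will see, required
    names that are missing or only match with different case or a namespace
    prefix, and whether the Audience equals the Identifier configured in Azure."""
    root = ET.fromstring(base64.b64decode(saml_response_b64).decode("utf-8"))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    wanted = {n.lower() for n in REQUIRED_ATTRIBUTES}
    missing = [n for n in REQUIRED_ATTRIBUTES if n not in attrs]
    near_misses = [n for n in attrs
                   if n not in REQUIRED_ATTRIBUTES and n.rsplit("/", 1)[-1].lower() in wanted]
    aud = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {"attributes": attrs, "missing": missing, "near_misses": near_misses,
            "audience_ok": aud is not None and aud.text == expected_identifier}


# --- constructed samples: placeholder tenant id, placeholder (non-DER) certificate ---
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CERT_DER = b"constructed placeholder, not a DER-encoded certificate"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

EXPECTED_IDENTIFIER = "https://example.litmos.com/integration/splogin"  # assumed company name
# "lastname" (wrong case) and the namespaced e-mail claim stand in for two common misconfigurations.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{EXPECTED_IDENTIFIER}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_IDENTIFIER}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE_METADATA))
    print(check_assertion(SAMPLE_SAML_RESPONSE_B64, EXPECTED_IDENTIFIER))
    print(strip_xml_declaration(SAMPLE_METADATA)[:60])
```

Against a real file, read it in place of SAMPLE_METADATA, confirm the entityID and SHA-1 thumbprint match the SAML Signing Certificate section in the portal, and paste the output of strip_xml_declaration into Litmos. A SAMLResponse can be captured with the browser's developer tools from the POST to the Reply URL during the test sign-in; on the sample, the report lists "LastName" as missing and "lastname" as a near miss, which is exactly the case-sensitivity problem the claims step warns about.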
Deep Linking to a course
Deep linking directs a user straight to a course or learning path instead of the home page. To use it, append the RelayState parameter to the User access URL of the application you configured in Azure.
An example RelayState link is shown in the screenshot below. The first part of the URL is the User access URL, available on the application's Properties page in Azure, and the second part is the RelayState parameter, which carries the course Id (12345 in the example). The course Id can be found on the course settings page, as shown in the screenshots below.
Determine how users sign into Litmos
You can choose how users sign into Litmos: allow users to log in with a username/password and provide a link to the 'User access URL' on the login page, or automatically sign users in via the 'User access URL'.
Method 1: Allow users to login with a username/password and provide a link to the User access URL on the login page:
While in the application you created in Azure AD, obtain the 'User access URL':
- Under Manage, select Properties.
- Copy the 'User access URL' by selecting the blue copy icon (the URL should look like this: https://myapps.microsoft.com/signin/xxxxxx).
In Litmos, sign in as the Account Owner:
- Go to "Account settings".
- Select "Messages & Settings" and add your desired HTML code to the "Login" box, replacing User access URL with the URL you copied. A template is shown below:
  To login via Azure AD account, <a href="User access URL">Click HERE</a>
- Scroll to the bottom of the page and click "Save" to apply your changes.
- The next time you log out of your Litmos account, you will see the message in the login box.
In order to use this method, you need to have uploaded your company logo via Settings > Theme. If you are using the default Litmos logo, the code will not appear on the login page.
Method 2: Automatically sign in users via the "User access URL"
Users will not be able to sign in with a username/password via this method. The user needs to exist in Litmos and to be added as a user in the app you created in Azure AD.
Please let Litmos Support know your 'User access URL' and we will apply the redirect for you. The 'User access URL' can be found in the application you created in Azure AD:
- Under Manage, select Properties.
- Copy the 'User access URL' by selecting the blue copy icon (the URL should look like this: https://myapps.microsoft.com/signin/xxxxxx).
Note: If you use Method 2, you will not be able to utilise the 'Sign Out' option, as signing out redirects you back to your Azure User access URL (thus signing the user back in). If you want users to be able to sign out of Litmos, please use Method 1.
Provision Azure AD User access
You need to assign access to users in Azure AD before they can access Litmos via single sign-on.
- On the application's page, select 'Users and groups', then use the 'Add user' button to assign individual users or groups to the app. A user who does not appear here will not be able to log in via SSO.