This article guides you through the creation and testing of a Single Sign On (SSO) application that allows users in your OneLogin instance to sign into their Emtrain Learner Portal from a link in their OneLogin portal, using SAML 2.0 authentication. These features are not enabled by default. If you are interested in using them, please contact your account representative or support for more information.
To complete the tasks outlined in this article, you will need to have Administrator privileges in your OneLogin instance, and either Administrator access to your Emtrain account or contact with the administrator of your Emtrain account to obtain your account's API key.
Before creating an SSO app in OneLogin, the following prerequisites are required:
- Active Emtrain account (Complete/Enterprise level plan)
- Active OneLogin account
- Your OneLogin X.509 certificate
- Your Emtrain API key (Found in the Developer Integration link under the My Account section of your dashboard)
- All users of the Emtrain SSO app must have a valid, unique email address that is consistent in OneLogin and on Emtrain.
- A single email address cannot be used by more than one user
- Any user who is to use the SSO app must have an email address in their Emtrain learner profile
- User's email addresses must match across both platforms (OneLogin and Emtrain)
- The OneLogin administrator creating the SSO app should have an Emtrain learner profile to test the integration.
After you have confirmed that the above requirements are met, you can begin to create an Emtrain SSO app in OneLogin.
Adding a SAML Connector in OneLogin.
First, create the SAML Connector in OneLogin.
- In the OneLogin admin panel, click Add App:
Then search for SAML Test Connector (IdP w/attr) in the search box. Click on SAML Test Connector (IdP w/attr) to create a new connector.
- Enter Emtrain as the name of the application, and upload the Emtrain logo images, then click Save. (Correctly sized images can be found at the bottom of this article)
- Click the Configuration tab. For this step, you will need your Emtrain API Key. If you do not have your API key, refer to the instructions at the top of this article. Fill out the Application Details fields as follows, then click Save:
- Relay State: Leave blank
- Audience: https://lms.emtrain.com/lms/sign-on/one-login/metadata.php
- Recipient: https://lms.emtrain.com/lms/sign-on/one-login/index.php?acs
- ACS (Consumer) URL Validator: ^https:\/\/lms\.emtrain\.com/lms\/sign-on\/one-login\/index\.php\?acs$
- ACS (Consumer) URL: https://lms.emtrain.com/lms/sign-on/one-login/index.php?acs&key=(append your emtrain api key here)
- Single Logout URL: https://lms.emtrain.com/lms/sign-on/one-login/index.php?sls&key=(append your emtrain api key here)
Be sure to click Save after entering the Application Details URLs!
- Your OneLogin X.509 PEM certificate. The certificate can be found under the Enable SAML 2.0 section under X.509 Certificate. Click View Details, then click Download to download your OneLogin certificate. Use the standard strength certificate. Be sure that the format is set to X.509 PEM when downloading the certificate.
- Copy the Issuer URL
- Copy the SAML 2.0 Endpoint
- Copy the SLO Endpoint
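The ACS (Consumer) URL Validator entered in the Application Details step is an anchored regular expression. The following added example (not part of Emtrain's or OneLogin's documentation) runs that pattern and a constructed loose variant over constructed sample URLs. It assumes the validator behaves as an ordinary regular-expression search; `LOOSE_VALIDATOR`, `EXAMPLE_KEY` and the `example.net` hosts are made up for illustration.

```python
import re

# Pattern copied from the "ACS (Consumer) URL Validator" field above.
ACS_VALIDATOR = r"^https:\/\/lms\.emtrain\.com/lms\/sign-on\/one-login\/index\.php\?acs$"

# Constructed contrast (not from the article): no anchors, unescaped dots.
LOOSE_VALIDATOR = r"https://lms.emtrain.com/lms/sign-on/one-login/index.php\?acs"

# The Recipient value from the Application Details step.
RECIPIENT = "https://lms.emtrain.com/lms/sign-on/one-login/index.php?acs"

# Constructed sample URLs; EXAMPLE_KEY and example.net are placeholders.
SAMPLES = {
    "recipient as configured": RECIPIENT,
    "plain http": RECIPIENT.replace("https://", "http://"),
    "different host, same path":
        "https://lms.emtrain.com.example.net/lms/sign-on/one-login/index.php?acs",
    "dot replaced in hostname":
        "https://lms-emtrain.com/lms/sign-on/one-login/index.php?acs",
    "embedded in another URL": "https://example.net/?next=" + RECIPIENT,
    "key parameter appended": RECIPIENT + "&key=EXAMPLE_KEY",
}


def accepted(pattern, url):
    """Assumption: the validator is evaluated as a regular-expression search."""
    return re.search(pattern, url) is not None


def evaluate(pattern):
    """Return {sample label: accepted?} for every constructed sample URL."""
    return {label: accepted(pattern, url) for label, url in SAMPLES.items()}


if __name__ == "__main__":
    strict, loose = evaluate(ACS_VALIDATOR), evaluate(LOOSE_VALIDATOR)
    for label in SAMPLES:
        print(f"{label:28} strict={strict[label]!s:5} loose={loose[label]!s:5}")
```

The pattern as given accepts only the exact Recipient URL, while the loose variant also accepts the altered hostname, the embedded URL and the URL with a parameter appended.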
Configuring SSO with your OneLogin SAML Connector Application:
Once you have the SAML Connector application configured in OneLogin, you are ready to configure your Emtrain account to use SAML authentication via your connector application.
- Click the Developer Integration link in the My Account section of your Emtrain dashboard, then click the Configure SSO tab.
- Select OneLogin as the SSO Identity Provider
- Paste the Issuer URL, SAML 2.0 Endpoint and SLO Endpoint URLs you copied earlier into the corresponding fields, then click the Save button. (NOTE: The SAML 2.0 Endpoint URL will be embedded in the login instructions in emails to your learners.)
- Upload your OneLogin X.509 certificate.
The configuration is now complete on the Emtrain LMS side.
Testing Single Sign On
Now that you have set up the OneLogin SAML Connector and configured Single Sign On in your Emtrain LMS, you can test the application. Any test user will need:
- A OneLogin user account with the SAML Connector app provisioned to it
- An Emtrain learner account (The Email field on the learner profile must be the same as the user's email address on their OneLogin account)
Testing the application from your OneLogin App Portal:
- Confirm that clicking the Connector application icon in your App Portal redirects you to your Emtrain Learner Portal.
- Confirm that after logging out of your OneLogin portal with an open Emtrain Learner Portal, you are unable to access items in the learner portal without signing back into your OneLogin portal. *Note that if you have a training course open when you log out of OneLogin, you will remain authenticated in Emtrain and your progress will be recorded until you exit the course.
Testing Single Sign On using a SAML Endpoint Link:
The SAML Endpoint link is embedded in announcement and reminder emails sent to learners from the Emtrain LMS in place of traditional login instructions. You may either use a test email sent by your Emtrain administrator, or simply use the SAML endpoint link for the connector application to test.
- While actively signed into OneLogin, click or paste the SAML Endpoint link into your browser and confirm that you are authenticated and re-directed to your Emtrain learner portal.
- Log out of OneLogin. Click or paste the SAML Endpoint link into your browser and confirm that you are prompted to sign into OneLogin. Confirm that you are authenticated and redirected to your Emtrain Learner Portal after signing into OneLogin.