Intended Audience: Admins
Log in seamlessly through your identity provider
Safety Made Simple uses SAML to let customers who use
identity providers (IdPs) like OneLogin, G Suite, Salesforce, or Microsoft
Active Directory/ADFS sign in their users automatically.
SAML (Security Assertion Markup Language) enables a user, authenticated on one
system, to sign in to another system automatically, without typing a username
and password. This process is known as Single Sign-On (SSO), and SAML is the
most common form of SSO.
We support the Identity Provider-initiated HTTP-POST SAML v2.0 profile.
For portals
that use a login page, the page displays the SSO options. For portals that turn
off the login page, users are directed to their identity provider (IdP) page to
log in, to access the portal on their mobile device.
Note: We support a
single SAML configuration per portal.
When you set
up SAML, you must enter at least 1 fingerprint for an
X.509 public certificate. You download the certificate from your IdP. You can
enter as many fingerprints as you need. If you enter more fingerprints, you can
set 1 as your primary fingerprint for SAML verification.
Tip: Use an online
tool like samltool.com to turn an X.509 certificate from your IdP into
a fingerprint.
Access permissions
· admins with full portal permissions: can set up
SAML SSO
This feature
is available in sub-portals. If you use sub-portals, you set SAML configuration
separately for each portal.
· SAML SSO turned on for your portal
· any related custom user data fields set up in Safety Made Simple
Note: the
YYYY-MM-DD format is required for custom user data fields that
contain dates. This format supports integrations for Safety Made
Simple like SSO SAML, and services like batch user upload and API automations.
View SAML entry points
From main navigation go to Settings
> Integrations > Single Sign On - SAML. The
SAML SSO page displays:
· SAML Entry Point/Consumer URL/ACS URL in format:
https://yourportalname.learnupon.com/saml/consumer
· SAML Metadata URL in format:
The following
screenshot shows the SAML Integration page, with sample domain
names obscured.
Complete general settings
On this page,
turning on SAML in Settings makes the SAML
Hardening options available.
Saving Settings and Hardening
options makes Certificate fingerprints available.
Note: SP-initiated SAML, aka service provider-initiated SAML, requires the hardening option
to limit the SAML target URL to the relevant subdomain.
1. From main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.
2. From Settings, make
the following entries:
· Enabled?: select
to activate SAML for your portal
· Version: select
2.0
· Skip Condition: select No (recommended) or Yes
· SAML Token POST param name: enter the parameter name sent to your portal's consumer URL that
contains the SAML assertion. This field is case-sensitive
· Name Identifier Format: define the format in your SAML
assertion, where Safety Made Simple can find the user's identifier
· Identity Provider Location (IDP SSO Target URL): the destination URL where Safety
Made Simple sends users if they select the icon you upload on the portal login
screen
· Disable portal login page: (optional) to redirect users to the IDP SSO URL
· Unauthorized URL: destination URL for users who aren't authorized, based on the
SAML assertion
· Sign Out URL: destination URL for users who select Sign Out on
the portal
· Enable SP-initiated SAML?:
(optional) lets you redirect learners from internal pages, iCals and emails.
3. Save to finish this section.
When you
select Disable
portal login page in the General
Settings, you can still access the portal login page by
adding users/sign_in?no_sso=true to
the standard portal URL. For example:
yourportalname.safetymadesimple.com/users/sign_in?no_sso=true
The following
screenshot shows the first part of the SAML SSO > General Settings page,
with the sample domain name obscured.

Set hardening options
When you turn
on Enabled for
SAML, Hardening
options become available.
Hardening
your SAML configuration refers to limiting the SAML issuer to your subdomain
mydomainname.safetymadesimple.com.
Note: SP-initiated
SAML, aka service provider-initiated SAML, requires the hardening option to
limit the SAML target URL to the relevant subdomain.
If you leave
this option deactivated, you allow SAML assertions issued by other Safety Made
Simple domains.
When you
change any Hardening options, Safety Made Simple saves your
changes immediately and refreshes the page.
1. From main navigation go to Settings >
Integrations > Single Sign On - SAML > General Settings.
2. From Limit SAML
issuer to your subdomain, select Activate.
3. In the Activate
subdomain requirement? dialog that opens, select Activate to
confirm.
Limit
SAML issuer to your subdomain displays an Active status.
By default, Safety
Made Simple sets the other options for signed assertions, skipping destinations
and skipping subject confirmation, at the highest level
of security for your SAML setup.
Changing
these settings removes those security options. Check with your IT team before
making changes.
1. From main navigation go to Settings >
Integrations > Single Sign On - SAML > General Settings.
2. From Hardening
options:
· for Sign SAML
assertion, select Deactivate as required
· for Check
destination, select Activate as required
· for Check subject
confirmation, select Activate as
required
· for Sign
Authn Requests, select Activate as required
The following
screenshot shows Hardening options with default settings
for a new portal.
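As an illustration of what Check destination and Check subject confirmation verify in standard SAML 2.0 terms, here is an added example (not the portal's own code; that the portal applies exactly these rules is an assumption). The function names and the sample response are constructed, and signature verification, which the Sign SAML assertion option governs, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS = "https://yourportalname.learnupon.com/saml/consumer"  # URL format shown on the page
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)      # constructed clock value

def hardening_failures(response_xml, acs_url, now):
    """Return the checks a SAML response fails (empty list means both pass)."""
    root = ET.fromstring(response_xml)  # production code should use a hardened XML parser
    failures = []
    # Check destination: the Response must be addressed to this ACS URL.
    if root.get("Destination") != acs_url:
        failures.append("destination")
    # Check subject confirmation: a bearer confirmation must name this ACS URL
    # as Recipient and carry a NotOnOrAfter time that is still in the future.
    confirmed = False
    for sc in root.iterfind(".//a:Assertion/a:Subject/a:SubjectConfirmation", NS):
        data = sc.find("a:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        expiry = data.get("NotOnOrAfter", "")
        fresh = bool(expiry) and datetime.fromisoformat(expiry.replace("Z", "+00:00")) > now
        if data.get("Recipient") == acs_url and fresh:
            confirmed = True
    if not confirmed:
        failures.append("subject confirmation")
    return failures

def sample_response(destination, recipient, not_on_or_after):
    """Build a constructed, unsigned SAML response for the demonstration."""
    return f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}" Destination="{destination}">
  <saml:Assertion><saml:Subject>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(hardening_failures(sample_response(ACS, ACS, "2025-01-01T00:05:00Z"), ACS, SAMPLE_NOW))
```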

Turn the certificate into a fingerprint to upload to the portal
This 2-part
step requires an online SAML calculator to generate a fingerprint from your
certificate. You enter the fingerprint in your Safety Made Simple portal as
part of the SSO setup.
Create a fingerprint
1. In a text editor, open the CRT file downloaded from your IdP.
2. Select and copy the full text of the certificate, including
---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- text.
3. Paste the certificate text into the online tool.
4. Select the algorithm you used in the IdP, SHA1 or SHA256, to
generate a fingerprint.
The following
screenshot shows a sample certificate text selected, with some lines obscured,
before copying into a SAML calculator.
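The same fingerprint can be computed locally instead of with an online calculator. This is an added example, not part of the original page or the product: it hashes the DER bytes of each certificate in a PEM file with SHA1 or SHA256. The function names and the sample PEM (constructed bytes, not a real certificate) are assumptions.

```python
import base64
import hashlib
import re

# Matches every certificate in a PEM file; a CRT from an IdP may hold several.
PEM_CERT = re.compile(r"-+BEGIN CERTIFICATE-+(.*?)-+END CERTIFICATE-+", re.DOTALL)

def cert_fingerprints(pem_text, algorithm="sha256"):
    """Return one colon-separated fingerprint per certificate in pem_text."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("only SHA1 and SHA256 fingerprints are accepted")
    bodies = PEM_CERT.findall(pem_text)
    if not bodies:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    prints = []
    for body in bodies:
        # The fingerprint is the hash of the DER bytes, not of the PEM text,
        # so line wrapping and stray whitespace must not change the result.
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.new(algorithm, der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return prints

def same_fingerprint(a, b):
    """Compare two fingerprints regardless of case, colons or spaces."""
    def strip(value):
        return re.sub(r"[^0-9a-f]", "", value.lower())
    return strip(a) == strip(b)

# Constructed sample: the armored bytes are b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYW\nJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        print(alg, cert_fingerprints(SAMPLE_PEM, alg))
```

To use it on a real file, pass the text of the CRT downloaded from your IdP to `cert_fingerprints` with the same algorithm you selected in the IdP.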

Add X.509 fingerprints
Saving Settings and Hardening
options makes Certificate fingerprints settings available
onscreen.
You can
record and manage multiple fingerprints for X.509 public certificates. Safety
Made Simple accepts SHA1 and SHA256 fingerprints. You must enter at least 1
fingerprint to use SAML SSO.
If you enter
more fingerprints, you can set 1 fingerprint as primary. Safety Made Simple uses
the primary fingerprint for 2-way SSO login from the login page.
1. From main navigation go to Settings
> Integrations > Single Sign On - SAML > General Settings.
2. Select Manage
fingerprints to open the fingerprint dialog.
3. In Fingerprint
Value, enter your X.509 certificate fingerprint.
4. Select Add a
fingerprint to add more than 1 fingerprint as required.
5. If required select 1 fingerprint
as Primary.
6. Save to finish.
The following
screenshot shows the Manage fingerprints dialog with 2
fingerprints, with the full text obscured.

Add logo
Add a
provider logo that appears on the Login Page under Sign In.
When users
select the logo at login, the logo directs users to the Identity
Provider Location (IDP SSO URL) defined in your SAML SSO >
General Settings.
1. Select Upload Logo to
add your identity provider's logo to the Safety Made Simple login page.
2. Select Save to
finish.
Set up Safety Made Simple users and groups parameters
When you set up SAML SSO, you have the
option to use data provided by your IdP to:
· create new users if they don't already exist
· add any language parameter, so learners see the portal in
their preferred language from first login
· synchronize your groups
1. From your Safety Made Simple main
navigation menu go to Settings > Integrations > Single Sign On - SAML.
2. Select Users &
Groups Settings.
3. From User Settings you
can:
· select Create Users
if they do not exist in your portal on a valid assertion
· provide
parameter Identifier Formats for names and Custom User
Data
· provide parameter Identifier Formats for portal
languages for users
4. From Group Settings, you can:
· select Enable Group Synchronization
· provide parameter Identifier
Formats for Groups
5. After updating any of these settings,
select Save to
finish.
The following
screenshot shows a sample User & Group Settings.

The
following screenshot shows sample Custom User Data Settings for
a portal.