Setup SAML SSO for your portal

Intended Audience:  Admins

Summary

Safety Made Simple uses SAML so that customers who run an identity service, such as OneLogin, G-Suite, or Microsoft Active Directory/ADFS, can sign their users in automatically.

SAML (Security Assertion Markup Language) lets a user who has already authenticated on one system sign in to another system without typing a username and password. This process is known as Single Sign-On (SSO), and SAML is one of the most widely used SSO standards.

SMS supports the Identity Provider-initiated SAML 2.0 profile with the HTTP-POST binding: your IdP posts the SAML response to your portal's consumer (ACS) URL.

When you set up SAML, you must enter at least 1 fingerprint of the X.509 public certificate your IdP uses to sign assertions. You download the certificate from your IdP. You can enter as many fingerprints as you need, which lets you add your IdP's next certificate before the current one expires. If you enter more than 1 fingerprint, you can set 1 as your primary fingerprint for SAML verification.

Access Permissions

  1. Admins with full portal permissions can set up the feature.

Prerequisites

  1. Any custom user data fields you want SAML to populate, set up in your SMS training portal.

Note:  custom user data fields that contain dates must use the YYYY-MM-DD format. The same format is used by integrations like SAML SSO and by services like batch user upload and API automations.

View SAML entry points

1.    From the main navigation go to Settings > Integrations > Single Sign On - SAML. The SAML SSO page displays your portal's:


·     SAML Entry Point / Consumer URL / ACS URL, in format:

·     SAML Metadata URL, in format:

Give these two URLs to your IdP administrator when registering the portal with your identity provider.

The following screenshot shows the SAML Integration page, with sample domain names obscured.



Complete general settings

On this page, turning on SAML in Settings makes the SAML Hardening options available.

Saving Settings and Hardening options makes Certificate fingerprints available.

1.      From the main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.

2.       From Settings, make the following entries:

·     Enabled?: select to activate SAML for your portal

·     Version: select 2.0

·     Skip Condition: select No (recommended) or Yes. With No, the portal validates the assertion's Conditions element: its NotBefore/NotOnOrAfter validity window and its AudienceRestriction. Yes turns that validation off and lets expired assertions through, so use it only for troubleshooting

·     SAML Token POST param name: enter the name of the POST parameter, sent to your portal's consumer URL, that carries the SAML response containing the assertion. The standard name under the HTTP-POST binding is SAMLResponse. This field is case-sensitive

·     Name Identifier Format: the NameID format in your SAML assertion, which tells your portal where to find the user's identifier. For example, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress when your IdP sends the user's email address

·     Identity Provider Location (IDP SSO Target URL): the URL your portal sends users to when they select the icon you upload on the portal login screen

·     Disable portal login page: (optional) redirect users straight to the IDP SSO URL instead of showing the portal login page

·     Unauthorized URL: destination URL for users whose SAML assertion is valid but who aren't authorized for the portal

·     Sign Out URL: destination URL for users who select Sign Out on the portal

3.       Save to finish this section.

If you select Disable portal login page in the General Settings, you can still reach the portal login page by appending users/sign_in?no_sso=true to the standard portal URL. Keep in mind that this path remains a way around SSO for anyone who still holds a portal password. For example:

yourportalname.safetymadesimple.com/users/sign_in?no_sso=true

The following screenshot shows the first part of the SAML SSO > General Settings page, with the sample domain name obscured.



Set hardening options

When you turn on Enabled for SAML, Hardening options become available.

Hardening options control how strictly your portal validates incoming SAML assertions. The first option, Limit SAML issuer to your subdomain, restricts the SAML issuer to your subdomain mydomainname.safetymadesimple.com.

When you change any Hardening options, your portal saves your changes immediately and refreshes the page.

1.      From the main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.

2.       From Limit SAML issuer to your subdomain, select Activate.

3.       In the Activate subdomain requirement? dialog that opens, select Activate to confirm.

Limit SAML issuer to your subdomain displays an Active status.

By default, your portal sets the other Hardening options (signed assertions, destination checking and subject confirmation checking) to the most secure setting for your SAML setup.

Changing any of these settings weakens validation of incoming assertions. Check with your IT team before making changes.

1.      From the main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.

2.       From Hardening options:

·     for Sign SAML assertion, select Deactivate only if required. By default the portal requires each assertion to carry an XML signature from your IdP

·     for Check destination, select Activate only if required. The destination check verifies that the Destination attribute of the SAML response names your portal's ACS URL, so a response issued for another service provider is rejected

·     for Check subject confirmation, select Activate only if required. The subject confirmation check verifies the SubjectConfirmationData of the assertion, including its Recipient and NotOnOrAfter values

The following screenshot shows Hardening options with default settings for a new portal.
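The Skip Condition setting in General Settings and the destination and subject confirmation Hardening options each correspond to specific elements of the SAML 2.0 response. The following Python is an added example, not the portal's code and not part of this article: it runs the non-cryptographic checks over a constructed response (example.com hosts and URLs, not the portal's real endpoints) so you can see what each option rejects when active and what it lets through when skipped. Signature verification, which Sign SAML assertion controls, needs an XML-DSig library and is not shown.

```python
"""What the Skip Condition and Hardening checks validate in a SAML 2.0 response.

Non-cryptographic checks only: Destination, Conditions, SubjectConfirmation.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (hypothetical hosts): valid from 11:59 until 12:05 UTC on 2024-05-01.
ACS_URL = "https://sp.example.com/saml/acs"
SP_ENTITY_ID = "https://sp.example.com"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(value):
    """Parse an xsd:dateTime as SAML emits it (UTC with a trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, acs_url, sp_entity_id, now=None, *,
                      skip_conditions=False, skip_destination=False,
                      skip_subject_confirmation=False):
    """Return the list of failed checks; an empty list means the response passed.

    The skip_* flags mirror the portal's Skip Condition and Hardening options.
    `now` is an ISO-8601 UTC timestamp string; None means the current time.
    """
    at = saml_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    failures = []

    # Destination: the response must be addressed to our ACS URL, not another SP's.
    if not skip_destination and root.get("Destination") != acs_url:
        failures.append(f"Destination {root.get('Destination')!r} is not our ACS URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failures + ["response carries no Assertion"]

    # Conditions: validity window plus AudienceRestriction (who the assertion is for).
    if not skip_conditions:
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            failures.append("assertion has no Conditions element")
        else:
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and at < saml_time(nb):
                failures.append("assertion not yet valid (NotBefore)")
            if noa and at >= saml_time(noa):
                failures.append("assertion expired (Conditions NotOnOrAfter)")
            audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
            if audiences and sp_entity_id not in audiences:
                failures.append(f"AudienceRestriction {audiences} does not name us")

    # SubjectConfirmation: bearer data must be for our ACS URL and still fresh.
    if not skip_subject_confirmation:
        scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None:
            failures.append("assertion has no SubjectConfirmationData")
        else:
            recipient = scd.get("Recipient")
            if recipient is not None and recipient != acs_url:
                failures.append(f"Recipient {recipient!r} is not our ACS URL")
            noa = scd.get("NotOnOrAfter")
            if noa and at >= saml_time(noa):
                failures.append("subject confirmation expired (SubjectConfirmationData NotOnOrAfter)")
    return failures


if __name__ == "__main__":
    late = "2024-05-01T12:10:00Z"  # five minutes after the assertion expired
    print("strict  :", validate_response(SAMPLE_RESPONSE, ACS_URL, SP_ENTITY_ID, late))
    print("skipped :", validate_response(SAMPLE_RESPONSE, ACS_URL, SP_ENTITY_ID, late,
                                         skip_conditions=True, skip_subject_confirmation=True))
```

With the defaults, the same response posted five minutes after its NotOnOrAfter fails both the Conditions and the SubjectConfirmation checks; with those two checks skipped it passes, which is exactly the replay window the Hardening defaults close. Note that the Recipient and Destination checks overlap: turning off Check destination alone does not accept a response issued for another ACS URL as long as subject confirmation is still checked.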



Turn the certificate into a fingerprint to upload to the portal

This 2-part step generates a fingerprint from your IdP's certificate with a SAML fingerprint calculator (an online tool, or openssl on your own machine), and then enters that fingerprint in your portal as part of the SSO setup. The CRT file holds only the public certificate, so pasting it into a calculator exposes no secret; never paste a file that also contains a private key.

Create a fingerprint

1.  In a text editor, open the CRT file downloaded from your IdP.

2.       Select and copy the full text of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

3.       Paste the certificate text into the calculator.

4.      Select SHA1 or SHA256 to generate the fingerprint. Your portal accepts either; prefer SHA256. If your IdP's console shows the certificate's fingerprint, compare it with the calculator's output before entering the value in the portal.

The following screenshot shows a sample certificate text selected, with some lines obscured, before copying into a SAML calculator.




Add an X.509 fingerprint to the portal

Saving Settings and Hardening options makes Certificate fingerprints settings available onscreen.

You can record and manage multiple fingerprints for X.509 public certificates. Your portal accepts SHA1 and SHA256 fingerprints, and you must enter at least 1 fingerprint to use SAML SSO. Keeping more than 1 fingerprint lets you add your IdP's next signing certificate before the current one expires.

If you enter more than 1 fingerprint, you can set 1 as primary. Your portal uses the primary fingerprint for 2-way SSO login from the login page.

1.      From the main navigation go to Settings > Integrations > Single Sign On - SAML > General Settings.

2.       Select Manage fingerprints to open the fingerprint dialog.

3.       In Fingerprint Value, enter your X.509 certificate fingerprint.

4.      Select Add a fingerprint to add more than 1 fingerprint as required.

5.      If required select 1 fingerprint as Primary.

6.      Save to finish.

The following screenshot shows the Manage fingerprints dialog with 2 fingerprints, with the full text obscured.
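A SAML fingerprint is nothing more than the SHA-1 or SHA-256 digest of the certificate's DER bytes, the base64-decoded body between the BEGIN and END CERTIFICATE lines, so you can produce it locally instead of using an online calculator (openssl x509 -noout -fingerprint -sha256 -in idp.crt prints the same value). The Python below is an added example, not the portal's code and not part of this article; it computes both fingerprints from a CRT file and checks a value entered in Manage fingerprints against the certificate, tolerating the colon, space and case differences between consoles. The embedded SAMPLE_CRT is a constructed stand-in so the code runs offline; it is not a real certificate.

```python
"""Compute and check X.509 certificate fingerprints locally (standard library only).

A SAML fingerprint is the SHA-1 or SHA-256 digest of the certificate's DER bytes,
i.e. of the base64-decoded body between the BEGIN/END CERTIFICATE lines.
"""
import base64
import hashlib
import hmac
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-in for an IdP .crt file so the example runs offline: the body is
# base64 for the bytes b"abc", NOT a real certificate. Point the script at your IdP's file.
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM/CRT file."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    body = re.sub(r"\s+", "", match.group(1))  # tolerate CRLF, indentation, trailing spaces
    return base64.b64decode(body, validate=True)


def fingerprint(pem_text: str, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex fingerprint, the format IdP consoles display."""
    if algorithm not in ("sha1", "sha256"):  # the portal accepts exactly these two
        raise ValueError("algorithm must be sha1 or sha256")
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def matches(pem_text: str, configured: str) -> bool:
    """Check a fingerprint entered in the portal against the IdP certificate.

    The hash is inferred from the length: 40 hex digits is SHA-1, 64 is SHA-256.
    Anything else cannot be a valid fingerprint and is rejected outright.
    """
    wanted = normalize(configured)
    algorithm = {40: "sha1", 64: "sha256"}.get(len(wanted))
    if algorithm is None:
        return False
    return hmac.compare_digest(normalize(fingerprint(pem_text, algorithm)), wanted)


if __name__ == "__main__":
    # Usage: python fingerprint.py idp.crt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRT
    for alg in ("sha1", "sha256"):
        print(f"{alg.upper():>6}: {fingerprint(text, alg)}")
```

Run it against the CRT file you downloaded, then paste the SHA256 line into Fingerprint Value. When you rotate certificates, run it against the new file and add that fingerprint alongside the old one before your IdP switches over.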


Add a provider logo that appears on the login page under Sign In

When users select the logo at login, the logo directs users to the Identity Provider Location (IDP SSO URL) defined in your SAML SSO > General Settings.

1.      Select Upload Logo to add your identity provider's logo to the portal login page.

2.       Select Save to finish.

Set up user and group parameters

When you enable SAML SSO, you can have the portal create users who don't already exist and synchronize your groups.

1.      From the main navigation go to Settings > Integrations > Single Sign On - SAML.

2.       Select Users & Groups Settings.

3.       From User Settings you can:

·     select Create Users to create a user on a valid assertion if the user doesn't already exist in your portal. With this on, anyone your IdP asserts to the portal gets an account, so control access by assigning the portal application to the right users on the IdP side

·     provide parameter Identifier Formats for names and Custom User Data

·     select Enable Group Synchronization

4.      After updating any of these settings, select Save to finish.

The following screenshot shows a sample User & Group Settings.





