Overview
Blue LMS contains authentication options that allow the site administrator to configure one or more instances of a SAML 2.0 compliant SSO module, each one able to connect to a different Identity Provider (e.g. ADFS, Azure ADFS or G Suite).
Pre-requisites
- SSO must be purchased and activated on the system. This will add the extra menu in System settings called Authentication options. If you do not have this, contact your Account Manager.
- System settings can only be accessed with a full purchase of Blue LMS. If you do not have access to this menu, contact Helpdesk for assistance in setting up SSO.
Note: It is the customer’s responsibility to ensure the following pre-requisites are in place:
- Your chosen authentication source can operate as a SAML 2.0 compliant Identity Provider (IdP).
- The IdP should be externally accessible to HTTPS calls from the Blue LMS server. This allows the system to check the validity of the metadata during authentication. This can be done by allowing calls from our servers (IP on request) through a port in the customer firewall.
Additional Note
- Administrator accounts are always manual accounts. This prevents any accidental lock-out in the event of an SSO provider being inaccessible, or of the XML metadata being updated or refreshed.
Steps to Create SSO in G Suite
- Log in to G Suite
- Go to the Admin area and locate Apps / SAML apps
- Choose the option to Enable SSO for a SAML Application and choose to set up your own custom App
- Download the IdP metadata for sharing with Me Learning (if you have access to System settings you can set up the Blue LMS side without Helpdesk.)
- Name the App, add a description and upload a logo
- Once the metadata is entered on Blue LMS, complete your App configuration with the ACS URL and Entity ID
- Add the following attribute mappings
- Set the status on the SAML application to ON for everyone
For more instructions, follow this link: https://support.google.com/a/answer/6087519?hl=en
If your site has a number of existing users, they are able to migrate to using single sign-on instead of username and password. Notifications will present these users with the option to migrate their account to SSO on their next login.
Setup on Blue LMS
To set up single sign-on, access System settings from Setup in the main menu bar. Access the final option in the left-hand menu: Authentication settings:
Note: You will only have access to this if you have the full version of Blue LMS; otherwise you must contact the Helpdesk team to set up this side for you.
This page displays a list of all configured authentication options, along with options to disable/remove/edit each existing integration and add new integrations.
Please note that you can only remove an inactive authentication integration. This is to prevent accidental deletion and loss of access for users.
To add a new integration for single sign-on, select the Add integration button and enter a name:
The name you add here will appear on the Login button e.g.
The first two fields are for information and should be noted for configuring the Identity Provider.
The integration name can be edited if required and a description can be entered. This information will be displayed on the learner login page and on the SSO migration page.
The metadata field should have the Identity Provider's (IdP) metadata pasted in directly, or a publicly accessible URL from which the system can retrieve the data itself.
Metadata can be downloaded from the LMS if the IdP requires the Service Provider (SP) metadata to be supplied manually; some IdPs will collect this automatically (e.g. Azure).
Auto create users allows the system to create a user account for any user who does not already have an account when they initially authenticate using SSO.
If your site has a number of existing users, they are able to migrate to using single sign-on instead of username and password. The setting Send user notifications will present these users with the option to migrate their account to SSO on their next login.
Selecting the Save settings button will add the new integration to the table within Authentication options where it can be edited if required.