Pre-requisites
- SSO must be purchased and activated on the system. This adds an extra menu in System settings called Authentication options. If you do not have this, contact your Account Manager.
- System settings can only be accessed with a full purchase of Blue LMS. If you do not have access to this menu, contact Helpdesk for assistance in setting up SSO.
Note: It is the customer’s responsibility to ensure the following pre-requisites are in place:
- Your chosen authentication source can operate as a SAML 2.0 compliant Identity Provider (IdP).
- The IdP should be externally accessible to HTTPS calls from the Blue LMS server; this allows the system to check the validity of the metadata during authentication.
Additional Note
- Administrator accounts are always manual accounts. This prevents an accidental lock-out in the event of the SSO provider being inaccessible, or the XML metadata being updated or refreshed.
Steps to Create SSO in OKTA
1. Log in to your OKTA account.
2. On the admin dashboard, select "Classic UI" (not "Developer Console") if not already selected.
3. Add an application in OKTA from the shortcut on the right (or the Applications menu).
4. Choose "Create New App" from the left-hand menu. This will open a new modal window.
5. Create a new application with Platform "Web" and sign on method "SAML 2.0".
6. Fill in an App name and logo, which can be made visible to users on their OKTA dashboard.
7. Switch to Blue LMS and fill out the details found under Setup > System settings > Authentication options > Add integration. The system will provide you with the SSO Identifier and Reply-to URL, along with the Mapping IdP.
8. Switch back to Okta and do the following:
   - Copy the SSO Reply-to URL value into the Single sign-on URL box, and make sure "Use this for Recipient URL and Destination URL" is checked.
   - Copy the SSO Identifier / Metadata value into the Audience URI and SAML Issuer ID boxes (click "Show Advanced Settings" to see the latter).
   - Name ID format and Application username should match what is expected in BlueLMS (e.g. the screenshot above shows usernames as e-mail addresses).
9. The attribute names in the left column should match those configured later in BlueLMS:
   l_uname = username, l_fname = First Name, l_lname = Surname, l_mail = email address
10. Set as an internal app and click Finish.
11. Download the Identity Provider metadata after setup and copy the XML text (as below) for use in the BlueLMS setup/configuration.
12. Assign the new application to users as required using the "Assignments" tab and the "Assign" button.
Blue LMS setup for OKTA
In order to modify these settings you must have Master admin access. Contact the helpdesk if you cannot see the following.
Proceed to Setup -> System settings -> Authentication options -> Add integration -> Type: SAML 2.0, Name: [as required].
Use the SSO Identifier / Metadata and SSO Reply-to URL values in the OKTA setup.
Paste the IdP Metadata XML from OKTA into the IdP metadata (xml) box.
The Mapping IdP value should be set to the mapping field in OKTA that contains the value which will be the username: in the example screenshots, l_uname was mapped to the email address field, which means BlueLMS will use email addresses as the username.
All the other mapping field names in the box below should match what was configured in OKTA.
Other settings on this page are the same as for other SAML integrations.
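The Okta settings in the step list above (Single sign-on URL used as Recipient and Destination, Audience URI and SAML Issuer ID set to the SSO Identifier, NameID as an e-mail address) and the attribute names mapped here all end up as fields of the SAML Response Okta sends to the Reply-to URL. The script below is an added example, not Blue LMS or Okta code: it checks a constructed Response in the shape Okta produces against those configured values, so a misconfiguration on either side shows up as a named mismatch rather than a generic login failure. The LMS URLs, the user and the attribute values are placeholders, and XML signature verification is deliberately left out (the LMS does that with the certificate from the IdP metadata); only the configuration-level fields the guide maps between the two sides are checked.

```python
"""Check a SAML 2.0 Response against the values Blue LMS and Okta were configured with.

Added example, not Blue LMS or Okta code. The Response below is a constructed
document in the shape Okta produces, not a captured message; the URLs, the
user and the attribute values are placeholders. Signature verification is
out of scope here; only the configuration-level fields are checked.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders for the values the Add integration page hands out.
SSO_IDENTIFIER = "https://lms.example.test/saml/metadata"
REPLY_TO_URL = "https://lms.example.test/saml/acs"
# Attribute names configured in Okta; l_uname is the Mapping IdP field.
MAPPING_IDP = "l_uname"
EXPECTED_ATTRS = {"l_uname", "l_fname", "l_lname", "l_mail"}

# Constructed sample Response (placeholder user and URLs).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://lms.example.test/saml/acs">
  <saml:Issuer>https://lms.example.test/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://lms.example.test/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://lms.example.test/saml/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://lms.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="l_uname"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="l_fname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="l_lname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="l_mail"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, now_iso, sso_identifier=SSO_IDENTIFIER, reply_to_url=REPLY_TO_URL):
    """Return the list of mismatches; an empty list means the Response fits the configuration."""
    now = _ts(now_iso)
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be the Reply-to URL ("Use this for Recipient URL and Destination URL").
    if root.get("Destination") != reply_to_url:
        problems.append("Destination does not equal the Reply-to URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != sso_identifier:
        problems.append("Issuer does not equal the SAML Issuer ID configured in Okta")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not (name_id.text or "").strip():
        problems.append("NameID is missing or not in emailAddress format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != reply_to_url:
        problems.append("Recipient does not equal the Reply-to URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired")
    # Audience must name this LMS (the SSO Identifier), otherwise the assertion is for another SP.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sso_identifier not in audiences:
        problems.append("Audience does not include the SSO Identifier")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        if conditions.get("NotBefore") and now < _ts(conditions.get("NotBefore")):
            problems.append("Assertion is not yet valid")
        if conditions.get("NotOnOrAfter") and now >= _ts(conditions.get("NotOnOrAfter")):
            problems.append("Assertion has expired")
    # Attribute names must match the mapping configured in both Okta and BlueLMS.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = sorted(EXPECTED_ATTRS - attrs.keys())
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    if not attrs.get(MAPPING_IDP):
        problems.append("Mapping IdP attribute " + MAPPING_IDP + " is empty, no username to map")
    return problems


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, "2024-01-01T12:00:00Z") or ["Response matches the configuration"]:
        print(line)
```

Running the check against a Response captured from a browser's SAML tracer during a test sign-in is the quickest way to tell an Okta-side mistake (wrong Audience, an attribute named `mail` instead of `l_mail`) from an LMS-side one, and the time-window checks explain the intermittent failures that clock skew between the two systems produces.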