
Single Sign On (SSO)

These guides are all related to Single Sign-on via CyberLearn.
By Jack Banks
3 articles

How to configure SSO (Single Sign-on)

To improve the experience for end users, the platform allows you to connect your active directory to enable Single Sign-on. This guide shows you how to set this up on all of the main active directory providers (Microsoft Azure and Google Workspace). Only owners of the learning platform have the ability to configure single sign-on, so please ensure you have the relevant access.

Also note that the single sign-on we currently provide uses just-in-time provisioning: it will not automatically set up users as soon as they are created in your active directory. Users will need to engage with the learning portal by selecting "Login" for an account to be created if there isn't one already. Auto-provisioning (SCIM) is currently in development, but not available as of yet.

When you have successfully configured SSO, the login screen will look like the screenshot below, and users selecting "Login" will automatically be signed into the platform via SSO. Any users who aren't in your active directory can use the "Direct Login" feature below the login button.

[Screenshot: sso-1]

To get started and see your unique configuration settings, select "Organisation" >> "Single-Sign-On". This will present you with the links you need to input into your active directory, along with the details you need to populate to link the two systems.

[Screenshot: sso-2]

Microsoft Azure

Create an application for Bob's Business:

1. In Azure Active Directory, click "View" under "Manage Azure Active Directory".
2. In the left-hand menu, click "Enterprise applications".
3. Select "New application".
4. Click "Create your own application".
5. Enter the name of your application (e.g. Bob's Business), and then click "Create".

Once the application is created, you will be taken to the "Enterprise Application Overview" page.

Enable SSO for the application:

1. On the Overview page of the application that was created, click "Single Sign On" in the left-hand menu.
2. Click "SAML".
3. This will take you to the "Set up Single Sign-On with SAML" page.
4. In the "Basic SAML Configuration" panel, click "Edit".
5. You will need to complete and save the following URL fields (found on the "Organisation > Single Sign On" page in the Bob's Business portal):
   ○ Entity ID = https://yourorganisation.trainingpost.com/sso/metadata
   ○ Reply URL = https://yourorganisation.trainingpost.com/sso/acs
   ○ Sign On URL = https://yourorganisation.trainingpost.com/sso/login
   ○ Logout URL = https://yourorganisation.trainingpost.com/sso/logout

Note: do not use the exact links above; they are examples. Make sure to use your own links (found on the "Organisation > Single Sign On" page in the Bob's Business portal).

Next, you need to tell Bob's Business about your Active Directory service.

1. In the Bob's Business portal, select "Organisation > Single Sign On".
2. Toggle on "Enable Single Sign On".
3. Enter the following details from the application you just made in Active Directory:
   ○ Login URL
   ○ Azure AD Identifier
   ○ Logout URL
   ○ Certificate (Base64 version: open it in Notepad and copy the text)
4. Click "Save".

Granting permission for users to use the SSO application in Azure

To ensure users do not receive the following error message (caused by them not having access to the application you have created in Azure):

[Screenshot: sso-error-1]

Within the enterprise application in Azure, be sure to select "Users and Groups" and make sure all of your staff have access to log in, including any new starters.

[Screenshot: sso-error-2]

To test that SSO is working, head over to your portal login page and try signing in. If this has worked, we then recommend importing all of the users silently via the Bob's Business portal so all of your staff are pre-loaded and ready to go.

Google Workspace

1. In Google Workspace, go to Apps -> Web and mobile apps.
2. Select 'Add custom SAML app'.
   [Screenshot: google-sso-1]
3. Copy all of the following fields:
   [Screenshot: google-sso-2]
4. In your Bob's Business portal, go to "Organisation" >> "Single Sign On" and turn on Single Sign On.
   [Screenshot: google-sso-8]
5. Enter the copied SSO URL (Login URL), Entity ID and Certificate here:
   [Screenshot: google-sso-3]
6. Take the ACS URL and Entity ID from the bottom of Configuration Settings.
   [Screenshot: google-sso-4]
7. Paste these into the Service Provider Details in these fields:
   [Screenshot: google-sso-5]
8. Set the NameID format as per the screenshot below:
   [Screenshot: google-sso-6]
9. Finally, set the following attributes on this screen:
   [Screenshot: google-sso-7]
   First Name -> http://schemas.microsoft.com/identity/claims/displayname
   Primary Email -> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Okta

1. In the Okta Admin space, go to Applications and click Create App Integration.
2. In another tab, go to the LMS and click on Organisation and then Single Sign On.
3. Copy the URLs from the LMS configuration settings into the SAML settings. The single sign-on URL is the Reply URL (ACS) and the Entity ID is the Audience URI.
4. Set the name ID format to "persistent" and the username to "Email".
5. Configure the attribute statements as below. The names must be as follows:
   - http://schemas.microsoft.com/identity/claims/displayname
   - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
6. Confirm the settings and then click "View SAML setup instructions".
7. Copy and paste the details on this page into the LMS.
8. The sign-out URL can be found on the Sign On page in the SAML metadata details.

If you have any questions or need assistance, please email support@bobsbusiness.co.uk and we would be happy to help.
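The attribute names and NameID format above are what the platform expects to find in each assertion. As an added example (not code from the guide or from the Bob's Business product), the check below validates a constructed, unsigned sample assertion against that configuration: persistent NameID, the two claim URIs, and the guide's placeholder Entity ID as the audience. It assumes XML signature verification has already been done by the SAML library in front of it.

```python
# Added example, not from the original guide or the Bob's Business product:
# checks a SAML assertion against the settings the guide has you configure
# on the IdP (persistent NameID, the two claim URIs, your Entity ID as the
# audience). Assumes signature verification has already been done.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
DISPLAYNAME = "http://schemas.microsoft.com/identity/claims/displayname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ENTITY_ID = "https://yourorganisation.trainingpost.com/sso/metadata"  # guide's placeholder

def check_assertion(xml_text: str, entity_id: str = ENTITY_ID) -> dict:
    """Return the fields JIT provisioning needs, or raise ValueError listing
    every mismatch against the expected configuration."""
    root = ET.fromstring(xml_text)
    problems = []
    # Audience must be our Entity ID, so an assertion issued for another SP is rejected
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"audience {audiences} does not include {entity_id}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or Format is not persistent")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    for claim in (DISPLAYNAME, EMAIL):
        if not attrs.get(claim):
            problems.append(f"required claim missing: {claim}")
    if problems:
        raise ValueError("; ".join(problems))
    return {"name_id": name_id.text, "display_name": attrs[DISPLAYNAME], "email": attrs[EMAIL]}

# Constructed, unsigned sample assertion with placeholder values
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID Format="{PERSISTENT}">abc123</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{DISPLAYNAME}"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL}"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `check_assertion(SAMPLE)` returns the name ID, display name and email; changing the NameID format, the audience or one of the claim names makes it raise with the mismatch named.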

Last updated on Nov 12, 2024

How to set up SCIM Single Sign-on (Okta SCIM Setup)

This article will show you how to enable SCIM in your current SSO setup. SCIM is used to auto-provision users via your active directory.

1. In order to utilise SCIM with Okta, you first need to set up SAML SSO. Please follow our SSO guidance on this before attempting to set up SCIM provisioning. If you already have this in place you do not need to do this again.
2. On your portal, enable SCIM provisioning under Organisation > Single Sign On and save the Tenant URL for later. You can either invite users on creation or choose to manually send the invites after they're provisioned.
3. On your LMS portal, click on Organisation > API Integrations and create a token with the permissions users.read, users.write, groups.read and groups.write.
4. Save the token string.
5. On your app in Okta, enable SCIM provisioning under General > App Settings and save the changes.
6. Open the new Provisioning tab.
7. Enter the details below:
   - Your SCIM connector is your Tenant URL from the LMS (your URL + scim/v2)
   - UID for users is userName
   - Tick all boxes for actions
   - Authentication mode is HTTP Header
8. Fill in your HTTP token using the API key generated from the LMS and click test configuration.
9. Once completed, ensure the following options are enabled in the settings:
   [Screenshot: SCIM-11]
10. Then ensure attribute mapping is configured as follows:
   [Screenshot: SCIM-12]
11. The integration can then be used by visiting the 'Assignments' tab and assigning users and groups.
12. In order to sync groups, you must use the 'Push Groups' tab on the custom app integration. If you do not see this option and pushing groups is unavailable to you, you may need to speak with Okta to get this enabled for your tenant.

If you need any support, please email support@bobsbusiness.co.uk and we can assist.

Last updated on May 29, 2024

How to set up SCIM Single Sign-on (Microsoft Azure AD/Entra SCIM Setup)

This article will show you how to enable SCIM in your current SSO setup. SCIM is used to auto-provision users via your active directory.

Microsoft Azure AD/Entra SCIM Setup

Please note! Before starting this process: if you already have users on your learning platform, duplicate accounts will be added if the existing users do not follow the same email address format that you are passing across. By default, the attributes in the steps below will pass across the User Principal Name from Azure as the email address. We therefore recommend checking that everyone's current accounts on the platform match the users' principal names in Microsoft Azure. If you need any assistance, please contact support@bobsbusiness.co.uk.

1. Please follow our guidance on setting up Single Sign-on (SSO) for Microsoft Azure AD/Entra in order to create your initial 'Enterprise Application'. If you already have this in place you do not need to do this again.
2. Once you have set up SSO successfully, enable SCIM from within your organisation under the 'Single Sign On' page. You can either choose to invite users on creation or invite them manually after you've provisioned them via SCIM. Note down the 'Tenant URL' here.
3. Next you will need to create an API token for SCIM by going to 'Organisation' -> 'API Integrations' -> 'Create New Token'.
4. Give the token the following permissions:
5. Save the API key for the following step.
6. Go to the Enterprise Application you set up for Bob's Business. In the left-hand menu, select 'Provisioning', set 'Provisioning mode' to 'Automatic' and fill it out with the Tenant URL and API key you generated. Then test the connection.
7. After the connection has been tested and saved, a new dropdown should appear on the page for 'Mappings'. Expand this to see links to provision Active Directory for Users and for Groups.
8. Set up the mappings for the users as follows. Please ensure the attributes are the same as above; these are the only attributes that can currently be passed over to the platform. The only exception would be if you want to pass across "Mail" instead of "User Principal Name", but please ensure this reflects the current data on your platform before doing this.
9. Set up the mappings for groups. Again, please make sure to add the same attributes as shown in the screenshot above.
10. Assign your users to the application.
11. Click 'Start provisioning' to start automatic provisioning. This will send data to your organisation roughly every 40 minutes. The first sync usually happens within 5 minutes but can take longer. From this page, you should be able to see the status of the latest sync along with a count of the number of users and groups that have been synced. You can stop and start automatic provisioning at any time.
12. If you wish to test syncing outside of the automatic cycle, you can click on 'Provision on demand'. This allows you to manually select some users and groups and sync them immediately. (Note: if you are syncing a group on demand, you must manually select any members you want to sync at the same time; there is a limit of 5 members per on-demand sync.) When you provision on demand you should see output from the sync almost immediately.
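Both SCIM guides (Okta and Azure AD/Entra) hinge on which directory attribute becomes the SCIM userName: the connector matches on it exactly, so an existing account created under a different address format is not matched and a second account appears. The simulation below is an added example (not the platform's code and not from either guide) that builds the SCIM User the mapping would send, runs a pre-flight check for the duplicate-account risk, and applies one sync cycle to constructed sample data so you can see the effect of mapping userPrincipalName versus mail. The local-part comparison in the pre-flight check is my own heuristic.

```python
# Added example, not from either SCIM guide or the platform's own code:
# simulates a SCIM push landing on an existing account store, with the
# directory attribute mapped to userName (UPN by default, "mail" as the
# alternative) so the duplicate-account risk can be checked before syncing.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

def to_scim_user(dir_user: dict, id_attr: str = "userPrincipalName") -> dict:
    """The SCIM User the mapping sends; userName is the unique identifier."""
    addr = dir_user[id_attr].lower()
    return {"schemas": [SCIM_USER], "userName": addr,
            "name": {"givenName": dir_user["givenName"], "familyName": dir_user["surname"]},
            "emails": [{"value": addr, "primary": True}], "active": dir_user["accountEnabled"]}

def preflight(accounts: list, dir_users: list, id_attr="userPrincipalName") -> list:
    """Run before 'Start provisioning'. Heuristic (my own, not the platform's):
    a mapped address with no exact match whose local part equals an existing
    account's local part would be created as a duplicate of that account."""
    existing = {a["email"].lower() for a in accounts}
    by_local = {e.split("@")[0]: e for e in existing}
    clashes = []
    for du in dir_users:
        addr = du[id_attr].lower()
        if addr not in existing and addr.split("@")[0] in by_local:
            clashes.append((addr, by_local[addr.split("@")[0]]))
    return clashes

def provision(accounts: list, dir_users: list, id_attr="userPrincipalName") -> dict:
    """One sync cycle: an exact userName match (as a SCIM filter would find)
    updates the account, anything else is created. Mutates accounts in place."""
    by_name = {a["email"].lower(): a for a in accounts}
    created, updated = [], []
    for du in dir_users:
        su = to_scim_user(du, id_attr)
        if su["userName"] in by_name:
            by_name[su["userName"]]["active"] = su["active"]
            updated.append(su["userName"])
        else:
            accounts.append({"email": su["userName"], "active": su["active"]})
            created.append(su["userName"])
    return {"created": created, "updated": updated}

# Constructed samples: Jane's UPN domain differs from the address her platform account uses
ACCOUNTS = [{"email": "jane.doe@example.test", "active": True},
            {"email": "sam.lee@example.test", "active": True}]
DIRECTORY = [{"userPrincipalName": "jane.doe@corp.example.test", "mail": "jane.doe@example.test",
              "givenName": "Jane", "surname": "Doe", "accountEnabled": True},
             {"userPrincipalName": "sam.lee@example.test", "mail": "sam.lee@example.test",
              "givenName": "Sam", "surname": "Lee", "accountEnabled": False}]
```

With the default UPN mapping, `preflight(ACCOUNTS, DIRECTORY)` flags Jane and `provision` creates a second account for her; with `id_attr="mail"` both users are matched and only updated (Sam's disabled directory account is deactivated rather than duplicated).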

Last updated on Jun 28, 2024