Single Sign-On (SSO) API

As of 11.0.14 / 11.6.0, LearningBuilder supports SSO via SAML. That is the preferred approach (when possible) because it does not require any custom integration programming in either LearningBuilder or the 3rd party system.

See SAML SSO and SAML SSO vs legacy Demographic Sync (DRAFT)

Overview

The Single Sign-On (SSO) API allows individuals to seamlessly transition into LearningBuilder from a 3rd party “identity provider”, such as an association management system, where that user is currently authenticated.

SSO is usually implemented in circumstances in which a customer has an existing member management system and wishes most interactions to take place within that system. The mechanism ensures individuals are able to access LearningBuilder directly from their membership profile without logging on to a separate system.

SSO is often used in conjunction with Demographic Synchronization, which updates demographic data in LearningBuilder, upon user sign-in, to match data in the identity provider. (For example, pushing updated contact information into LearningBuilder)

Implementation summary

To implement SSO you will need:

  • A shared secret key between LearningBuilder and the 3rd party system;

  • An ability to add a link into the 3rd party system (e.g. AMS/CRM) that redirects users to LearningBuilder, including an authentication token based on the secret key;

To implement Demographic Synchronization you will need:

  • An API endpoint (hosted by the identity provider) that LearningBuilder can call to obtain updated demographic data.

Visual Representation

The following diagram represents common scenarios for constructing the visual integration for single sign-on.

(TODO: diagram got corrupted at some point; should be recreated)

Figure 5.1. Illustrates the single sign-on path from a typical member profile.

Data Flow

The data flow for single sign-on authentication and navigation.

(TODO: diagram got corrupted at some point; should be recreated)

Technical Specifications

Preliminary LearningBuilder configuration

The following parameters must be configured (by a Sys Admin) in LearningBuilder’s App Config system:

App Config setting

Purpose

App Config setting

Purpose

CustomLoginUrl

Users are redirected to this URL if they access a page in LearningBuilder without an active user session.

As part of SSO, this should normally be configured to redirect unauthenticated users back into the identity provider.

If not specified, the default value is /account/login

LogOffURL

Users are redirected to this URL when they log out of LearningBuilder.

As part of SSO, this should normally be configured to redirect back to the identity provider.

Logging out of LearningBuilder will not log users out of the identity provider at the same time.

TokenSecretKey

A secret key, preferably something random, that is shared by both parties.

OutgoingTokenSecretKey

In most cases this should be the same as TokenSecretKey. It can vary in the event that the identity provider and the demographic data provider are different.

SSO login link

SSO is initiated from the 3rd party identity provider, where the user must already be logged in.

A link on that site points to LearningBuilder, passing the following parameters:

https://<ClientId>.LearningBuilder.com/account/sso ?UniqueId=[UniqueId] &t=[TimeStamp] &token=[Token] &SuccessURL=[SuccessURL] &FailureURL=[FailureURL] &bypassDemographics=[bypass]

Parameter

Explanation 

Comment 

Parameter

Explanation 

Comment 

UniqueId

The LearningBuilder Unique Identifier of the visitor attempting to sign on to LearningBuilder through the external system. 

See Secure Tokens

TimeStamp

A time stamp generated to establish the authentication token. 

See Secure Tokens

Token

The signed token.

See Secure Tokens

SuccessURL

Where to redirect after a successful login. This is useful if you want the user to land on a page other than their default landing page.  

A list of supported Success URLs is found on the Redirecting after SSO page. 

Optional.  If omitted, user is sent to their default landing page.

If this is not part of LearningBuilder, the provided URL must be fully qualified and start with HTTP:// or HTTPS://.

 

FailureURL 

The landing page of the external system when sign-in is not successful. 

Optional.  If not provided, the user will be taken to the default error page. 

bypassDemographics

Set to "true" to bypass the Demographic Synchronization Service.

Optional. Defaults to false.

Demographic Synchronization

If the sign-in succeeds and a Demographic URL is provided, LearningBuilder will perform a demographic synchronization during the login process.

As part of this process LearningBuilder will call back out to the identity provider (passing the same sort of token used on the inbound link), requesting information about the newly logged-in user. The identity provider must return an XML document containing the relevant information that should be saved in LearningBuilder.

For more details see Demographic Synchronization Service

 

Related pages