Single Sign-On (SSO) API
As of 11.0.14 / 11.6.0, LearningBuilder supports SSO via SAML. That is the preferred approach (when possible) because it does not require any custom integration programming in either LearningBuilder or the 3rd party system.
See https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/2983624740 and https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/3360817263
Overview
The Single Sign-On (SSO) API allows individuals to seamlessly transition into LearningBuilder from a 3rd party “identity provider”, such as an association management system, where that user is currently authenticated.
SSO is usually implemented in circumstances in which a customer has an existing member management system and wishes most interactions to take place within that system. The mechanism ensures individuals are able to access LearningBuilder directly from their membership profile without logging on to a separate system.
SSO is often used in conjunction with Demographic Synchronization, which updates demographic data in LearningBuilder, upon user sign-in, to match data in the identity provider. (For example, pushing updated contact information into LearningBuilder)
Implementation summary
To implement SSO you will need:
A shared secret key between LearningBuilder and the 3rd party system;
An ability to add a link into the 3rd party system (e.g. AMS/CRM) that redirects users to LearningBuilder, including an authentication token based on the secret key;
To implement Demographic Synchronization you will need:
An API endpoint (hosted by the identity provider) that LearningBuilder can call to obtain updated demographic data.
Visual Representation
The following diagram represents common scenarios for constructing the visual integration for single sign-on.
(TODO: diagram got corrupted at some point; should be recreated)
Figure 5.1. Illustrates the single sign-on path from a typical member profile.
Data Flow
The data flow for single sign-on authentication and navigation.
(TODO: diagram got corrupted at some point; should be recreated)
Technical Specifications
Preliminary LearningBuilder configuration
The following parameters must be configured (by a Sys Admin) in LearningBuilder’s App Config system:
App Config setting | Purpose |
---|---|
| Users are redirected to this URL if they access a page in LearningBuilder without an active user session. As part of SSO, this should normally be configured to redirect unauthenticated users back into the identity provider. If not specified, the default value is |
| Users are redirected to this URL when they log out of LearningBuilder. As part of SSO, this should normally be configured to redirect back to the identity provider. Logging out of LearningBuilder will not log users out of the identity provider at the same time. |
| A secret key, preferably something random, that is shared by both parties. |
| In most cases this should be the same as |
SSO login link
SSO is initiated from the 3rd party identity provider, where the user must already be logged in.
A link on that site points to LearningBuilder, passing the following parameters:
https://<ClientId>.LearningBuilder.com/account/sso
?UniqueId=[UniqueId]
&t=[TimeStamp]
&token=[Token]
&SuccessURL=[SuccessURL]
&FailureURL=[FailureURL]
&bypassDemographics=[bypass]
Parameter | Explanation | Comment |
---|---|---|
| The LearningBuilder Unique Identifier of the visitor attempting to sign on to LearningBuilder through the external system. | See https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/2319253584. |
| A time stamp generated to establish the authentication token. | See https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/2319253584. |
| The signed token. | See https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/2319253584. |
| Where to redirect after a successful login. This is useful if you want the user to land on a page other than their default landing page. A list of supported Success URLs is found on the https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/2319417430 page. | Optional. If omitted, user is sent to their default landing page. If this is not part of LearningBuilder, the provided URL must be fully qualified and start with HTTP:// or HTTPS://.
|
| The landing page of the external system when sign-in is not successful. | Optional. If not provided, the user will be taken to the default error page. |
| Set to "true" to bypass the https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/2319384666. | Optional. Defaults to false. |
Demographic Synchronization
If the sign-in succeeds and a Demographic URL is provided, LearningBuilder will perform a demographic synchronization during the login process.
As part of this process LearningBuilder will call back out to the identity provider (passing the same sort of token used on the inbound link), requesting information about the newly logged-in user. The identity provider must return an XML document containing the relevant information that should be saved in LearningBuilder.
For more details see https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/2319384666