As of 11.0.14 / 11.6.0, LearningBuilder supports SSO via SAML. That is the preferred approach (when possible) because it does not require any custom integration programming in either LearningBuilder or the 3rd party system.
See SAML Identity Management and SAML SSO vs legacy Demographic Sync (DRAFT)
The single sign-on (SSO) API allows individuals to log in to other systems and use those credentials to access LearningBuilder™. Single sign-on is usually implemented in circumstances in which a customer has an existing member management system and wishes most interactions to take place within that system. The mechanism ensures individuals are able to access LearningBuilder™ directly from their membership profile without logging on to a separate system.
Single Sign-On Implementation
Implementation requires the following components:
An ability for the AMS/CRM to send users to LearningBuilder™ (e.g., a link or button);
A mechanism to generate an authentication token (see section 4);
A mechanism to send token and user identity to LearningBuilder™ through a query string;
A URL to redirect users to when sign-on succeeds (optional);
A URL to redirect users to when sign-on fails (optional); and
A URL to redirect users to when signing off.
Visual Representation
The following diagram represents common scenarios for constructing the visual integration for single sign-on.
Figure 5.1. Illustrates the single sign-on path from a typical member profile.
Data Flow
The data flow for single sign-on authentication and navigation.
Technical Specifications
The following technical specifications define the means by which to log on to LearningBuilder™ from an external system.
Logging in from the external system
If the sign-in succeeds, LearningBuilder™ will execute a demographic synchronization if a Demographic URL is provided (see section 6) and then redirect the user to their LearningBuilder™ landing page. If the sign-in or demographic synchronization fails, LearningBuilder™ will redirect the user to a landing page on the external system.
To connect via single-sign on, the external system will need to construct a querystring with the following contents:
Component | Explanation | Comment |
|---|---|---|
| A LearningBuilder™ sub-domain, usually the client’s acronym. | Custom URLs are acceptable. |
| The identifier of the visitor attempting to sign on to LearningBuilder™ through the external system. | See Secure Tokens. |
| A time stamp generated to establish the authentication token. | See Secure Tokens. |
| The encrypted token. | See Secure Tokens. |
| The landing page when sign-on is successful. This is useful if you want the user to land on a page other than their default landing page. A list of supported Success URLs is found on the Redirecting after SSO page. | Optional. If the URL to redirect to is for a page outside of LearningBuilder™, then the provided URL must be fully qualified, i.e. begin with 'HTTP://'. If not provided, the user will be taken to their default landing page. |
| The landing page of the external system when sign-in is not successful. | Optional. If not provided, the user will be taken to the default error page. |
| Set to "true" if you are not using the Demographic Synchronization Service , or are testing and want to bypass it. | Optional. If true, the demographics synchronization will be skipped. |
Logging off from LearningBuilder™
When the user logs off of LearningBuilder™, they are redirected to the LogOffURL. This URL is specified through configuration of LearningBuilder™ and must be provided to the technical team during system configurations.
In addition, a CustomLoginUrl can be defined which Users will be redirected to upon login when they do not have an active session. When not specified, it defaults to /account/login/.
Please create a Support Ticket to make changes to the LogOffURL and CustomLoginUrl.