Configure Learner Access via SAML 2.0 Protocol

This article covers:

  • SAML 2.0 Overview
  • SAML 2.0 Set-Up
  • Set-Up Requirements Provided by the Customer
  • Set-Up Requirements Provided by BenchPrep

 

SAML Overview

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

 

At a high level, the SAML authentication flow is: the user authenticates with the Identity Provider; the Identity Provider issues a signed SAML Response containing an Assertion about that user; the user's browser delivers that Response to the Service Provider; and the Service Provider validates it and signs the user in.

 

Key SAML 2.0 Concepts

  • BenchPrep will act as the Service Provider (SP), which is the entity providing the service.
  • The Customer will act as the Identity Provider (IdP), which is the entity providing the identities, including the ability to authenticate a user. 
  • Identity Provider Initiated (IdP-initiated) sign-in describes the SAML sign-in flow that the Identity Provider starts on its own, sending an assertion of the user's identity to the Service Provider without a prior request.
       -   This sign-in flow is BenchPrep’s preference.
       -   Because no SAML Request precedes it, the Service Provider cannot tie the response to a request it issued; the assertion's signature, audience restriction and validity window are the checks that protect this flow.
  • Service Provider Initiated (SP-initiated) sign-in describes the SAML sign-in flow when initiated by the Service Provider, triggered when the user tries to access content or sign in directly on the Service Provider side.
  • SAML Request is generated by the Service Provider to request authentication from the Identity Provider. It is only present in SP-initiated sign-ins.
  • SAML Response is generated by the Identity Provider and carries the signed Assertion about the authenticated user.

 

SAML Set-Up

With SAML SSO, the Identity Provider sends an XML document (the SAML Response) describing the individual user at each login.

 

BenchPrep expects user information to be carried in the saml:Subject and saml:AttributeStatement elements of the SAML Assertion. The attributes BenchPrep needs to create and manage the user account are extracted from the XML through an attribute mapping, which is configured during planning and implementation.

 

SAML Response Attributes

For a SAML 2.0 SSO integration, BenchPrep requires a few fields in order to create and log in a learner. Additional optional fields can be configured for greater flexibility. The names of the attributes the Identity Provider sends are configurable through the attribute mapping.

 

Required Attributes: 

  • identifier: The user's unique identifier within the Customer's identity management system, typically a UUID issued by the Identity Provider (must be unique)
  • name: Learner’s full name (can be provided as a single field or as a collection of fields that are combined)
  • email: Learner's email address (must be unique)

Optional Attributes:

  • course_slugs: Used when course authorization is done via course slugs (see Technical Specifications for Course Authorization below)
  • branch_slug: If present and valid, the user is assigned to the branch with that slug
  • group_ids: Comma-separated string of group ids (example: “13724,149223,23081”) that the user is assigned to upon login

 

Example XML

 

Technical Specifications for Course Authorization

Option 2: Course Slugs in Login Payload

 

Authorization data can be passed in the XML as an embedded JSON string in the mappable course authorization attribute, shown in the example XML above. This JSON must be in the format specified below.

 

JSON Schema specification:

 

Please Note: Regardless of the option chosen, course Authorization via SSO is the sole enrollment method and will override any existing enrollment specifications defined by users' Plans/Contracts.
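The attribute mapping and the checks described above, as an added example that is not BenchPrep's code: it parses a constructed IdP-initiated SAML Response with Python's standard library, rejects a stale, misdirected or replayed assertion, then applies a mapping in the shape of the Mappable Attributes table to produce the learner record. The sp.example URLs, the attribute names, the sample data and the list shape of the JSON embedded in the course authorization attribute are assumptions (the JSON schema referenced in this article is not reproduced here). XML signature verification against the certificate in the Customer's metadata is out of scope for the example and must succeed before any of these checks matter.

```python
# Added example, not BenchPrep's code. The sp.example URLs, attribute names, sample data and
# the list shape of the JSON inside authorized_courses are assumptions. XML signature checking
# (needs an XML-DSig library such as xmlsec) is out of scope and must pass BEFORE these checks.
import json
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)
SP_ENTITY_ID = "https://sp.example/saml/metadata"  # assumed SP entityID (the expected Audience)
ACS_URL = "https://sp.example/saml/acs"            # assumed AssertionConsumerService Location
SAMPLE_NOW = datetime(2024, 3, 1, 12, 1, tzinfo=timezone.utc)

# Mapping in the shape of the article's "Mappable Attributes" table: BenchPrep field -> IdP
# attribute name(s). "NameID" means saml:Subject/saml:NameID; a list is joined into one name.
MAPPING = {"identifier": "NameID", "name": ["first_name", "last_name"], "email": "email",
           "course_slugs": "authorized_courses", "group_ids": "group_ids"}  # JSON string; CSV string
REQUIRED = ("identifier", "name", "email")

# Constructed sample: an IdP-initiated Response, so there is no InResponseTo.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z">
 <saml:Issuer>https://idp.customer.example/saml</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-01T12:00:00Z"><saml:Issuer>https://idp.customer.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>5f1c2a9e-0d7b-4e3a-9c1f-2b6d8e4a7c01</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    NotOnOrAfter="2024-03-01T12:05:00Z" Recipient="https://sp.example/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T11:59:00Z" NotOnOrAfter="2024-03-01T12:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.example/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>ada@customer.example</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="authorized_courses"><saml:AttributeValue>["intro-security", "crypto-101"]</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="group_ids"><saml:AttributeValue>13724,149223,23081</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

class SamlValidationError(Exception):
    pass

def _ts(value):  # SAML timestamps are UTC, e.g. 2024-03-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _values(assertion, name):  # every AttributeValue text of the Attribute called `name`
    return next(([v.text or "" for v in a.findall("saml:AttributeValue", NS)]
                 for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
                 if a.get("Name") == name), [])

def validate(root, now, seen_ids, expected_request_id=None):
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise SamlValidationError("IdP did not report Success")
    # SP-initiated: must answer the request we issued. IdP-initiated: no request, so none expected.
    if root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match the outstanding SAML Request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or (cond := assertion.find("saml:Conditions", NS)) is None:
        raise SamlValidationError("no plaintext saml:Assertion with Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")) or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion is outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("assertion was issued for a different Service Provider")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation missing, stale, or addressed to another ACS")
    if assertion.get("ID") in seen_ids:  # one-time use: the same assertion must never log in twice
        raise SamlValidationError("assertion replayed")
    seen_ids.add(assertion.get("ID"))
    return assertion

def map_attributes(assertion, mapping=MAPPING):
    record = {}
    for field, source in mapping.items():
        if source == "NameID":
            node = assertion.find("saml:Subject/saml:NameID", NS)
            value = node.text.strip() if node is not None and node.text else None
        elif isinstance(source, list):  # full name supplied as a collection of fields
            value = " ".join(p for s in source for p in _values(assertion, s)[:1] if p) or None
        else:
            value = next(iter(_values(assertion, source)), None)
        if value is None:
            continue
        if field == "group_ids":
            value = [g.strip() for g in value.split(",") if g.strip()]
            if not all(g.isdigit() for g in value):
                raise SamlValidationError("group_ids must be a comma-separated list of numeric ids")
        elif field == "course_slugs":
            value = json.loads(value)  # authorization data travels as an embedded JSON string
        record[field] = value
    missing = [f for f in REQUIRED if f not in record]
    if missing:
        raise SamlValidationError(f"required attribute(s) missing: {missing}")
    return record

def process_response(xml_text, now=None, seen_ids=None, expected_request_id=None):
    assertion = validate(ET.fromstring(xml_text), now or datetime.now(timezone.utc),
                         set() if seen_ids is None else seen_ids, expected_request_id)
    return map_attributes(assertion)
```

Two points of the design matter in practice. In the IdP-initiated flow BenchPrep prefers, `expected_request_id` is None and the response must carry no InResponseTo; in an SP-initiated flow the same parameter is the ID of the SAML Request the Service Provider issued, and the response must echo it. The `seen_ids` set is the replay cache: it only protects anything if it is shared by every login handler (persist it for at least the assertion's validity window), since an attacker who captures one signed Response can otherwise present it again until NotOnOrAfter passes.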

 

Setup Requirements Provided by the Customer

In order to set up a SAML SSO integration, the following information is required:

 

saml_metadata          Customer’s metadata for the SAML Identity Provider, including the signing certificate
Logout_url (optional)  Static URL to which the user is redirected after logging out of BenchPrep. It may carry static query parameters if necessary, but currently will not be populated with any user information.
Attribute mapping      Where each user attribute is found in the SAML Response (see Mappable Attributes below)


Mappable Attributes

Attribute Name        Example
identifier            NameID
name                  username
email                 email
sis_id (optional)
course_slugs          authorized_courses

 

Setup Requirements Provided by BenchPrep

BenchPrep will provide the following:

Service Provider saml_metadata

BenchPrep’s XML metadata as the SAML service provider.

 

This XML is imported into the Customer's Identity Provider following that IdP's own procedure.

 

The AssertionConsumerService element in this metadata carries a Location value: the URL to which the user's browser posts the SAML Response (carrying the Assertion) after authentication. The Identity Provider must send the SAML Response to exactly this Location.

 
