Veracity can integrate with your single sign-on (SSO) provider using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). This integration allows your enterprise users to log into the LRS user interface without providing a password. Integrating a single sign-on provider does not automatically disable local accounts.
SSO integration is an Enterprise feature.
For SaaS customers, Veracity will manage your SSO integrations. Contact support to schedule your SSO configuration.
Installing and Configuring SSO
Both SAML and OIDC integrations are system-level plugins, and must be enabled in the plugin admin area.
Choose "Activate a Plugin"
Find OpenID Connect or SAML. Click Activate.
You will be presented with a configuration dialog. Below is a description of the configuration prompts.
OIDC configuration values
- Display Name - a name for the plugin. Users will see this name on the login page
- Active - whether or not the plugin is activated. Setting this to false will disable the plugin without forgetting its settings.
- Override Auth - Use this plugin to replace the normal login flow. Rather than being presented with the login page, users will automatically be redirected to the SSO provider. If the SSO configuration is incorrect, this setting may make it impossible to access the system! In that case, you'll need to restart the server with the flag --disablePlugins=true.
- Client ID - this value will be provided by your SSO vendor
- Client Secret - this value will be provided by your SSO vendor
- Issuer - this value will be provided by your SSO vendor
- Scope - this value will be provided by your SSO vendor. Generally, you'll include both "email" and "openid"
- Response Type [code, ID Token, Token] - this value will be provided by your SSO vendor
- Redirect Override URI - override the callback URI supplied by the server to the SSO provider. This is only necessary in configurations where the LRS is behind a proxy and cannot properly construct its own callback URI.
- Login Success Redirect - The page to redirect the user to on successful authentication
- Create Users - whether a new user should be created in the LRS for successful logins that do not currently have LRS accounts.
SAML configuration values
The SAML plugin is not bundled into the software build. Contact Veracity for a copy of the plugin code.
- Display Name - a name for the plugin. Users will see this name on the login page
- Active - whether or not the plugin is activated. Setting this to false will disable the plugin without forgetting its settings.
- Issuer - this value will be provided by your SSO vendor
- Entry Point - this value will be provided by your SSO vendor
- Certificate - this value will be provided by your SSO vendor
- Username Attribute ID - the ID of the SAML attribute that should be mapped to the user's username
- Email Attribute ID - the ID of the SAML attribute that should be mapped to the user's email address
- Signature Algorithm - this value will be provided by your SSO vendor
- identifierFormat (Name ID Policy) - this value will be provided by your SSO vendor
- metadataSignatureCert - the public key certificate that matches the private key supplied in the privateKey setting
- privateKey - an RSA private key. This must be the private key paired with the public certificate in metadataSignatureCert
- Want Assertions Signed
- Create Users - whether a new user should be created in the LRS for successful logins that do not currently have LRS accounts.
Example Certificates
The metadataSignatureCert setting expects a PEM-encoded X.509 certificate, beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. The privateKey setting expects a PEM-encoded RSA private key, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----. Never paste example or shared certificates into a real configuration; they are for reference only. Generate a fresh pair using OpenSSL.
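As an added example (not Veracity's own tooling), the following POSIX shell script generates a fresh RSA private key and self-signed certificate in the two PEM formats above and checks that the certificate's public key really belongs to the private key, which is the pairing the metadataSignatureCert and privateKey settings require. The output file names, the CN and the validity period are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Veracity documentation or code base): create a
# key pair for the SAML plugin and verify it before pasting it into the settings.
set -eu

# gen_saml_keypair DIR [CN] [DAYS]
# Writes DIR/privateKey.pem (PKCS#1, "BEGIN RSA PRIVATE KEY", the format the docs
# show) and DIR/metadataSignatureCert.pem (self-signed X.509, "BEGIN CERTIFICATE").
gen_saml_keypair() {
  dir=$1; cn=${2:-lrs.example.com}; days=${3:-3650}   # assumed defaults
  mkdir -p "$dir"
  openssl genrsa -out "$dir/key.tmp" 2048 2>/dev/null
  # OpenSSL 3 writes PKCS#8 by default; -traditional forces the PKCS#1 header.
  # OpenSSL 1.1 lacks -traditional but already emits PKCS#1, hence the fallback.
  openssl rsa -in "$dir/key.tmp" -traditional -out "$dir/privateKey.pem" 2>/dev/null \
    || openssl rsa -in "$dir/key.tmp" -out "$dir/privateKey.pem" 2>/dev/null
  rm -f "$dir/key.tmp"
  chmod 600 "$dir/privateKey.pem"                      # keep the private key private
  openssl req -new -x509 -key "$dir/privateKey.pem" -days "$days" \
    -subj "/CN=$cn" -out "$dir/metadataSignatureCert.pem" 2>/dev/null
}

# keypair_matches CERT KEY
# Exit 0 when the certificate's public key was derived from KEY (same RSA modulus),
# non-zero otherwise. A mismatched pair means the metadata signature the plugin
# produces with privateKey cannot be validated against metadataSignatureCert.
keypair_matches() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null | openssl sha256 || true)
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256 || true)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage:
#   gen_saml_keypair ./saml-sso
#   keypair_matches ./saml-sso/metadataSignatureCert.pem ./saml-sso/privateKey.pem && echo "pair OK"
```

Paste the contents of metadataSignatureCert.pem and privateKey.pem into the matching plugin settings only after keypair_matches reports success.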
User matching
The SSO plugins will attempt to match a user from the SSO provider to a local account by email address. For OIDC, the email address should be present in the ID token returned by the SSO provider. The email claim is generally accessed by supplying the email scope in the scope list. For SAML, provide a value for the Email Attribute ID that returns the user's email address from the list of SAML attributes.
When a user is not found with a matching email address, login to the LRS will fail, even after successful SSO authentication. You can check the "Create Users" checkbox to have a user created automatically to match the information from the SSO provider.
Users created automatically from an SSO provider can ONLY log in via that provider. They cannot log in with a regular email address and password, even if you configure a password for them. You can modify this behavior by changing the user's "source" property to "local" in your database.
Intersection with user controls
Some user management controls intersect with SSO provider logins. The inactiveAccountDisable setting still applies to the user as normal. Users that are disabled or locked may successfully authenticate with the SSO provider, but cannot log into the LRS. For users that have both a local login and an SSO integration, logging in via SSO resets the incorrect login counter. It also clears any password reset key, as a regular successful login would. If a user has local 2FA enabled, they will be redirected to the LRS 2FA page after SSO authentication.
When using SSO, it is best to use 2FA at the SSO provider level, rather than the LRS level.