Single Sign On (SSO) Integration

Veracity can integrate with your single sign on provider using OpenID Connect or Security Assertion Markup Language (SAML). This integration allows your enterprise users to log into the LRS user interface without providing a password. Integrating a single sign on provider does not automatically disable local accounts.
Notes
SSO integration is an Enterprise feature.
Notes
For SaaS customers, Veracity will manage your SSO integrations. Contact support to schedule your SSO configuration.

Installing and Configuring SSO

  1. Both OpenID Connect and SAML integrations are system level plugins and must be enabled in the plugin admin area. Go to All Administration Tools and click Manage Plugins.


  2. Click the Activate a Plugin button.


  3. In either an OpenID Connect or SAML plugin, click the Activate button.


  4. You will be presented with a configuration dialog. Below is a description of the configuration prompts:

OpenID Connect Configuration Values

  1. Display Name — A name for the plugin. Users will see this name on the login page. 
  2. Active — Whether the plugin is activated. Setting this to false will disable the plugin without forgetting its settings. 
  3. Override Auth — Use this plugin to replace the normal login flow. Rather than being presented with the login page, users are redirected straight to the SSO provider. If the SSO configuration is incorrect, this setting can make it impossible to access the system; in that case, restart the server with the flag --disablePlugins=true
  4. Client ID — This value will be provided by your SSO vendor.
  5. Client Secret — This value will be provided by your SSO vendor.
  6. Issuer — This value will be provided by your SSO vendor.
  7. Scope — This value will be provided by your SSO vendor. Generally, you'll include both email and openid.
  8. Response Type [code, ID Token, Token] — This value will be provided by your SSO vendor.
  9. Redirect Override URI — Override the callback URI supplied by the server to the SSO provider. This is only necessary in configurations where the LRS is behind a proxy and cannot properly construct its own callback URI.
  10. Login Success Redirect — The page to redirect the user to on successful authentication.
  11. Create Users — Whether a new user should be created in the LRS for successful logins that do not currently have LRS accounts.

SAML Configuration Values

Notes
The SAML plugin is not bundled into the software build. Contact Veracity for a copy of the plugin code.
  1. Display Name — A name for the plugin. Users will see this name on the login page.
  2. Active — Whether the plugin is activated. Setting this to false will disable the plugin without forgetting its settings.
  3. Issuer — This value will be provided by your SSO vendor.
  4. Entry Point — This value will be provided by your SSO vendor.
  5. Certificate — This value will be provided by your SSO vendor.
  6. Username Attribute ID — This is the ID of the SAML attribute that should be mapped to the user's username.
  7. Email Attribute ID — This is the ID of the SAML attribute that should be mapped to the user's email address.
  8. Signature Algorithm — This value will be provided by your SSO vendor.
  9. identifierFormat (Name ID Policy) — This value will be provided by your SSO vendor.
  10. metadataSignatureCert — This value should be the public key certificate that matches with the private key supplied in the privateKey setting.
  11. privateKey — An RSA private key. This should be the private key paired with the public certificate in metadataSignatureCert.
  12. Want Assertions Signed.
  13. Create Users — Whether a new user should be created in the LRS for successful logins that do not currently have LRS accounts.

Example SAML Certificates

The certificates below illustrate the expected formats for the various certificate settings. Do not use these exact certificates; they are for reference only. Generate new ones using OpenSSL.
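The functions below are an added example and are not part of the Veracity documentation or the plugin code. They wrap the OpenSSL commands that produce the two values the SAML plugin asks for (an RSA private key in the PKCS#1 format shown on this page for privateKey, and a self-signed certificate for metadataSignatureCert), and they check that the certificate really belongs to the key before the pair is pasted into the plugin dialog. The output directory, the file names, the key size, the validity period and the subject CN are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the Veracity documentation: generate the RSA
# private key and self-signed certificate used for the SAML plugin's
# privateKey and metadataSignatureCert settings, then confirm they match.
# Output directory, file names, key size and the subject CN are assumptions.

# gen_saml_signing_pair OUT_DIR COMMON_NAME [BITS] [DAYS]
# Writes OUT_DIR/privateKey.pem and OUT_DIR/metadataSignatureCert.pem.
gen_saml_signing_pair() {
  out_dir=$1; cn=$2; bits=${3:-4096}; days=${4:-730}
  key="$out_dir/privateKey.pem"
  cert="$out_dir/metadataSignatureCert.pem"
  mkdir -p "$out_dir" || return 1
  # The page's example key is PKCS#1 ("BEGIN RSA PRIVATE KEY"). OpenSSL 3
  # needs -traditional to write that format; OpenSSL 1.1.1 and LibreSSL reject
  # the flag but write PKCS#1 by default, so fall back to the plain command.
  openssl genrsa -traditional -out "$key" "$bits" 2>/dev/null \
    || openssl genrsa -out "$key" "$bits" 2>/dev/null || return 1
  chmod 600 "$key"
  # Self-signed X.509 certificate for that key: this is the value that goes
  # into metadataSignatureCert, and what the IdP uses to verify the signature
  # on the LRS's SAML metadata.
  openssl req -new -x509 -sha256 -key "$key" -days "$days" \
    -subj "/CN=$cn" -out "$cert" 2>/dev/null || return 1
}

# cert_matches_key CERT_PEM KEY_PEM
# Returns 0 when the certificate's public key belongs to the private key
# (identical RSA modulus), 1 otherwise. A mismatched pair produces metadata
# signatures the IdP cannot verify, so run this before saving the plugin.
cert_matches_key() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# pem_label FILE -> prints the label of the first PEM block in FILE,
# e.g. "RSA PRIVATE KEY" or "CERTIFICATE", so you can confirm the file
# has the format the page's examples show.
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# cert_expires_within CERT_PEM SECONDS -> 0 if the certificate expires within
# SECONDS (or already has), 1 otherwise. Useful in a renewal reminder job,
# since an expired signing certificate silently breaks the SAML exchange.
cert_expires_within() {
  ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}
```

Source the file (`. ./saml-keys.sh`), run `gen_saml_signing_pair ./saml-keys lrs.example.com`, then paste the contents of privateKey.pem into privateKey and metadataSignatureCert.pem into metadataSignatureCert. `cert_matches_key` fails closed on unreadable files as well as on a mismatch, and `cert_expires_within` relies only on `openssl x509 -checkend`, so it behaves the same on GNU and BSD userlands.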

Example metadataSignatureCert 
-----BEGIN CERTIFICATE-----
MIIF2zCCA8OgAwIBAgIUE7eOoztHY7Gs6HakivGc4gepXfMwD
QYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBA
gMAk1EMRIwEAYDVQQHDAlSb2NrdmlsbGUxDDAKBgNVBAoMA1Z
UQzEfMB0GA1UEAwwWYmV0YS5lbnRlcnByaXNlLmxycy5pbzEe
MBwGCSqGSIb3DQEJARYPcm9iQHZlcmFjaXR5Lml0MB4XDTIzM
TIwODE5NTQzMloXDTI0MTIwNzE5NTQzMlowfTELMAkGA1UEBh
MCVVMxCzAJBgNVBAgMAk1EMRIwEAYDVQQHDAlSb2NrdmlsbGU
xDDAKBgNVBAoMA1ZUQzEfMB0GA1UEAwwWYmV0YS5lbnRlcnBy
aXNlLmxycy5pbzEeMBwGCSqGSIb3DQEJARYPcm9iQHZlcmFja
XR5Lml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAg
EA1rxs4q/UFwhzQX2La6wJmT0xsauubWbjV+gK6opS0h1Si47
YeEJ0JrXOCtoU/+SHNTQqZrszqIWhWcn9uBi7ILGhx5sAQmL1
Sfi/rRg4Qpk8tyE2lEr2MW3I31u+q6noWEfeGvd0a8laVEcuY
pwoEtUwZ6yPjDc0Jv8CP5Q6kh/eCkjRISPuv7o55uxzLg22E+
JclMxG5ZG+SmGHhbWm91rnpiegx8wP7arO/WtE22+cgXk6Z1B
Tp0Q88ID0/xLXX7wWb0WMGCLI3Mm3ZPmWl9OX2VLXKUxYmwlU
/27OEFxkO/pbhr/qgnjyRrlsA6PU8pKLd8g5Qn4MzZIKK4Kfz
0tvqvL2xZLAv7bGNC6iY+JCrh05mm3OltgPyWfrDNiEGXfkqb
cburOpUq8/Frqvoy7qv0B/GQ3NHjaRi2ewXzWkg0MromRnRLX
vV5JeY43rWzmraiXnANlX5GV225KzNoak2r8B76GKjoGySwuD
BLfscHy4riZCaYA0HJQySJheurgJrg5O/SBD4/vmofIsvcfhj
NSlyJQbBrm7OJFwTk4MFwhRptiCo++GDaucq37oZj+eS0aZfs
ihOH+cKLz9TlHhLSWSjuqA3N7z66oAF3BH36oB17O8QbhAlS2
MMLftE0FJKG/GUnABAuEprm2cYKC2P75dchFvK9ljrEPX8SEC
AwEAAaNTMFEwHQYDVR0OBBYEFGE/wXs5kHWrhPgoGw6gXT11E
wR2MB8GA1UdIwQYMBaAFGE/wXs5kHWrhPgoGw6gXT11EwR2MA
8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGR
md0+tQ9njwDFtlIIdg1rqh0NRAMYI/y1WYWYYUl3Lg4vj3LjS
lF4wggUTt6Sv6p8cbqrTnHdeXfq8ZXscNr0sLYvVDjyYXkeTE
Zdk1XvktwmWDBITXb+SJdXdMJeoKwoiAaQp0VD473dze0azRz
lmxcnQkCKuLo+vtKodnGCNrj99sFKIjVkJcgn+d24TSVM9m38
rnID3zUWFOeUpVLT48zW6NFkd8AsXvYASeLjhFZRYCHwncRwu
45xaveY7hfu5h5V5d90qTugbauopWeix8LaYD2iMHgCAl8ZqA
adzWjMwyNDeHMHApYZgBVvqdEBMUvVggFREFTjw6ab2TMRIfY
t7LfeZwN5fWf2etwsqOwtDWnKYMjKAwmNyQ1duQs/XMaw6OK0
kMwyn0GGMx8DaS/k5jyj4iIMOeiFiioEdhCSOrHXVusEg2YYh
v1VDpU+e3GFaYMFJk37rHvcBthE6stl8VYjGG2RYnLE9B6cqA
y+tyaPE3pQdoeUX7OFltwgX9quvbEx8Re/XhqGd7mdheF3plp
hF5POaXJM90ec4tWUAnQZNWzRYdSlpc5EDrCt8TqVeBsyC5Gs
aUGVGQp9ropOP+yYVByboV4wfqxRn0CMbMtDs/tzh5iqbdxw8
29F0O30PyhZ4K2wMHNadOHy7rCy1jmdwpKdM4dhYIYAz
-----END CERTIFICATE-----
Example privateKey
-----BEGIN RSA PRIVATE KEY-----
MIIJKgIBAAKCAgEA1rxs4q/UFwhzQX2La6wJmT0xsauubWbjV
+gK6opS0h1Si47YeEJ0JrXOCtoU/+SHNTQqZrszqIWhWcn9uB
i7ILGhx5sAQmL1Sfi/rRg4Qpk8tyE2lEr2MW3I31u+q6noWEf
eGvd0a8laVEcuYpwoEtUwZ6yPjDc0Jv8CP5Q6kh/eCkjRISPu
v7o55uxzLg22E+JclMxG5ZG+SmGHhbWm91rnpiegx8wP7arO/
WtE22+cgXk6Z1BTp0Q88ID0/xLXX7wWb0WMGCLI3Mm3ZPmWl9
OX2VLXKUxYmwlU/27OEFxkO/pbhr/qgnjyRrlsA6PU8pKLd8g
5Qn4MzZIKK4Kfz0tvqvL2xZLAv7bGNC6iY+JCrh05mm3OltgP
yWfrDNiEGXfkqbcburOpUq8/Frqvoy7qv0B/GQ3NHjaRi2ewX
zWkg0MromRnRLXvV5JeY43rWzmraiXnANlX5GV225KzNoak2r
8B76GKjoGySwuDBLfscHy4riZCaYA0HJQySJheurgJrg5O/SB
D4/vmofIsvcfhjNSlyJQbBrm7OJFwTk4MFwhRptiCo++GDauc
q37oZj+eS0aZfsihOH+cKLz9TlHhLSWSjuqA3N7z66oAF3BH3
6oB17O8QbhAlS2MMLftE0FJKG/GUnABAuEprm2cYKC2P75dch
FvK9ljrEPX8SECAwEAAQKCAgEAz6HoQxSypgbUswl6qwTxTwu
9pkcT5NLslo5XJ8vSIzqZGzpnE3lmKBv4+8M9NOU623XyXd07
KQL1LgXC36SCJC29+Wxlxss61GjCpdNaawMSkxx5UtBc1xSJe
3eRmRk0AVCUcUy+dI6AWidtsYm+sd8T69sN/g1OzzoaaXGhZL
ONljIsjLfa3eZqoGAXSvuVCAsDbBlNoCLZdcByMxafOGPcw2t
j6mzlJfDYLm/vZ6K3GPYoQ8eG66BusDpxKsaEHByZMMR1nszb
nakqPGeddnbxSADy7QrWTiqq1kXE2EsN3HTK1TNyxO+/jCU0T
Ry4BkkutAaVXzbUmF1Smhm2/QrtLiTArMsxo2P6/96R887ILy
VM1OcFvxhN2QyJLCy9y/KS36xMAB6gsarJDZVD61InUYZCbrv
GNeQqfXUju5DsUFkoi/xFObpAXaIErlV9PG1jrbCLavkWTzyl
WzTzRI5zKTAThoN4yV7EEfy/bt5XthB0YdSf8qZfXDmYXIGEX
zHZQN45Ed16uc8vBD0SuDE2k9aNapLB4zW8Qo1Zw2BfugcTHv
KP2xXRCV0Xy/31IgZ4lQXRX25VZBedkRSHl/Hq7nNV+okSruF
FAGr9ut5Pxw2i8AEECp65WT2mzbs2jzh9ZXBq/1638Q9Ko/Xu
041N2BS1+Ex2sDF9+mJFITECggEBAPRVTT3UhCHia4XnxAMVF
VWWJ/u/0ATxON1XieOuLoPBrn9zZcpd84jBfsOIxqY9qjlIP2
j1O2dAi8zOPSuJnXxSq1spHoErkUpvrVEzjWmd8vMZbPkNsgK
3lRgNqlleyDo0aTdiIj2OfLy6exjp2RGgYUfaw737KgarQHHt
wJ+owj0uRoYZiGm00t1c5YeUuD2/W3G0nYhKxXQ3v/71CH8xQ
JkPkmoWjctcVyhHszzsjUfUdNQn9nY6va1V5ESGjhiBEdRaf8
ck63ZOPuj34VNmacIgbErs23JFTB9l+O7wjZgmygbgSBq36sd
5tfsOMyF9IG5pvZLbJfW2ryt3zcUCggEBAOD9VN1Y1ee6AzGf
bfZKpOG6gY9McmDWyB4c5zEzw40o3Xtk7kR+7saNi2RJO1u40
Q7M4e5ETMsmc04PbPSQmPF2Mlw3SXK8Nj91ysxB5gFqh+KC5l
6UJ/YH3IbmOssGPOaTeGNx1bFC54jn9PtEHxtZTeqHNB44lhd
pP/ZYI9tgy8c+kC3NPGt/FYoK64QyzXiW6l+zerwx1UnUiofj
SIOf7FTPCqDBWDCUtQWUVYresTB2/KJKJa66MQBlAfyXhSKwL
9B0q1Jguvr3XIf2/4vx9S/h6fQH1Vdjq7IgNYn0r+etKVbZ1T
XlEJbf9nEAO3dW/swqF99dUSea03nTh60CggEAeX9VepKL5gG
ecCbQzKuWQUn6tfAq89oz6bUXB1XdIX2VVSFAE8JmULHPZFJG
XfI6DGQFzB5uHKj3G6/OsTCsVF8TgLBQz/CnPfmMmN1my4dUg
Vg6XRpXU4yQojZhaDF+pZrcW0L8Pdn14y9j+P6IB4DV/xIk1f
roagqMcFrGt14GwL+bKCHYOKBHXvZL2QC2IVZflYo378cmquT
yH0kfoYgPVE1vBDwU5HQVjx0gXwJOOtLGCZ2ZrC8HlQMqEH1M
eZjtEciy04djYyADnnts27kIjBTtZNClSwx0jwR5JfAOqQNY4
NR0ZnzgTbMTMDVebZ+4Gc+RCk7ZcHcYYigf9QKCAQEAuXcbZf
u9GPB1gYpzEvwlPw6HjqDuCHYFMQ2SZzTMlqiBKx7gawZXvsU
fiuPzUoDflNu/wrH6u9xOYKLGpjQsX5+Xk/zfRv1vmpB3RDlu
aOxwZ4CQdpaa+m0wlONkw8e4nDokm5VTGnSUeH79q8NUAS900
0fw5piu4U2ZtHCj3kvEr9Ia+CafD94K22h1DNz0E9wUCB/jpQ
9PSzUxnSL2u8ow/xhNIoc/M4ziTF8ixP8eAV2UlBObTJWfnzu
kj5w324hxYd1K/PVQLWGLnWk27x3diEMqoEd0zj0TZBq5B6f0
+X38/eNDptHVAwpMFIqkepP0JkjstOwv4f33Jg4BYQKCAQEA4
8Ck5QPi9703Y6Z+Dz0v2ab8/TYDAS7Q7+xJysxbEysbZY4vcq
iHN9FQvjaAHdyEUkwF5WX8CW11bQ78q77oc8ycrVoCuZWaF9f
iAV0USqxL3V36SgiMN1AiX3Za0lbpLZyDMmPvdFt+jiEbW5vY
/4p7/Nz4M7oBm8hp+S6ZYoqd9xF/GGP97O1Di1/JebL8sWRAQ
KAr5kCcuIGiGMaNF9iexYDJUP8kUFke1wXP20TPU9niIMKTF9
WGWh0XZ8ZiRIQ3kB6CqBUpsZ69Tr2CoY+V/SKpMpZT4Gb0pfo
FSue0HX2VyvV7FwnVPi6Jp1Poz31yQ9xaplOaR7obq3I1uA==
-----END RSA PRIVATE KEY-----

User Matching

The SSO plugins will attempt to match a user from the SSO provider to a local account by email address. For OpenID Connect, the email address should be present in the ID token returned by the SSO provider. The email claim is generally accessed by supplying the email scope in the scope list. For SAML, provide a value for the Email Attribute ID that returns the user's email address from the list of SAML attributes.

When no user with a matching email address is found, login to the LRS fails even after successful SSO authentication. You can check the Create Users checkbox to have a user created automatically from the information supplied by the SSO provider.
Notes
Users created automatically from an SSO provider can only log in via that provider. They cannot log in with a regular email address and password, even if you configure a password for them. You can change this behavior by setting the user's source property to local in your database.

Intersection with User Controls

Some user management controls intersect with the SSO provider logins. The inactiveAccountDisable setting will still apply as normal to the user. Users that are disabled or locked may successfully authenticate with the SSO provider but cannot log into the LRS. For users that have both a local login and an SSO integration, logging in via SSO will reset the incorrect login counter. It will also clear any password reset key, as would a regular successful login. If a user has local two factor authentication enabled, then on SSO authentication, the user will be redirected to the LRS two factor authentication page.
Notes
When using SSO, it is best to use two factor authentication at the SSO provider level, rather than the LRS level.
