Single Sign On (SSO) Integration
Veracity can integrate with your single sign on provider using OpenID Connect or Security Assertion Markup Language (SAML). This integration allows your enterprise users to log into the LRS user interface without providing a password. Integrating a single sign on provider does not automatically disable local accounts.
SSO integration is an Enterprise feature.
For SaaS customers, Veracity will manage your SSO integrations. Contact support to schedule your SSO configuration.
Installing and Configuring SSO
Both SAML and OIDC integrations are system level plugins, and must be enabled in the plugin admin area.
Choose "Activate a Plugin"
Find OpenID Connect or SAML. Click Activate.
You will be presented with a configuration dialog. Below is a description of the configuration prompts.
OIDC configuration values
- Display Name - a name for the plugin. Users will see this name on the login page
- Active - whether or not the plugin is activated. Setting this to false will disable the plugin without forgetting its settings.
- Override Auth - Use this plugin to replace the normal login flow. Rather than being presented the login page, users will automatically be redirected to the SSO provider. This setting may make it impossible to access the system, if the SSO configuration is incorrect! In this case, you'll need to restart the server with the flag --disablePlugins=true.
- Client ID - this value will be provided by your SSO vendor
- Client Secret - this value will be provided by your SSO vendor
- Issuer - this value will be provided by your SSO vendor
- Scope - this value will be provided by your SSO vendor. Generally, you'll include both "email" and "openid"
- Response Type [code, ID Token, Token] - this value will be provided by your SSO vendor
- Redirect Override URI - override the callback URI supplied by the server to the SSO provider. This is only necessary in configurations where the LRS is behind a proxy and cannot properly construct it's own callback URI.
- Login Success Redirect - The page to redirect the user to on successful authentication
- Create Users - whether a new user should be created in the LRS for successful logins that do not currently have LRS accounts.
SAML configuration values
The SAML plugin is not bundled into the software build. Contact Veracity for a copy of the plugin code.
- Display Name - a name for the plugin. Users will see this name on the login page
- Active - whether or not the plugin is activated. Setting this to false will disable the plugin without forgetting its settings.
- Issuer - this value will be provided by your SSO vendor
- Entry Point - this value will be provided by your SSO vendor
- Certificate - this value will be provided by your SSO vendor
- Username Attribute ID - This is the ID of the SAML attribute that should be mapped to the users username
- Email Attribute ID - This is the ID of the SAML attribute that should be mapped to the users email address
- Signature Algorithm - this value will be provided by your SSO vendor
- identifierFormat (Name ID Policy) - this value will be provided by your SSO vendor
- metadataSignatureCert - This value should be the public key certificate that matches with the private key supplied in the privateKey setting
- privateKey - an RSA private key. This should be the private key paired with the public certificate in metadataSignatureCert
- Want Assertions Signed
- Create Users - whether a new user should be created in the LRS for successful logins that do not currently have LRS accounts.
Example Certificates
The certificates below illustrate the expected formats for the various certificate settings. Don't use these exact certificates, they are for reference only! Generate new ones using OpenSSL.
metadataSignatureCert
-----BEGIN CERTIFICATE-----MIIF2zCCA8OgAwIBAgIUE7eOoztHY7Gs6HakivGc4gepXfMwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1EMRIwEAYDVQQHDAlSb2NrdmlsbGUxDDAKBgNVBAoMA1ZUQzEfMB0GA1UEAwwWYmV0YS5lbnRlcnByaXNlLmxycy5pbzEeMBwGCSqGSIb3DQEJARYPcm9iQHZlcmFjaXR5Lml0MB4XDTIzMTIwODE5NTQzMloXDTI0MTIwNzE5NTQzMlowfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1EMRIwEAYDVQQHDAlSb2NrdmlsbGUxDDAKBgNVBAoMA1ZUQzEfMB0GA1UEAwwWYmV0YS5lbnRlcnByaXNlLmxycy5pbzEeMBwGCSqGSIb3DQEJARYPcm9iQHZlcmFjaXR5Lml0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1rxs4q/UFwhzQX2La6wJmT0xsauubWbjV+gK6opS0h1Si47YeEJ0JrXOCtoU/+SHNTQqZrszqIWhWcn9uBi7ILGhx5sAQmL1Sfi/rRg4Qpk8tyE2lEr2MW3I31u+q6noWEfeGvd0a8laVEcuYpwoEtUwZ6yPjDc0Jv8CP5Q6kh/eCkjRISPuv7o55uxzLg22E+JclMxG5ZG+SmGHhbWm91rnpiegx8wP7arO/WtE22+cgXk6Z1BTp0Q88ID0/xLXX7wWb0WMGCLI3Mm3ZPmWl9OX2VLXKUxYmwlU/27OEFxkO/pbhr/qgnjyRrlsA6PU8pKLd8g5Qn4MzZIKK4Kfz0tvqvL2xZLAv7bGNC6iY+JCrh05mm3OltgPyWfrDNiEGXfkqbcburOpUq8/Frqvoy7qv0B/GQ3NHjaRi2ewXzWkg0MromRnRLXvV5JeY43rWzmraiXnANlX5GV225KzNoak2r8B76GKjoGySwuDBLfscHy4riZCaYA0HJQySJheurgJrg5O/SBD4/vmofIsvcfhjNSlyJQbBrm7OJFwTk4MFwhRptiCo++GDaucq37oZj+eS0aZfsihOH+cKLz9TlHhLSWSjuqA3N7z66oAF3BH36oB17O8QbhAlS2MMLftE0FJKG/GUnABAuEprm2cYKC2P75dchFvK9ljrEPX8SECAwEAAaNTMFEwHQYDVR0OBBYEFGE/wXs5kHWrhPgoGw6gXT11EwR2MB8GA1UdIwQYMBaAFGE/wXs5kHWrhPgoGw6gXT11EwR2MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGRmd0+tQ9njwDFtlIIdg1rqh0NRAMYI/y1WYWYYUl3Lg4vj3LjSlF4wggUTt6Sv6p8cbqrTnHdeXfq8ZXscNr0sLYvVDjyYXkeTEZdk1XvktwmWDBITXb+SJdXdMJeoKwoiAaQp0VD473dze0azRzlmxcnQkCKuLo+vtKodnGCNrj99sFKIjVkJcgn+d24TSVM9m38rnID3zUWFOeUpVLT48zW6NFkd8AsXvYASeLjhFZRYCHwncRwu45xaveY7hfu5h5V5d90qTugbauopWeix8LaYD2iMHgCAl8ZqAadzWjMwyNDeHMHApYZgBVvqdEBMUvVggFREFTjw6ab2TMRIfYt7LfeZwN5fWf2etwsqOwtDWnKYMjKAwmNyQ1duQs/XMaw6OK0kMwyn0GGMx8DaS/k5jyj4iIMOeiFiioEdhCSOrHXVusEg2YYhv1VDpU+e3GFaYMFJk37rHvcBthE6stl8VYjGG2RYnLE9B6cqAy+tyaPE3pQdoeUX7OFltwgX9quvbEx8Re/XhqGd7mdheF3plphF5POaXJM90ec4tWUAnQZNWzRYdSlpc5EDrCt8TqVeBsyC5GsaUGVGQp9ropOP+yYVByboV4wfqxRn0CMbMtDs/tzh5iqbdxw829F0O30PyhZ4K2wMHNadOHy7rCy1jmdwpKdM4dhYIYAz-----END CERTIFICATE-----
privateKey
-----BEGIN RSA PRIVATE KEY-----MIIJKgIBAAKCAgEA1rxs4q/UFwhzQX2La6wJmT0xsauubWbjV+gK6opS0h1Si47YeEJ0JrXOCtoU/+SHNTQqZrszqIWhWcn9uBi7ILGhx5sAQmL1Sfi/rRg4Qpk8tyE2lEr2MW3I31u+q6noWEfeGvd0a8laVEcuYpwoEtUwZ6yPjDc0Jv8CP5Q6kh/eCkjRISPuv7o55uxzLg22E+JclMxG5ZG+SmGHhbWm91rnpiegx8wP7arO/WtE22+cgXk6Z1BTp0Q88ID0/xLXX7wWb0WMGCLI3Mm3ZPmWl9OX2VLXKUxYmwlU/27OEFxkO/pbhr/qgnjyRrlsA6PU8pKLd8g5Qn4MzZIKK4Kfz0tvqvL2xZLAv7bGNC6iY+JCrh05mm3OltgPyWfrDNiEGXfkqbcburOpUq8/Frqvoy7qv0B/GQ3NHjaRi2ewXzWkg0MromRnRLXvV5JeY43rWzmraiXnANlX5GV225KzNoak2r8B76GKjoGySwuDBLfscHy4riZCaYA0HJQySJheurgJrg5O/SBD4/vmofIsvcfhjNSlyJQbBrm7OJFwTk4MFwhRptiCo++GDaucq37oZj+eS0aZfsihOH+cKLz9TlHhLSWSjuqA3N7z66oAF3BH36oB17O8QbhAlS2MMLftE0FJKG/GUnABAuEprm2cYKC2P75dchFvK9ljrEPX8SECAwEAAQKCAgEAz6HoQxSypgbUswl6qwTxTwu9pkcT5NLslo5XJ8vSIzqZGzpnE3lmKBv4+8M9NOU623XyXd07KQL1LgXC36SCJC29+Wxlxss61GjCpdNaawMSkxx5UtBc1xSJe3eRmRk0AVCUcUy+dI6AWidtsYm+sd8T69sN/g1OzzoaaXGhZLONljIsjLfa3eZqoGAXSvuVCAsDbBlNoCLZdcByMxafOGPcw2tj6mzlJfDYLm/vZ6K3GPYoQ8eG66BusDpxKsaEHByZMMR1nszbnakqPGeddnbxSADy7QrWTiqq1kXE2EsN3HTK1TNyxO+/jCU0TRy4BkkutAaVXzbUmF1Smhm2/QrtLiTArMsxo2P6/96R887ILyVM1OcFvxhN2QyJLCy9y/KS36xMAB6gsarJDZVD61InUYZCbrvGNeQqfXUju5DsUFkoi/xFObpAXaIErlV9PG1jrbCLavkWTzylWzTzRI5zKTAThoN4yV7EEfy/bt5XthB0YdSf8qZfXDmYXIGEXzHZQN45Ed16uc8vBD0SuDE2k9aNapLB4zW8Qo1Zw2BfugcTHvKP2xXRCV0Xy/31IgZ4lQXRX25VZBedkRSHl/Hq7nNV+okSruFFAGr9ut5Pxw2i8AEECp65WT2mzbs2jzh9ZXBq/1638Q9Ko/Xu041N2BS1+Ex2sDF9+mJFITECggEBAPRVTT3UhCHia4XnxAMVFVWWJ/u/0ATxON1XieOuLoPBrn9zZcpd84jBfsOIxqY9qjlIP2j1O2dAi8zOPSuJnXxSq1spHoErkUpvrVEzjWmd8vMZbPkNsgK3lRgNqlleyDo0aTdiIj2OfLy6exjp2RGgYUfaw737KgarQHHtwJ+owj0uRoYZiGm00t1c5YeUuD2/W3G0nYhKxXQ3v/71CH8xQJkPkmoWjctcVyhHszzsjUfUdNQn9nY6va1V5ESGjhiBEdRaf8ck63ZOPuj34VNmacIgbErs23JFTB9l+O7wjZgmygbgSBq36sd5tfsOMyF9IG5pvZLbJfW2ryt3zcUCggEBAOD9VN1Y1ee6AzGfbfZKpOG6gY9McmDWyB4c5zEzw40o3Xtk7kR+7saNi2RJO1u40Q7M4e5ETMsmc04PbPSQmPF2Mlw3SXK8Nj91ysxB5gFqh+KC5l6UJ/YH3IbmOssGPOaTeGNx1bFC54jn9PtEHxtZTeqHNB44lhdpP/ZYI9tgy8c+kC3NPGt/FYoK64QyzXiW6l+zerwx1UnUiofjSIOf7FTPCqDBWDCUtQWUVYresTB2/KJKJa66MQBlAfyXhSKwL9B0q1Jguvr3XIf2/4vx9S/h6fQH1Vdjq7IgNYn0r+etKVbZ1TXlEJbf9nEAO3dW/swqF99dUSea03nTh60CggEAeX9VepKL5gGecCbQzKuWQUn6tfAq89oz6bUXB1XdIX2VVSFAE8JmULHPZFJGXfI6DGQFzB5uHKj3G6/OsTCsVF8TgLBQz/CnPfmMmN1my4dUgVg6XRpXU4yQojZhaDF+pZrcW0L8Pdn14y9j+P6IB4DV/xIk1froagqMcFrGt14GwL+bKCHYOKBHXvZL2QC2IVZflYo378cmquTyH0kfoYgPVE1vBDwU5HQVjx0gXwJOOtLGCZ2ZrC8HlQMqEH1MeZjtEciy04djYyADnnts27kIjBTtZNClSwx0jwR5JfAOqQNY4NR0ZnzgTbMTMDVebZ+4Gc+RCk7ZcHcYYigf9QKCAQEAuXcbZfu9GPB1gYpzEvwlPw6HjqDuCHYFMQ2SZzTMlqiBKx7gawZXvsUfiuPzUoDflNu/wrH6u9xOYKLGpjQsX5+Xk/zfRv1vmpB3RDluaOxwZ4CQdpaa+m0wlONkw8e4nDokm5VTGnSUeH79q8NUAS9000fw5piu4U2ZtHCj3kvEr9Ia+CafD94K22h1DNz0E9wUCB/jpQ9PSzUxnSL2u8ow/xhNIoc/M4ziTF8ixP8eAV2UlBObTJWfnzukj5w324hxYd1K/PVQLWGLnWk27x3diEMqoEd0zj0TZBq5B6f0+X38/eNDptHVAwpMFIqkepP0JkjstOwv4f33Jg4BYQKCAQEA48Ck5QPi9703Y6Z+Dz0v2ab8/TYDAS7Q7+xJysxbEysbZY4vcqiHN9FQvjaAHdyEUkwF5WX8CW11bQ78q77oc8ycrVoCuZWaF9fiAV0USqxL3V36SgiMN1AiX3Za0lbpLZyDMmPvdFt+jiEbW5vY/4p7/Nz4M7oBm8hp+S6ZYoqd9xF/GGP97O1Di1/JebL8sWRAQKAr5kCcuIGiGMaNF9iexYDJUP8kUFke1wXP20TPU9niIMKTF9WGWh0XZ8ZiRIQ3kB6CqBUpsZ69Tr2CoY+V/SKpMpZT4Gb0pfoFSue0HX2VyvV7FwnVPi6Jp1Poz31yQ9xaplOaR7obq3I1uA==-----END RSA PRIVATE KEY-----
User matching
The SSO plugins will attempt to match a user from the SSO provider to a local account by email address. For OIDC, the email address should be present in the ID token returned by the SSO provider. The email claim is generally accessed by supplying the email scope in the scope list. For SAML, provide a value for the Email Attribute ID that returns the user's email address from the list of SAML attributes.
When a user is not found with a matching email address, login to the LRS will fail, even after successful SSO authentication. You can check the "Create Users" checkbox to have a user created automatically to match the information from the SSO provider.
Users created automatically from and SSO provider can ONLY log in via that provider. They cannot log in with a regular email address and password, even if you configure a password for them. You can modify this behavior by changing the user "source" property to "local" in your database.
Intersection with user controls
Some user management controls intersect with the SSO provider logins. The inactiveAccountDisable setting will still apply as normal to the user. Users that are disabled or locked may successfully authenticate with the SSO provider, but cannot log into the LRS. For users that have both a local login and an SSO integration, logging in via SSO will reset the incorrect login counter. It will also clear any password reset key, as would a regular successful login. If a user has local 2FA enabled, on SSO authentication, the user will be redirected to the LRS 2FA page.
When using SSO, it is best to use 2FA at the SSO provider level, rather than the LRS level.
Related Articles
LMS Integration
The Veracity Learning offers seamless integration with your LMS to allow instructors and students to access the services of the LRS without leaving their LMS environment. This is accomplished via LTI (Learning Tools Interoperability), a standard from ...SQL Integration
SQL Integration is an Enterprise only feature Veracity LRS can synchronize your xAPI statements into an SQL database in real time. The LRS will open a connection to your SQL server, and flush out statements every 300 milliseconds. Statements are not ...Elasticsearch Integration
Overview The LRS can accelerate its dashboard and statement viewer by leveraging Elasticsearch in addition to MongoDB. When configured with the optional Elasticsearch connection, the LRS will synchronize xAPI statements in real time between these two ...Versions of Veracity Learning
Veracity Learning LRS comes in a few versions. The main version, and the one you're most likely looking at right now, is LRS.io. LRS.io This is our cloud hosted SaaS service, where anyone can create an LRS. You can use the free version, which is ...Configuration
Setting Configuration Values It's typical to use the .env file to store configuration settings. These settings only apply to on site installations. When using a hosted SaaS plan, Veracity will manage the settings for your deployment. Contact support ...