Configure SAML Single Sign-On for Lepaya

📘

Please be aware that configuring Single Sign-On (SSO) is a technical procedure. We strongly advise involving your IT team for assistance with the setup.

There are three steps to configure:

  1. You send us your data.
  2. We configure things on our side and send you our metadata.
  3. You import the metadata into your Identity Provider and test a login.

Let's jump into it.

1. You send us your data

In order to set up SAML SSO for the Lepaya Learning Platform, we need you to provide the following SAML identity provider (IdP) information to your Onboarding & Implementation Manager:

  1. Sign In URL - the URL of your IdP to which all SAML authentication requests are sent.
  2. X509 Signing Certificate - the public-key certificate your IdP signs assertions with, so that our SSO service provider can validate the signature on each authentication assertion. Accepted files: .pem and .cer formats. Send only the public certificate, never the private key, and make sure it is the certificate your IdP currently signs with: a rotated or expired certificate makes every assertion fail signature validation.
  3. (Optional) Sign Out URL - when empty this field defaults to the Sign In URL.
  4. (Optional) Sign Request Algorithm - only needed if your IdP signs with an algorithm other than RSA-SHA256, which is the default.
  5. Domain(s) to identify your emails with - this is especially important if you have multiple domains! E.g.: lepaya.com, lepaya.nl. Users whose e-mail domain is not on this list cannot log in.
  6. SAML Attribute Mapping: the attributes included in the SAML assertions and which of our attributes each one maps to (see Attribute Mapping below).

Attribute Mapping

We require certain attributes to be passed in the SAML assertion to properly identify and manage users. Please specify which attributes in your IdP should map to the attributes in our SP.

📘

Please note that the email attribute is crucial. By default we read the user's e-mail address from the emailaddress claim shown in the example below (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress). If your IdP sends the e-mail address under a different attribute name, send us that name; otherwise the integration will not work.

Here is an example:

{
 "user_id": [
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
 ],
 "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
 "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
 "given_name": [
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
 ],
 "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
 "groups": "http://schemas.xmlsoap.org/claims/Group"
}

Please send all this information using this secure method: https://developer.lepaya.com/docs/how-to-share-sensitive-information-with-us.
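As an added worked example (not Lepaya's code, and not a description of how its SSO service provider is actually implemented), the following Python script applies a mapping like the one above to a constructed SAML response and then checks the resulting e-mail domain against the domain list from item 5. It assumes that a list of claim names is tried in order and the first one present in the assertion wins, and that the Subject NameID is exposed under the nameidentifier claim; signature validation against your X509 certificate happens before this step and is not shown. The sample response, the IdP URL and the allowed domains are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Union

# SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# The attribute mapping from the page. A list is an ordered set of candidate claims;
# ASSUMPTION (not stated on the page): the first candidate present in the assertion wins.
ATTRIBUTE_MAPPING: Dict[str, Union[str, List[str]]] = {
    "user_id": [
        NAMEID_CLAIM,
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    ],
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    ],
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}

# Constructed sample response (not captured from a real IdP). The ds:Signature element is
# omitted because signature validation is out of scope here. There is deliberately no
# "upn" or "name" claim, so the fallback order in the mapping matters.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@lepaya.nl</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@lepaya.nl</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>learners</saml:AttributeValue>
        <saml:AttributeValue>managers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return {claim name: [values]} from the AttributeStatement. The Subject NameID is
    exposed under the nameidentifier claim (ASSUMPTION: common IdP convention)."""
    root = ET.fromstring(xml_text)
    is_assertion = root.tag == "{%s}Assertion" % NS["saml"]
    assertion = root if is_assertion else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found in response")
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = [v for v in values if v]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        attrs.setdefault(NAMEID_CLAIM, [name_id.text.strip()])
    return attrs


def apply_mapping(attrs: Dict[str, List[str]], mapping=ATTRIBUTE_MAPPING) -> dict:
    """Resolve each SP attribute; candidate lists are tried in order, first hit wins."""
    profile = {}
    for sp_attr, candidates in mapping.items():
        for claim in ([candidates] if isinstance(candidates, str) else candidates):
            values = attrs.get(claim)
            if values:
                # groups is multi-valued; every other attribute takes the first value.
                profile[sp_attr] = values if sp_attr == "groups" else values[0]
                break
    return profile


def email_domain_allowed(email: str, allowed_domains: Iterable[str]) -> bool:
    """Case-insensitive check of the part after the last '@' against the domain list."""
    if "@" not in email:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower().lstrip("@") for d in allowed_domains}


def resolve_user(xml_text: str, mapping=ATTRIBUTE_MAPPING,
                 allowed_domains: Iterable[str] = ("lepaya.com", "lepaya.nl")) -> dict:
    """Attributes -> profile -> domain check; raises ValueError on the two failure modes
    the troubleshooting section describes (missing email claim, unknown domain)."""
    profile = apply_mapping(parse_assertion_attributes(xml_text), mapping)
    if not profile.get("email"):
        raise ValueError("no email claim in assertion; send Lepaya the attribute name your IdP uses")
    if not email_domain_allowed(profile["email"], allowed_domains):
        raise ValueError("domain of %s is not in the allowed list" % profile["email"])
    return profile


if __name__ == "__main__":
    print(resolve_user(SAMPLE_RESPONSE))
```

With the sample above, user_id falls back to the NameID because neither the upn nor the name claim is present, name stays unset, and given_name comes from givenname. Running resolve_user with only lepaya.com allowed reproduces the "@company.com vs @company.io" failure from the troubleshooting section.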

2. We configure things on our side and send you our metadata.

Now it's our turn: we'll configure everything on our side and let you know everything is set.

3. You import the metadata into your Identity Provider and test a login

After receiving our metadata file, import it into your Identity Provider (this registers our service provider with your IdP) and test a login with a user who is assigned to the application on your IdP.


Troubleshooting

A user can't log in

Check the following:

  1. The user who is trying to log in is authorized to use the application on your IdP.
  2. The user's email domain is one of the domains you sent us.
    1. For instance, if you sent us @company.com and the user is trying to log in with @company.io, send us the other domains we should allow.
  3. If you have checked everything on your side, go through step 1 from the previous section again: send us a current certificate and re-check the other information (Sign In URL, attribute names).

I can't find the problem, can you help me?

Sure! If you have already gone through the debugging options above, feel free to send us an email with the user's email address and the timestamp (including time zone) of the failed login attempt.