What is SSO via SAML 2.0?

Single Sign-On (SSO) via SAML 2.0 is an authentication process that allows a user to access multiple applications with one set of login credentials. With this feature, clients host all of their employee login credentials, and the SafetySkills Learning Management System (LMS) interacts with the client’s system to authenticate users when they log in. Additionally, optional Single Sign-On for SafetySkills gives users the choice of logging in through SSO or entering their login credentials to access the SafetySkills LMS directly. This means that users who are not in the client’s SSO or LDAP systems (such as temporary employees, contractors, etc.) can still access the Learning Management System.

How To Configure Your SSO Settings

  • Once you have SSO enabled for your SafetySkills account, when logged in to the system, you can select “Settings” on the left side of the page within the menu bar, and then select “Account Information” towards the bottom. Please note, your user type must have the permission “Can Modify Account Settings” to access this page.

  • When you reach this page, there should be a section labeled “Single Sign-On.” This section contains the settings you can modify for the feature. Below are descriptions of the settings you will find in this section:

Expected Properties

  • Status
    • This is a required field. Options include:
      • “Disabled” is selected by default. This means that SSO is not turned on, and users will log in using their SafetySkills credentials.
      • “Active – Required” will enable traditional SSO for the account where each user will be required to log in via the SSO system.
      • “Active – Optional” will enable the optional SSO feature, allowing your users to choose logging in via SSO or using their SafetySkills credentials. This may be the best option to test with while configuring SSO to ensure that users will always have access to SafetySkills while testing.
  • Description
    • This field is optional.
    • This field is most likely called “Display Name” in your metadata, and can be used as a way of labeling this particular SSO configuration. The naming convention is entirely up to the client’s discretion.
  • Entity ID
    • This is a required field.
    • This is the unique identifier your IdP needs to make a successful connection. This information should be provided within your metadata.
  • Single Sign On Service Url
    • This is a required field.
    • This entry provides the endpoint that our service provider (SP) connects to. This information should be provided within your metadata.
  • Single Logout Service Url
    • This field is not required.
    • If this entry is included, your users will also be logged out of all other associated platforms while using the SSO login credentials.
  • Signature Algorithm
    • This is a required field. Options include:
      • SHA1 (system default)
      • SHA256
  • Certificate
    • This is a required field.
    • The certificate is used to sign identity information that is being sent securely from the identity provider (client) to the service provider (SafetySkills). This information should be provided within your metadata.
  • SAML Button Text
    • This is not a required field.
    • This is customizable text displayed in the button on the SafetySkills login page that redirects users to log in via SSO. By default, this text will be labeled “Sign in with SSO.”

Additional Options

  • Disabled IdP Initiated SSO
    • This box is unchecked by default.
    • If you leave this box unchecked, users will be able to access SafetySkills from your IdP. If you check this box, users will be required to go to your SafetySkills URL.
  • Sign Authn Request
    • This box is checked by default.
    • We recommend this box remains checked as it provides additional verification.
  • Force Authorization
    • This box is unchecked by default.
    • If this feature is enabled, users will be forced to enter their credentials upon each login. We recommend checking this setting if you have multiple users utilizing the same device.
  • Assertion/Response Signed
    • This box is checked by default.
    • We recommend this box remains checked as it provides additional verification. If checked, the assertion and/or response can be signed.
  • Encrypt Assertion
    • This box is not checked by default.
    • When this feature is enabled, the assertion will be encrypted.
  • Disable Password Reset Link
    • This box is not checked by default.
    • When this feature is enabled, the link to reset a password will not be visible on the login page.

If you have any questions, please contact your Training Success Manager for additional assistance!