Edjet LMS Cloud

Setup Single sign-on (SSO)

Superadministrator info

Edjet LMS support the Single sign-on advanced user identity management using SAML 2.0 protocol, an authentication scheme that allows a user to log in with a one-button.

SSO setup require the Edjet LMS to use https protocol.

User accounts

The user account being authenticated has to exist in the Edjet LMS database.

You can create and synchronize user accounts in Edjet LMS using Active Directory connector.

Setup the SSO authentication

All the setting and options of the SSO connector can be managed in the admin panel.

To setup SSO authentication:

  1. Sign in to Edjet LMS admin.
  2. In the menu click settings Settings and then click settings_applications System
  3. Click tab SSO.
  4. Check option Enable SAML SSO authentication.
  5. Enter SSO settings and credentials.
    See settings and options below.
  6. In the toolbar click save Save.

Settings and options

Setting Options and description
saml_sso

Enable or disable SAML SSO authentication

  • false
  • true

Data type: boolean

saml_entity_id

Identifier of the Identity Provider (IdP) entity - must be an URI

Data type: string

saml_sso_url

SSO endpoint of the IdP (Authentication Request protocol)

URL Target of the IdP where the Authentication Request Message will be sent

Data type: string

saml_sls_url

SLO endpoint of the IdP

URL Location of the IdP where SLO Request will be sent

Data type: string

saml_x509cert

Public x509 certificate of the IdP

Data type: string

Edjet LMS SAML SSO endpoints

Edjet LMS offer following SAML SSO endpoints to the IdP:

Third party IdP settings

Microsoft Azure Cloud

  • Documentation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
  • Use same url for "saml_sls_url" as for "saml_sso_url"
  • Logout URL setting field is not available in SSO section of enterprise application. To fill this field go to: Azure Active Directory → App registrations → View all applications → select application → Settings → Properties → Logout URL field

Microsoft Active Directory Federation Services (MS AD FS)

  • Additional IDP settings:
    'security' => array (
    'lowercaseUrlencoding' => true,
    'requestedAuthnContext' => false,
    ),

Logout issue:

  • ADFS requires signed logout request. Request could be signed by self signed certificate. (https://www.samltool.com/self_signed_certs.php). Public x509 cert should be registered on ADFS side. There are a lot of issues with signed communication between php-saml and ADFS (https://github.com/onelogin/php-saml/issues/251, https://social.technet.microsoft.com/Forums/en-US/bc71bd77-018a-4faa-9147-f93afceaf218/logout-response-signature-issue?forum=ADFS, https://github.com/onelogin/java-saml/issues/130)
  • We can use WS-federation sign out (https://social.technet.microsoft.com/wiki/contents/articles/1439.ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx), but with some restrictions:
    • first logout is OK
    • next logout is possible after 10 minutes (https://stackoverflow.com/questions/32357669/adfs-3-0-single-sign-out-with-relying-party-sts)
    • user can delete browser cookies
    • user can logout directly using ADFS UI: https://<ADFS_URL>/adfs/ls/idpinitiatedsignon.aspx
Connect external services