Edjet LMS Server 6.4

Setup Single sign-on (SSO)

Superadmin info

Edjet LMS supports single sign-on (SSO), an advanced user identity management feature based on the SAML 2.0 protocol: an authentication scheme that lets a user log in with a single button.

SSO setup requires the Edjet LMS installation to be served over the HTTPS protocol.

User accounts

The user account being authenticated has to exist in the Edjet LMS database.

You can create and synchronize user accounts in Edjet LMS using the Active Directory connector.

Set up the SSO authentication

All the settings and options of the SSO connector can be managed in the admin panel.

To set up SSO authentication:

  1. Sign in to Edjet LMS admin.
  2. In the menu click Settings and then click System.
  3. Click the SSO tab.
  4. Check the option Enable SAML SSO authentication.
  5. Enter the SSO settings and credentials.
    See settings and options below.
  6. In the toolbar click Save.

Settings and options

Setting: options and description
saml_sso

Enable or disable SAML SSO authentication

  • false
  • true

Data type: boolean

saml_entity_id

Identifier of the Identity Provider (IdP) entity; must be a URI

Data type: string

saml_sso_url

SSO endpoint of the IdP (Authentication Request protocol)

URL target of the IdP to which the Authentication Request message will be sent

Data type: string

saml_sls_url

SLO endpoint of the IdP

URL location of the IdP to which the SLO Request will be sent

Data type: string

saml_x509cert

Public X.509 certificate of the IdP (the certificate only, not the IdP's private key)

Data type: string
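The five settings above are free-text fields, and a typo in any of them (a non-URI entity ID, an http:// endpoint, a private key pasted where the IdP certificate belongs) only shows up as a failed login later. The following checker is an added example, not part of Edjet LMS or the page; it validates a settings dictionary with the same keys before they are saved. The sample values, the hypothetical stand-in certificate and the helper names are constructed for the example; the certificate check only verifies PEM/base64 framing and DER structure, it does not verify expiry or signature.

```python
"""Pre-save sanity checks for the Edjet LMS SAML SSO settings (added example)."""
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a certificate body: DER SEQUENCE { INTEGER 5 }.
# A real saml_x509cert value is the IdP's PEM certificate from its metadata.
_FAKE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----"
)

# Constructed sample settings; the keys match the admin-panel settings,
# the values are placeholders and do not refer to a real IdP.
SAMPLE_SETTINGS = {
    "saml_sso": "true",
    "saml_entity_id": "https://idp.example.com/metadata",
    "saml_sso_url": "https://idp.example.com/sso",
    "saml_sls_url": "https://idp.example.com/sso",  # same URL as SSO, as the Azure notes allow
    "saml_x509cert": SAMPLE_PEM,
}

# Constructed misconfiguration: every field is wrong in a typical way.
BAD_SETTINGS = {
    "saml_sso": "yes",
    "saml_entity_id": "my-idp",
    "saml_sso_url": "http://idp.example.com/sso",
    "saml_sls_url": "https://idp.example.com/slo",
    "saml_x509cert": "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----",
}


def _der_sequence_length(blob: bytes):
    """Return the total encoded length of a DER SEQUENCE at blob[0], or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F  # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_x509cert(value: str) -> List[str]:
    """Check that saml_x509cert holds one base64/PEM-encoded DER certificate."""
    if "PRIVATE KEY" in value:
        return ["saml_x509cert: contains a private key; paste only the IdP public certificate"]
    match = PEM_RE.search(value)
    body = re.sub(r"\s+", "", match.group(1) if match else value)
    if not body:
        return ["saml_x509cert: empty"]
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return ["saml_x509cert: not valid base64"]
    total = _der_sequence_length(der)
    if total is None or total != len(der):
        return ["saml_x509cert: decoded data is not a single DER SEQUENCE (not a certificate)"]
    return []


def check_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    if settings.get("saml_sso") not in (True, False, "true", "false"):
        findings.append("saml_sso: must be boolean true/false")
    entity = urlparse(settings.get("saml_entity_id", ""))
    if not entity.scheme or not (entity.netloc or entity.path):
        findings.append("saml_entity_id: must be a URI (e.g. https://... or urn:...)")
    for key in ("saml_sso_url", "saml_sls_url"):
        url = urlparse(settings.get(key, ""))
        if url.scheme != "https" or not url.netloc:
            findings.append(f"{key}: must be an absolute https URL")
    findings.extend(check_x509cert(settings.get("saml_x509cert", "")))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SETTINGS), ("bad", BAD_SETTINGS)):
        print(name, check_settings(cfg) or "OK")
```

Run it as a script to see the findings for both constructed configurations; in practice, feed it the values you are about to paste into the SSO tab and fix every finding before clicking Save.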

Edjet LMS SAML SSO endpoints

Edjet LMS offers the following SAML SSO endpoints to the IdP:

Third party IdP settings

Microsoft Azure Cloud

  • Documentation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
  • Use the same URL for "saml_sls_url" as for "saml_sso_url"
  • The Logout URL setting field is not available in the SSO section of the enterprise application. To fill this field go to: Azure Active Directory → App registrations → View all applications → select application → Settings → Properties → Logout URL field

Microsoft Active Directory Federation Services (MS AD FS)

  • Additional IdP settings (fragment of the php-saml settings array):
        'security' => array(
            'lowercaseUrlencoding' => true,
            'requestedAuthnContext' => false,
        ),

Logout issue:

  • ADFS requires a signed logout request. The request can be signed with a self-signed certificate (https://www.samltool.com/self_signed_certs.php); the public X.509 certificate must be registered on the ADFS side. There are many known issues with signed communication between php-saml and ADFS (https://github.com/onelogin/php-saml/issues/251, https://social.technet.microsoft.com/Forums/en-US/bc71bd77-018a-4faa-9147-f93afceaf218/logout-response-signature-issue?forum=ADFS, https://github.com/onelogin/java-saml/issues/130)
  • WS-Federation sign-out can be used instead (https://social.technet.microsoft.com/wiki/contents/articles/1439.ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx), but with some restrictions:
    • the first logout works
    • the next logout is possible only after 10 minutes (https://stackoverflow.com/questions/32357669/adfs-3-0-single-sign-out-with-relying-party-sts)
    • the user can delete the browser cookies
    • the user can log out directly using the ADFS UI: https://<ADFS_URL>/adfs/ls/idpinitiatedsignon.aspx