This document outlines how LearnShare uses SAML for single-sign-on solutions. LearnShare will typically require a letter of engagement prior to implementing SAML on behalf of an organization, so please contact our support team if you’d like to get more information.
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards.
The SAML specification defines three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP). In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision – in other words, it can decide whether to perform some service for the connected principal.
Before delivering the identity assertion to the SP, the IdP may request some information from the principal, such as a user name and password, in order to authenticate the principal. SAML specifies the assertions exchanged between the three parties, in particular the messages asserting identity that are passed from the IdP to the SP. In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs.
SAML does not specify the method of authentication at the identity provider; it may use a username and password, or other form of authentication, including multi-factor authentication. A directory service such as LDAP, RADIUS, or Active Directory that allows users to log in with a user name and password is a typical source of authentication tokens at an identity provider.
Shibboleth is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
The Shibboleth software implements widely used federated identity standards, principally the OASIS Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. A user authenticates with his or her organizational credentials, and the organization (or identity provider) passes the minimal identity information necessary to the service provider to enable an authorization decision. Shibboleth also provides extended privacy functionality allowing a user and their home site to control the attributes released to each application.
LearnShare leverages Shibboleth as our federated identity provider. LearnShare clients can leverage their own SAML-based authentication processes to create a single sign-on process.
SAML is in wide use in most enterprises, and you can contact your Networking/Security team to see how to leverage SAML with LearnShare in your organization.
We will require the following from your identity server:
LearnShare Identity Information
Required configuration on the client IdP
LearnShare assumes the e-mail address will be used as the identifier, but other values (e.g. employee ID) can be used instead.
The Subject of the SAML assertion must include a NameID element, and that NameID must carry a Format attribute:
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxx@email.com</NameID>
Every Attribute must also carry a NameFormat attribute:
<AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="email">
    <AttributeValue xsi:type="xs:string">xxx@email.com</AttributeValue>
  </Attribute>
</AttributeStatement>
The Attributes that LearnShare is currently listening for are:
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="email" id="email" />
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="NameID" id="NameID" />
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="sn" id="sn" />
<Attribute nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" name="givenName" id="givenName" />
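As an added example (not LearnShare's or Shibboleth's own code), the following Python checks an assertion against the two rules above (NameID must carry a Format, every Attribute must carry a NameFormat) and reports which of the four expected attributes were released. The sample assertion is constructed for the example, its signature is omitted, and the `sn` attribute deliberately lacks a NameFormat so the check has something to flag.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attributes LearnShare listens for (the four listed above).
EXPECTED_ATTRIBUTES = ("email", "NameID", "sn", "givenName")

# Constructed sample assertion (no signature; 'sn' deliberately lacks NameFormat).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxx@email.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="email">
      <saml:AttributeValue xsi:type="xs:string">xxx@email.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="sn">
      <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Check one SAML 2.0 assertion against the LearnShare rules above.
    Returns (problems, attributes): problems is a list of rule violations,
    attributes maps each released attribute Name to its list of values."""
    # Run this only after signature validation; use defusedxml for untrusted input.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    elif not name_id.get("Format"):
        problems.append("NameID is missing a Format attribute")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if not attr.get("NameFormat"):
            problems.append(f"Attribute '{name}' is missing a NameFormat")
        attributes[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for expected in EXPECTED_ATTRIBUTES:
        if expected not in attributes:
            problems.append(f"expected attribute '{expected}' not released")
    return problems, attributes
```

Running `check_assertion(SAMPLE_ASSERTION)` reports the missing NameFormat on `sn` and the two attributes (`NameID`, `givenName`) the sample never releases, which is the kind of gap to look for when an IdP's assertions are rejected.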