Promote SSO general information
The Promote Learning Platform supports Single Sign On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IdP) rather than obtaining and using a separate username and password handled by Promote.
Under the SSO setup, Promote acts as a Service Provider (SP) using SAML 2.0 (Security Assertion Markup Language).
SSO is available via Microsoft Active Directory Federation Services 2.0 and Shibboleth 2.0 (both over SAML), as well as via common OAuth 2.0 providers such as LinkedIn, Google and Facebook.
Promote requires AD FS 2.0 or later.
To enable your AD FS to communicate with Promote you first need to add a new Relying Party Trust using the “AD FS” profile, which supports SAML 2.0.
- Enable support for the SAML 2.0 Web SSO protocol and use https://auth.promotelogin.com:443/auth/saml/callback as the SSO service URL.
- Add the following relying party trust identifiers:
- Add the following issuance transform rules for the claims sent to this relying party trust:
  - Use the “Send LDAP Attributes as Claims” rule template, with the following mappings of LDAP attribute to outgoing claim type:
    - Given-Name → Given Name
    - Surname → Surname
    - E-Mail-Addresses → E-Mail Addresses
    - User-Principal-Name → UPN
  - Use the “Transform an Incoming Claim” rule template with the following values:
    - Incoming claim type: Primary SID
    - Outgoing claim type: Name ID
    - Outgoing name ID format: Persistent
    - Please check “Pass through all claim values”.
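As an added illustration (not Promote's code), the check below shows what an assertion issued under the rules above looks like to the service provider and verifies the claim set: a persistent-format NameID, the four LDAP-derived claims, and a Recipient and Audience bound to the Promote callback URL and relying party identifier. The assertion is a constructed sample, the relying party identifier is a placeholder since the real identifiers are not listed on this page, and XML signature verification is assumed to be done by the SAML library before this check runs.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ACS_URL = "https://auth.promotelogin.com:443/auth/saml/callback"
RP_ID = "urn:example:promote-rp"  # placeholder; the real identifiers are not listed above
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {CLAIMS + n for n in ("givenname", "surname", "emailaddress", "upn")}


def check_assertion(xml_text):
    """Return the list of mismatches against the expected claim set (empty list = OK)."""
    ns = {"saml": SAML}
    root = ET.fromstring(xml_text)
    problems = []
    # NameID comes from the Primary SID transform rule and must be persistent-format.
    name_id = root.find("saml:Subject/saml:NameID", ns)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not persistent format")
    # Recipient must be the Promote callback URL the relying party trust was configured with.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", ns)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the Promote callback URL")
    # Audience must name this relying party, otherwise the assertion was issued for another SP.
    audiences = {a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", ns)}
    if RP_ID not in audiences:
        problems.append("Audience does not include the relying party identifier")
    # The four LDAP-derived claims produced by the "Send LDAP Attributes as Claims" rule.
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", ns)}
    problems += [f"missing claim {c}" for c in sorted(REQUIRED - present)]
    return problems


# Constructed sample assertion (unsigned; the UPN claim is deliberately left out).
SAMPLE = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">S-1-5-21-1-2-3-1001</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2020-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{RP_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `check_assertion(SAMPLE)` reports only the missing UPN claim; a transient NameID or an Audience for another SP is reported as well, which is what a misconfigured transform rule or a mis-targeted assertion looks like at the SP.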
To configure the platform for SSO via SAML 2.0, we need:
- A federation metadata file for your AD FS, so we can configure SSO on our side
- A technical contact who will configure the AD FS.