SAML Single Sign On
Below are the details required for the production instance.
IP address: sso.viewcentral.com – 166.78.74.66
Assertion Consumer Service:
Entity ID:
Start Page: https://inter.viewcentral.com/events/cust/default.aspx?cid=<company_id>&pid=1
Single Logout URL: https://sso.viewcentral.com/ServiceProvider/Attendee.asmx/LogoutReceive?cid=<company_id>&pid=1
LTO supports SSO with and without SAML. With standard (non-SAML) SSO, LTO validates the attendee’s username and password, or a combination of first name, last name, and email.
With SSO/SAML enabled, the Training Ops application verifies an assertion that is posted to the system and allows single sign-on if the assertion is valid.
Standard SSO uses an XML post to pass the attendee to the Training-Ops Attendee View pages. SSO/SAML can be used with the Attendee View pages and the Administration View access.
SAML Configuration
(Note: The following screenshot is the configuration page for Attendee Views)
Step 1: Set up SSO/SAML support at the identity provider
- SAML Endpoint URL – Litmos will provide the URL to which the SAML assertion is sent:
  - Admin: https://sso.viewcentral.com/ServiceProvider/Admin.asmx/ReceiveAuthResponse?cid=<company_id>&pid=<product_id>
  - Attendee: https://sso.viewcentral.com/ServiceProvider/Attendee.asmx/ReceiveAuthResponse?cid=<company_id>&pid=<product_id>
Step 2: Enable and configure SSO/SAML in your LTO account
You will need to access the single sign-on configuration screens and configure the settings as needed for Admin and Attendee Views.
The configuration screen consists of 2 tabs: one for configuring SSO for the Admin view, and one for configuring SSO for the Attendee views.
To configure SAML for the Attendee Views:
- Select the option Enable Attendee SSO.
- Enter the Issuer information in the field provided. The Issuer is a unique identifier for the identity provider, in the form of a URL; it is also referred to as an entity ID.
- As needed, check the option box for Disable VC login Attendee View. When this option is selected, attendees will log in through the identity provider’s interface.
- As needed, enter the information for the login screens: Start Page, Login Page, Logout Page, and Logout Success Page.
- As needed, enter the URL for the Custom Error URL in the field provided.
- Upload the Identity Provider Certificate. The certificate file must have a .cer extension.
  - Click Browse to open a file selection window.
  - Locate the certificate on your local machine and select it.
  - Click Open. The file will be uploaded when you save the record.
- Save.
Attendee View SAML Notes
Once SSO/SAML is enabled for the Attendee view, the following attendee view login and password options are impacted:
- Attendee user account and password settings – these settings will no longer be in effect. For example, user lockout and password expiration settings will no longer be in effect. The identity provider will assume responsibility for managing the user’s identity.
- LTO XML SSO support is disabled when SAML SSO is used.
- Attendee login setting – When SSO/SAML is enabled, the option “Provide an optional login screen for attendees” will no longer be supported. SSO/SAML cannot be enabled for the attendee view if the “Remember Login and Password” and “Login is optional” options are selected in the attendee view login settings.
SSO SAML Settings
| Setting | Description | Required |
| --- | --- | --- |
| Issuer | Unique identifier (in the form of a URL and is also referred to as an entity ID) for the identity provider. | Yes |
| SAML User ID Type | Options: Assertion contains the Federation ID from the User object (Not supported at this time). | Yes |
| SAML User ID Location | Options: User ID is in an Attribute element (Not supported at this time). | Yes. Default = Assertion contains User’s LTO username |
| SAML Binding Type | The transmission method used by the identity provider. Note: there are 3 options (HTTPPost, HTTPRedirect, or HTTPArtifact); HTTPPost is the only transmission method supported at this time. | Yes |
| Disable VC login | User is not allowed to log in using the LTO login page. Note: When this option is selected, only the VC super user and System Administrators can log in from the LTO login page. | No. Default = Y (option selected) |
| Start Page | The start page is the page the user attempted to access before they were authenticated. Admin view: Attendee view: http://<server>.viewcentral.com/events/cust/default.aspx?cid=<company ID>&pid=<product ID> | Yes |
| Login Page | The single sign-on start page where LTO sends a SAML request to start the login sequence. | Yes |
| Logout Page | The URL to direct the user to when they click the Logout link in LTO. This is also the page the user is redirected to when the user’s session expires. | Yes |
| Custom Error URL | The URL to a custom error page if there is an error during the SAML login to LTO. | No. If a URL is not specified, the user will be directed to the LTO login error page. |
| Identity Provider Certificate | Identity provider’s authentication certificate is uploaded to LTO. The certificate file must have a .cer extension. | Yes |
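
The following is an added example, not Litmos code: a pre-flight check that an identity-provider administrator could run on the base64 `SAMLResponse` form value their IdP produces, comparing it with the settings above (Issuer, SAML Endpoint URL, HTTPPost binding). The issuer URL, the `cid`/`pid` values and the use of `Subject/NameID` for the username are assumptions; the signature is checked for presence only and is not verified against the uploaded certificate.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def preflight(saml_response_b64, issuer, endpoint):
    """List mismatches between a POSTed SAMLResponse and the SSO settings."""
    xml = base64.b64decode(saml_response_b64)  # HTTPPost binding: plain base64
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD present: refusing to parse"]
    root = ET.fromstring(xml)
    problems = []
    if root.get("Destination") != endpoint:
        problems.append("Destination differs from the SAML Endpoint URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if (assertion.findtext("a:Issuer", "", NS) or "").strip() != issuer:
        problems.append("Issuer differs from the configured Issuer")
    # Assumption: the username travels in Subject/NameID, because the page
    # lists the Attribute-element location as not supported.
    if not (assertion.findtext("a:Subject/a:NameID", "", NS) or "").strip():
        problems.append("no Subject/NameID carrying the username")
    # Presence only: verifying the signature against the uploaded certificate
    # needs an XML-DSig library and is not attempted here.
    if all(e.find("ds:Signature", NS) is None for e in (root, assertion)):
        problems.append("neither Response nor Assertion is signed")
    return problems

def sample(issuer, endpoint, name_id, signed=True):
    """Constructed test message; the Signature element is an empty placeholder."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    doc = ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="%s">'
           '<a:Assertion><a:Issuer>%s</a:Issuer>%s'
           '<a:Subject><a:NameID>%s</a:NameID></a:Subject>'
           '</a:Assertion></p:Response>'
           % (NS["p"], NS["a"], escape(endpoint), escape(issuer), sig,
              escape(name_id)))
    return base64.b64encode(doc.encode()).decode()

# Constructed values: EXAMPLE and 1 stand in for <company_id> and <product_id>.
ENDPOINT = ("https://sso.viewcentral.com/ServiceProvider/Attendee.asmx/"
            "ReceiveAuthResponse?cid=EXAMPLE&pid=1")
ISSUER = "https://idp.example.com/metadata"

if __name__ == "__main__":
    print(preflight(sample(ISSUER, ENDPOINT, "jdoe"), ISSUER, ENDPOINT))
```

An empty list means the message is consistent with the configured settings; each string in a non-empty list names one setting to recheck on the identity provider.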