To configure the SSO integration of Litmos with Azure Active Directory (AD), you need to create an application.
To create an application, perform the following steps:
1. In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
2. Navigate to Enterprise applications, then go to All applications.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Litmos, select Litmos from the result panel, then click the Add button to add the application.
Configure Azure AD Single Sign-On
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Litmos application.
To configure Azure AD single sign-on with Litmos, perform the following steps:
1. In the Azure portal, on the Litmos application integration page, click Single sign-on.
2. On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
3. Under the Basic SAML Configuration section, perform the following steps:
   a. In the Identifier textbox, type a URL using the following pattern: https://<companyname>.litmos.com/integration/splogin
   b. In the Reply URL textbox, type a URL using the following pattern: https://<companyname>.litmos.com/integration/splogin
   Note – If you are on the AU or EU instance of Litmos, update the URLs accordingly: AU – litmos.com.au / EU – litmoseu.com
   Ensure that the Default box is checked for both the Identifier and the Reply URL.
4. As part of the configuration, you need to customize the SAML token attributes for your Litmos application. Select the edit icon to display the ‘User Attributes & Claims’ values. We recommend that you remove the default claims (except user.userprincipalname) and re-create the following (attributes are case-sensitive):

   | Attribute Name | Attribute Value |
   | --- | --- |
   | FirstName | user.givenname |
   | LastName | user.surname |
   | | user.mail |

   When creating each claim, leave the ‘Namespace’ value blank.
5. In the SAML Signing Certificate section, download the metadata XML file and then save the file on your computer.
6. In a different browser window, sign in to your Litmos company site as an account owner.
7. In the navigation bar on the left side, click Accounts. If your menu bar is not on the left-hand side, click your initials (the icon located at the top right corner) to open the drop-down menu and select Account Settings.
8. Click the Integrations tab and then click the SAML 2.0 tab.
9. Open your metadata XML file in Notepad, copy its contents to your clipboard, and then paste them into the SAML Metadata field.
   Important! Exclude the first line of the metadata, as Litmos gives an error if it is included: <?xml version="1.0" encoding="UTF-8"?>
   Important! Make sure “Verify assertion signatures and encryption” is unchecked. This is not supported by Azure because Azure uses self-signed certificates.
Assign this application to yourself in the Azure portal and test single sign-on.
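Step 9 asks you to drop the XML declaration by hand before pasting the federation metadata. The following script, added here as an illustration and not part of Litmos or Azure tooling, strips that line and checks that what remains is identity-provider metadata with a signing certificate and an SSO endpoint, so a truncated copy or the wrong file is caught before it reaches the SAML Metadata field. The embedded metadata is a constructed sample with placeholder tenant id and certificate, shaped like the real download.

```python
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata namespaces used by the Azure AD federation metadata file.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>\s*")

# Constructed sample shaped like the downloaded federation metadata; the tenant id
# and certificate body are placeholders, not values from a real Azure AD tenant.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def strip_xml_declaration(metadata: str) -> str:
    """Drop the leading <?xml ...?> line, which Litmos rejects in the SAML Metadata field."""
    return XML_DECL.sub("", metadata, count=1)

def check_idp_metadata(metadata: str) -> dict:
    """Confirm the text is identity-provider metadata and return the values worth
    eyeballing before pasting: IdP entityID, SSO endpoint and signing-cert count."""
    root = ET.fromstring(metadata)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    if not certs or sso is None:
        raise ValueError("metadata lacks a signing certificate or an SSO endpoint")
    return {"entity_id": root.get("entityID"), "sso_location": sso.get("Location"),
            "signing_certs": len(certs)}

def prepare_for_litmos(metadata: str) -> str:
    """Return the declaration-free text to paste, after validating it."""
    cleaned = strip_xml_declaration(metadata)
    check_idp_metadata(cleaned)
    return cleaned
```

Run `prepare_for_litmos` on the downloaded file's text and paste its return value; the entityID and SSO location it reports should match the tenant you expect.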
Deep Linking to a Course
Deep linking provides a method for efficiently directing a user to a specific page in Litmos Training rather than sending them to the home page. This is typically done for courses and learning paths. To use this functionality, you append a RelayState parameter to the user access URL of the enterprise application configured in Microsoft Azure. The deep link is constructed as follows:
https://myapps.microsoft.com/signin/{Application ID}?tenantId={Tenant ID}&RelayState=https://{Domain}.litmos.com/course/{CourseID}
The first part of the deep link URL, up to and including the tenantId parameter, is found in Microsoft Azure. The RelayState parameter information comes from Litmos Training.
In Microsoft Azure, navigate to the Properties page for your enterprise application and locate the User access URL field. The value in this field is the first half of the deep link.
In Litmos Training, navigate to the desired page in the application, copy the URL from the browser window, and append it as the RelayState parameter value.
To get the link for a specific course, you can also navigate from the administrator view to Content, locate the course, and view the course settings. Copy the value in the Direct link to this course field and append it as the RelayState parameter value.
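The following builder, added here as an example and not code from Litmos or Microsoft, assembles the deep link from the Azure User access URL and a Litmos page URL, and refuses any RelayState that is not an https URL on the company's own Litmos host (including the AU and EU hosts from the SAML configuration note), so a published link cannot quietly send users elsewhere after sign-in. The application and tenant ids are placeholders; percent-encoding of `?`, `&` and `=` inside the target is an assumption about how myapps parses the query string, and plain course links come out exactly as shown above.

```python
from urllib.parse import quote, urlsplit

# Litmos regional hosts from the SAML configuration note (US default, AU and EU instances).
LITMOS_HOSTS = {"US": "litmos.com", "AU": "litmos.com.au", "EU": "litmoseu.com"}

def litmos_company_host(company: str, region: str = "US") -> str:
    """Host of a company's Litmos site, e.g. acme.litmos.com.au for the AU instance."""
    return f"{company}.{LITMOS_HOSTS[region]}"

def validate_relay_state(target: str, company: str, region: str = "US") -> str:
    """Accept only https URLs on the company's own Litmos host. The host comparison is
    exact, so look-alike hosts such as acme.litmos.com.evil.example are rejected too."""
    parts = urlsplit(target)
    if parts.scheme != "https":
        raise ValueError("RelayState must be an https URL")
    if parts.hostname != litmos_company_host(company, region):
        raise ValueError(f"RelayState host {parts.hostname!r} is not the company Litmos host")
    return target

def build_deep_link(user_access_url: str, target: str, company: str, region: str = "US") -> str:
    """Append the validated target as the RelayState parameter of the Azure User access URL
    (the Properties > User access URL value, which already carries ?tenantId=...)."""
    validate_relay_state(target, company, region)
    sep = "&" if "?" in user_access_url else "?"
    # Encode '?', '&' and '=' inside the target so they cannot be read as myapps parameters;
    # ':' and '/' are left alone so ordinary course links match the documented pattern.
    return f"{user_access_url}{sep}RelayState={quote(target, safe=':/')}"

def course_deep_link(user_access_url: str, company: str, course_id: str, region: str = "US") -> str:
    """Deep link straight to a course, using the /course/{CourseID} path from the pattern above."""
    target = f"https://{litmos_company_host(company, region)}/course/{course_id}"
    return build_deep_link(user_access_url, target, company, region)

if __name__ == "__main__":
    # Placeholder ids: substitute the real User access URL copied from the Azure portal.
    ua = "https://myapps.microsoft.com/signin/APP-ID-PLACEHOLDER?tenantId=TENANT-ID-PLACEHOLDER"
    print(course_deep_link(ua, "acme", "12345"))
```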
Determine How Users Sign Into Litmos
You can determine how users can sign into Litmos: allow users to log in with a username/password and provide a link to the ‘User access URL’ on the login page, OR automatically sign in users via the ‘User access URL’:
Method 1: Allow users to log in with a username/password and provide a link to the User access URL on the login page
Whilst in the application you created in Azure AD, obtain the ‘User access URL’:
- Under Manage, select Properties.
- Copy the ‘User access URL’ by selecting the blue copy icon (the URL should look like this: https://myapps.microsoft.com/signin/xxxxxx).
In Litmos, sign in as an Account Owner:
- Go to “Account settings”.
- Select “Messages & Settings”, and add your desired HTML code to the “Login” box. A template is shown below:
  To login via Azure AD account, <a href="User access URL">Click HERE</a>
- Scroll to the bottom of the page and click “Save” to apply your changes.
- The next time you log out of your Litmos account, you will see the message appear in the login box.
In order to use this method, you will need to ensure you have uploaded your company logo via Settings > Theme. If you are using the default Litmos logo, the code will not appear on the login page.
Method 2: Automatically sign in users via the “User access URL”
Users will not be able to sign in with a username/password via this method. The user will need to exist in Litmos and be added as a user in the app you created in Azure AD.
Please let Litmos Support know your ‘User access URL’ and we will apply the re-direct for you. The ‘User access URL’ can be found in the application you created in Azure AD:
- Under Manage, select Properties.
- Copy the ‘User access URL’ by selecting the blue copy icon (the URL should look like this: https://myapps.microsoft.com/signin/xxxxxx).
Note: If you use Method 2, you will not be able to utilize the ‘Sign Out’ option, as signing out will re-direct you back to your Azure User Access URL (thus signing the user back in). If you want users to be able to sign out of Litmos, please utilize Method 1.
Provision Azure AD User access
You will need to assign access to users in Azure AD before they can access Litmos via single sign-on.
- On the ‘Single Sign On’ page for the application, select ‘Users and Groups’, then add individuals or groups via the ‘Add users’ button to assign access to the app via SSO. If a user does not appear here, that user will not be able to log in via SSO.