Through the Litmos SAML 2.0 integration, organizations using SAP’s Identity Authentication Service can authenticate into Litmos with an IdP-initiated flow.
Here are the steps for configuring the SAP Identity Authentication Service to use SAML with Litmos. Note that this article does not cover user management or access to the application or identity tenant; those questions are answered in the SAP Help Portal.
You will need administrative access to the SAP Identity Management application as well as Account Owner access within the Litmos application to proceed with these steps.
Start with two windows, one for the SAP Identity Authentication Service and the second for the Litmos application. You will need to switch between the two a couple of times during this process.
The first step is to create a new application in the SAP Identity Authentication Service for the Litmos Service Provider via “Application & Settings” > “Applications” > “+ Add”. The name can be anything you like and can be changed at any time.
Next, verify that the “Type” is listed as “SAML 2.0” and open the “SAML 2.0 Configuration” menu:
In your Litmos window, open “Account Settings” > “Integrations” > “SAML 2.0” and copy your SAML Endpoint. You will use this value for both the “Name” and “Assertion Consumer Service Endpoint” fields on the “SAML 2.0 Configuration” page within the Identity Management app.
Next, scroll to the bottom of that same page, set the “Algorithm” drop-down to “SHA-256” and save.
You will then be returned to the application menu, where you can select “Subject Name Identifier” to choose the value that will be passed as the NameID. We recommend using the email address, but any string that meets our username requirements is supported.
Upon saving, you can map your assertion attribute values by selecting “Assertion Attributes” and adding the supported fields described in the SAML 2.0 Single Sign On (SSO) with any Identity Provider (IdP) section of this document. The screenshot and list below show the minimum required fields. Make sure the case matches exactly; the assertion will fail if there are any discrepancies.
FirstName
LastName
Email
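Because attribute names are matched case-sensitively, it helps to check a captured assertion before opening a support ticket. The following is an added example (not Litmos or SAP code) that parses a SAML assertion, confirms a NameID is present, and reports any required attribute that is missing or differs only in case. The sample assertion is constructed for illustration; the attribute names FirstName, LastName and Email are the ones listed above.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names Litmos expects in the assertion; matching is case sensitive.
REQUIRED_ATTRIBUTES = ("FirstName", "LastName", "Email")

# Constructed sample assertion (not captured from a real IdP); the signature is omitted.
# Note the deliberate "email" attribute, which does not match the required "Email".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://example-tenant.accounts.ondemand.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion_attributes(assertion_xml, required=REQUIRED_ATTRIBUTES):
    """Return a list of problems found in the assertion's NameID and attribute names.

    An empty list means every required attribute is present with exact case
    and a non-empty value, and a NameID is present.
    """
    root = ET.fromstring(assertion_xml)
    problems = []

    name_id = root.find(f".//{{{SAML_NS}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")

    # Collect attribute names exactly as sent (no case folding).
    present = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        value = attr.findtext(f"{{{SAML_NS}}}AttributeValue") or ""
        present[name] = value.strip()

    for wanted in required:
        if wanted in present:
            if not present[wanted]:
                problems.append(f"attribute {wanted} is present but empty")
            continue
        # Point out near misses so the case error is obvious in the report.
        near = [n for n in present if n.lower() == wanted.lower()]
        if near:
            problems.append(f"attribute {wanted} missing; found {near[0]} (case mismatch)")
        else:
            problems.append(f"attribute {wanted} missing")
    return problems


if __name__ == "__main__":
    for problem in check_assertion_attributes(SAMPLE_ASSERTION):
        print(problem)
```

Run against the sample, it reports that Email is missing and that the IdP sent "email" instead, which is exactly the discrepancy that makes the login fail.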
The final part of this configuration requires you to download the IdP metadata from the SAP Identity Authentication Service and insert it into your Litmos instance. You can find the metadata on the “Applications & Resources” > “Tenant Settings” > “SAML 2.0 Configuration” page. While you are there, also enable “IdP-Initiated SSO”, since it is required for this integration to function and is easy to forget later.
Once downloaded, open the XML file in a plain text editor (such as Notepad on Windows) so that no formatting is copied. Copy all of the text except the first tag, “<?xml version="1.0" encoding="UTF-8"?>”, and paste it into the “SAML 2.0” tile in your Litmos Account Settings. Saving that text enables the integration.
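Stripping the declaration by hand is error-prone, and pasting SP metadata (or metadata without a signing certificate) by mistake is a common cause of a silently broken integration. The following is an added example (not Litmos or SAP code) that checks a downloaded file is IdP metadata with a signing certificate and a SingleSignOnService endpoint, then returns the text with the leading XML declaration removed, ready to paste. The sample metadata is constructed for illustration and the certificate content is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Matches a leading <?xml ...?> declaration and any whitespace after it.
XML_DECLARATION = re.compile(r"^\s*<\?xml[^>]*\?>\s*", re.IGNORECASE)

# Constructed sample IdP metadata (not a real tenant); the certificate is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example-tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def strip_xml_declaration(text):
    """Remove a leading <?xml ...?> declaration, returning the rest unchanged."""
    return XML_DECLARATION.sub("", text, count=1)


def check_idp_metadata(text):
    """Return a list of problems that would stop the file from working as IdP metadata."""
    root = ET.fromstring(text)
    problems = []
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
        return problems
    if not root.get("entityID"):
        problems.append("entityID attribute missing")

    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor (this looks like SP metadata, not IdP metadata)")
        return problems

    # A KeyDescriptor with no "use" attribute covers both signing and encryption.
    signing = [k for k in idp.findall(f"{{{MD_NS}}}KeyDescriptor") if k.get("use") in (None, "signing")]
    if not any(k.find(f".//{{{DS_NS}}}X509Certificate") is not None for k in signing):
        problems.append("no signing certificate in IDPSSODescriptor")
    if idp.find(f"{{{MD_NS}}}SingleSignOnService") is None:
        problems.append("no SingleSignOnService endpoint")
    return problems


def prepare_for_paste(text):
    """Validate IdP metadata, then return the text to paste into Litmos (declaration removed)."""
    problems = check_idp_metadata(text)
    if problems:
        raise ValueError("; ".join(problems))
    return strip_xml_declaration(text)


if __name__ == "__main__":
    print(prepare_for_paste(SAMPLE_METADATA))
```

To use it on a real download, read the file as text and pass its contents to prepare_for_paste; the returned string starts at the EntityDescriptor element, which is what the Litmos tile expects.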
To test your SSO, format the login URL as follows:
https://**YOUR IDP URL**.com/saml2/idp/sso?sp=https://**YourDomain**.litmos.com/integration/splogin
Ensure that you have either enabled “Autogenerate Users” or are signing in as a user who already has an active profile in Litmos.
Deep Links
Deep linking is possible using the following format. Replace the placeholder values with your IdP-initiated sign-in URL and append the desired target URL as RelayState. Note that RelayState is case sensitive and will not work if the case is incorrect:
https://**YOUR IDP URL**.com/saml2/idp/sso?sp=https://**YourDomain**.litmos.com/integration/splogin&RelayState=https://**YourDomain**.litmos.com/**Destination**
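The sign-in and deep-link URLs above are shown with their placeholders unencoded. The following is an added example (not Litmos or SAP code) that builds both URLs from your own values, percent-encodes the sp and RelayState query values so the embedded “:” and “/” characters survive any intermediate handling, and reads the RelayState back to confirm it round-trips. The host names idp.example.com and acme are constructed placeholders for your IdP URL and Litmos domain.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def build_idp_initiated_url(idp_host, litmos_domain, destination=None):
    """Build the IdP-initiated sign-in URL, optionally with a RelayState deep link.

    idp_host       your IdP host, e.g. the **YOUR IDP URL**.com value from the article
    litmos_domain  the **YourDomain** part of https://**YourDomain**.litmos.com
    destination    optional path within Litmos to land on after sign-in
    """
    sp = f"https://{litmos_domain}.litmos.com/integration/splogin"
    params = {"sp": sp}
    if destination:
        # RelayState is case sensitive; the parameter name must be spelled exactly so.
        params["RelayState"] = f"https://{litmos_domain}.litmos.com/{destination.lstrip('/')}"
    # urlencode percent-encodes ":" and "/" inside the values, which the IdP decodes on receipt.
    return f"https://{idp_host}/saml2/idp/sso?" + urlencode(params)


def relay_state_of(url):
    """Read back the decoded RelayState value from a built URL (None if absent)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("RelayState", [None])[0]


if __name__ == "__main__":
    print(build_idp_initiated_url("idp.example.com", "acme"))
    print(build_idp_initiated_url("idp.example.com", "acme", "course/123"))
```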