Setting Up SAML Single Sign-On (SSO) for LMS3 Using Microsoft Entra ID


Introduction
This article provides a step-by-step guide on how to set up SAML Single Sign-On (SSO) for LMS3 using Microsoft Entra ID (formerly Azure AD). The process involves configuring SSO on both the Microsoft Entra ID portal and the LMS3 admin panel. This setup allows users to log in to LMS3 using their Microsoft Entra ID credentials, enhancing security and user experience.

Prerequisites
  • A Microsoft Entra ID account.
  • Access to the LMS3 admin panel.
  • Basic understanding of SAML and SSO concepts.

Step 1: Set Up SSO Project on Microsoft Entra ID


1. Create a New Application in Microsoft Entra ID
  • Navigate to Microsoft Entra ID > Enterprise Applications.
  • Click on + New Application > + Create your own application.
  • Provide a name for your application (e.g., `scandlearn-sso`) and select the Non-gallery option.


2. Configure Single Sign-On
  • Go to the created application and click on Set up single sign-on.
  • Choose the SAML option.

3. Update Basic SAML Configuration
  • In the Basic SAML Configuration section, enter the following temporary URLs:
      • Identifier (Entity ID): `https://app.scandlearn.net/sso/temp/metadata`
      • Reply URL: `https://app.scandlearn.net/sso/temp/acs`
  • These URLs will be updated later with actual values from LMS3.


4. Edit Attributes & Claims
  • Add the following claims:
      • email: `user.mail`
      • principalname: `user.userprincipalname`
      • name: `user.displayname`

5. Download SAML Certificate
  • Scroll down to the SAML Certificates section and download the Certificate (Base64). This certificate will be used in the LMS3 admin panel.


6. Copy Login URL, Entra Identifier, and Logout URL
  • From the Set up {app-name} section, copy the Login URL, Microsoft Entra Identifier, and Logout URL. These values will be needed in the LMS3 admin panel.

Step 2: Configure SSO in LMS3 Admin Panel


1. Retrieve Identity Provider Credentials
  • Go to the LMS3 admin panel at `https://app.scandlearn.net/admin/configure/sso/saml`.
  • Retrieve the following parameters from Microsoft Entra ID:
      • Login URL
      • Microsoft Entra Identifier
      • Logout URL
      • Certificate (Base64) (downloaded earlier)


2. Fill Out the Form in LMS3 Admin Panel
  • Enter the retrieved parameters into the LMS3 admin panel form.
  • Once the form is successfully saved, LMS3 will generate the actual URLs for the Identifier (Entity ID), Reply URL, Sign on URL, and Logout URL.


3. Update Basic SAML Configuration in Microsoft Entra ID
  • Return to the Basic SAML Configuration section in Microsoft Entra ID.
  • Replace the temporary URLs with the actual URLs generated by LMS3.

4. Assign Users to the SSO Application
  • In Microsoft Entra ID, navigate to Users and Groups.
  • Assign users to the newly created SSO application.





Step 3: Test the SSO Configuration


1. Login as an Assigned User
  • Go to `https://myapps.microsoft.com/` and click on the SSO application.
  • The user should be redirected to LMS3 and logged in automatically using their Microsoft Entra ID credentials.


2. Troubleshooting
  • If login fails, re-download the Certificate (Base64) from Microsoft Entra ID and update it in the LMS3 admin panel.
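Added example (not part of LMS3 or Microsoft Entra ID): if login still fails after the certificate is refreshed, a small Python check can compare a decoded SAML response (the `SAMLResponse` form field, base64-decoded) against the values configured in this guide: Reply URL, Identifier (Entity ID), and the three claims. The `lms.example` URLs, the sample response, and the function name `check_response` are constructed for illustration, and matching claim names on their last path segment is an assumption about how the names may be emitted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = {"email", "principalname", "name"}  # claim names from step 4

# Constructed values: placeholders for the URLs LMS3 generates after the form is saved.
ENTITY_ID = "https://lms.example/sso/PLACEHOLDER/metadata"
REPLY_URL = "https://lms.example/sso/PLACEHOLDER/acs"
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed, unsigned sample response; the email claim is deliberately absent.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{REPLY_URL}"><saml:Assertion>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM_NS}principalname">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name">
      <saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""


def check_response(xml_text, entity_id, reply_url):
    """Return configuration problems found in a decoded SAML response."""
    root = ET.fromstring(xml_text)
    problems = []
    if "/sso/temp/" in entity_id or "/sso/temp/" in reply_url:
        problems.append("temporary URL from step 1 is still configured")
    if root.get("Destination") != reply_url:
        problems.append("Destination does not match the Reply URL")
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    if entity_id not in audiences:
        problems.append("Audience does not match the Identifier (Entity ID)")
    present = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:  # compare on the last path segment so namespaced names match too
            present.add(attr.get("Name", "").rsplit("/", 1)[-1])
    problems += [f"claim missing or empty: {c}" for c in sorted(REQUIRED_CLAIMS - present)]
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE, ENTITY_ID, REPLY_URL):
        print(problem)
```

The check does not verify the response signature, so it is a configuration check only. Run it on a response captured from your own test login.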


Additional Notes
  • Ensure that you've configured SSO in the LMS3 admin panel before attempting to log in.
  • If you've not configured SSO, an error message will be displayed, and the user trying to log in will not be able to proceed with SSO login.

Conclusion
By following these steps, you can successfully set up SAML SSO for LMS3 using Microsoft Entra ID. This integration simplifies the login process for users and enhances security by leveraging Microsoft Entra ID's robust authentication mechanisms.