Requirements and Overview
These are the requirements for using the OneLogin/Emtrain SSO integration:
- Active Emtrain account
- The account’s API Key (obtain this by navigating to the Site Config area of the Manage Tools and choosing the Integration tab).
- Active OneLogin account
- Any user who will be signing into Emtrain via OneLogin must have an email address
- Email addresses must be unique per user
- The user must have the Emtrain SSO app assigned/available to them in OneLogin
The SSO integration uses the SAML 2.0 protocol. Setting it up consists of creating a custom SAML connector in OneLogin, then entering the SAML endpoint and X.509 certificate generated for that connector into the SSO configuration form on the Emtrain account.
Completing the SSO integration disables username/password-based authentication on the Emtrain account.
Emtrain uses the email address in the SAML assertion to match the learner to their corresponding Emtrain user.
Creating the Custom SAML Connector
- In the Administration section of your OneLogin account, click the Applications menu in the top nav bar, then select Applications.
- Click the Add App button.
- In the Find Applications section, search for SAML Test Connector. Click on the SAML Test Connector (Advanced) item to start creating the SSO application.
- Enter Emtrain in the Display Name field. This is the name that is displayed in your learners’ OneLogin portal.
- Upload the attached logo file(s) for the Rectangular Icon and/or Square Icon.
- Click the Save button.
Configuration
In the Configuration section, enter the following URLs into the corresponding text fields. To create the URLs for your account using the examples below, replace the “example” subdomain with your account’s subdomain in all 4 example URLs. Additionally, replace the example API_KEY value (shown as all zeros here) in the ACS URL and ACS URL Validator with your account’s API key.
- ACS (Consumer) URL: https://example.ai-api.emtrain.com/authentication/saml?API_KEY=00000000000000000000000000000000
- ACS (Consumer) URL Validator*: ^https:\/\/example\.ai\-api\.emtrain\.com\/authentication\/saml\?API\_KEY\=00000000000000000000000000000000$
- RelayState: https://example.app.emtrain.com/saml
- Audience (EntityID): https://example.app.emtrain.com
Leave all other settings in this section set to the default values or blank.
* For more information on the ACS (Consumer) URL Validator, refer to this OneLogin support article: https://onelogin.service-now.com/support?id=kb_article&sys_id=c89fefdadb2310503de43e043996195a&kb_category=93e869b0db185340d5505eea4b961934
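The substitution described above can be scripted. This is an added example, not Emtrain or OneLogin code: it builds the four values for a subdomain and API key, escapes the validator in the same style as the example above, and shows why the anchors and escapes matter. The function names, the sample key, the `.invalid` URLs and the use of regex search semantics are assumptions made for illustration.

```python
import re

ACS_TEMPLATE = "https://{sub}.ai-api.emtrain.com/authentication/saml?API_KEY={key}"

def escape_like_page(url: str) -> str:
    """Backslash-escape everything except letters, digits and ':' (the page's style)."""
    return re.sub(r"[^0-9A-Za-z:]", lambda m: "\\" + m.group(0), url)

def build_config(subdomain: str, api_key: str) -> dict:
    """Return the four Configuration values for one account."""
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", subdomain):
        raise ValueError("subdomain must be a single lowercase DNS label")
    if not re.fullmatch(r"[0-9A-Za-z]+", api_key):  # assumption: alphanumeric key
        raise ValueError("API key contains unexpected characters")
    acs = ACS_TEMPLATE.format(sub=subdomain, key=api_key)
    return {
        "acs_url": acs,
        "acs_url_validator": "^" + escape_like_page(acs) + "$",
        "relay_state": f"https://{subdomain}.app.emtrain.com/saml",
        "audience": f"https://{subdomain}.app.emtrain.com",
    }

def validator_accepts(validator: str, url: str) -> bool:
    """True if the pattern matches anywhere in url; anchoring is the pattern's job."""
    return re.search(validator, url) is not None

SAMPLE_KEY = "0123456789abcdef0123456789abcdef"  # constructed, not a real key
CFG = build_config("example", SAMPLE_KEY)
ACS = CFG["acs_url"]
STRICT = CFG["acs_url_validator"]
LOOSE = "https://example.ai-api.emtrain.com/authentication/saml"  # no anchors, no escapes
UNESCAPED = "^" + ACS + "$"  # anchored, but '.' and '?' are still metacharacters

# Constructed URLs that differ from the real ACS URL and must be rejected.
LOOKALIKES = [
    ACS + "&next=https://other.invalid/",                # extra data after the key
    ACS.replace("example.ai-api", "exampleXai-api"),     # different host, '.' as wildcard
    "https://other.invalid/?u=" + ACS,                   # real URL embedded in another
]

if __name__ == "__main__":
    for name, value in CFG.items():
        print(f"{name}: {value}")
    print("strict accepts ACS:", validator_accepts(STRICT, ACS))
    print("unescaped accepts ACS:", validator_accepts(UNESCAPED, ACS))
    for url in LOOKALIKES:
        print(validator_accepts(STRICT, url), validator_accepts(LOOSE, url), url)
```

The unescaped pattern rejects the legitimate ACS URL because `saml?` is read as "sam" plus an optional "l", which is why the `?` before API_KEY must be escaped.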
Parameters
For the Parameters section, create the following 4 custom SAML fields. Note: The field names are case-sensitive. Make sure to use the capitalization shown below.
- Name: API_KEY
- Value: Select -Macro-, then paste your account’s API key into the text field.
- Include in SAML assertion: Yes
- Name: Email
- Value: Select Email from the list of available fields.
- Include in SAML assertion: Yes
- Name: FirstName
- Value: Select First Name from the list of available fields.
- Include in SAML assertion: Yes
- Name: LastName
- Value: Select Last Name from the list of available fields.
- Include in SAML assertion: Yes
- Click the + icon to create a new custom SAML field.
- In the New Field dialog box, enter the name of the SAML field in the Field Name field. Check the Include in SAML assertion checkbox. Click the Save button to create the field.
- In the Edit Field dialog box, click the Value menu, and select the corresponding value for the field. Note: The API_KEY field will require you to enter your account’s API key in a second text field after selecting the -Macro- option. The other 3 custom SAML fields are standard OneLogin user fields.
- When completed, the Parameters section should appear as shown below. Click the Save button.
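Because the field names are case-sensitive, a quick check of a decoded assertion from a test login catches a miscapitalized or missing field before users hit it. This is an added example, not Emtrain or OneLogin code: the function name and the sample assertion are constructed for illustration, and the check covers attribute names and values only, not the signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("API_KEY", "Email", "FirstName", "LastName")  # exact names from the page

def check_attributes(assertion_xml: str) -> dict:
    """Report which required attributes are present, miscased, empty or missing."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        text = value.text if value is not None and value.text else ""
        found[attr.get("Name")] = text.strip()
    by_lower = {name.lower(): name for name in found}
    report = {"ok": [], "wrong_case": {}, "missing": [], "empty": []}
    for name in REQUIRED:
        if name in found:
            (report["ok"] if found[name] else report["empty"]).append(name)
        elif name.lower() in by_lower:
            # Present, but capitalized differently from what the page requires.
            report["wrong_case"][name] = by_lower[name.lower()]
        else:
            report["missing"].append(name)
    return report

# Constructed sample: "email" is miscapitalized and LastName is absent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="API_KEY">
      <saml:AttributeValue>0123456789abcdef0123456789abcdef</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>pat@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Pat</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for category, names in check_attributes(SAMPLE_ASSERTION).items():
        print(f"{category}: {names}")
```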
SSO
The SSO section of your SAML Custom Connector contains some information that you or your Emtrain account administrator will need to enable SSO on the Emtrain account.
- Copy the SAML 2.0 endpoint (HTTP) URL.
- Copy the X.509 Certificate by clicking the View Details link beneath the X.509 certificate section and clicking the Copy to Clipboard button located next to the certificate.
Enabling SSO in your Emtrain account
Log in to your Emtrain AI account as your Account Administrator user. In the Manage section, click the Site Config button in the left sidebar.
Note: Completing the steps described below will disable Username/Password authentication on your Emtrain AI account.
- Select the Integrations tab.
- In the Single Sign On (SSO) section, check the Enable SSO box, then select OneLogin as the SSO provider.
- Paste the contents of the certificate between the ---BEGIN CERTIFICATE---/---END CERTIFICATE--- lines in the Certificate text field. Note: Do not include the ---BEGIN CERTIFICATE---/---END CERTIFICATE--- lines in the Certificate text field!
- Paste the SAML 2.0 Endpoint value into the SSO Entry Point text field.
- Optionally, if you wish to redirect your users to a specific URL when they log out of Emtrain, enter that URL in the SSO Logout Redirect URL text field. If this field is left blank, users will be redirected to an Emtrain Logged Out page upon logging out.
- Click the Save button to finalize the integration.
Note that once the integration is saved, the Username/Password authentication will be disabled on the Emtrain account. For any User visiting your Emtrain account, the system will redirect them into the OneLogin SAML authentication flow instead of prompting the visitor to log in with their username and password.
Testing SSO
- In OneLogin, add the application to the test user(s).
- In Emtrain, create user(s) with the same email address as the test user(s). The email address is used as the identifier to match the email address on the SAML assertion to a user on the Emtrain account and must match in both platforms.
- The test user should test the application tile in their OneLogin portal and verify that they are logged in to Emtrain as their test user.
- The test user should open a new Incognito/private browsing session and visit the Emtrain account login URL. The user should be redirected to the SAML 2.0 Endpoint URL and prompted to log in to their OneLogin account. The login form should state Connecting to Emtrain above the Username text field.
- After logging into OneLogin, the user should be redirected to their Emtrain learner profile.