Requirements and Overview
These are the requirements for using the Centrify/Emtrain SSO integration:
- Active Emtrain account
- The Emtrain account’s API Key (obtain this by navigating to the Site Config area of the Manage Tools and choosing the Integration tab)
- Active Centrify account
- Any user who will be signing into Emtrain via Centrify must have an email address
- Email addresses must be unique per user
- The user must have the Emtrain SSO app assigned/available to them in Centrify
The SSO integration uses the SAML 2.0 protocol. Setup consists of creating a custom SAML web app in Centrify, then entering the Centrify Single Sign-On URL and X.509 certificate generated for that app into the SSO configuration form on the Emtrain account.
Completing the SSO integration disables username/password based authentication on the Emtrain account.
Emtrain uses the email address in the SAML assertion to match the learner to the corresponding Emtrain user.
Creating the Custom SAML Web Application
- In the Dashboard of your Centrify Admin Portal, click the Apps menu. Select the Web Apps option from the Apps menu.
- Click the Add Web Apps button.
- On the Add Web Apps dialogue, select the Custom tab. Find the SAML Template and click the Add button.
- Click Yes when asked "Do you want to add this application?".
Settings
- On the Settings page, enter "Emtrain" in the Name field.
- Enter a relevant description in the Description field.
- Upload the attached logo file for the Logo.
- Click the Save button.
Trust
Click the Trust link in the application sidebar to open the Trust configuration. On this page you will obtain some information needed to enable SSO on your Emtrain account.
Identity Provider
- In the Identity Provider section, select the Manual Configuration radio button.
- Copy the Single Sign-On URL.
- Download the SHA256 Tenant Signing Certificate.
Keep this information handy. You will need to use this information later when configuring your Emtrain account to use the SAML web application.
Service Provider Configuration
Before starting this step, construct the following account-specific URLs by replacing the code-formatted sections with the appropriate details from your Emtrain account:
SP entity ID/Issuer/Audience:
https://example.app.emtrain.com/home
Assertion Consumer Service (ACS) URL:
https://example.ai-api.emtrain.com/authentication/saml?API_KEY={your account API key}
Relay State:
https://example.app.emtrain.com/saml
- Scroll down to the Service Provider Configuration section and select the Manual Configuration radio button.
- Enter each of the URLs you constructed in the previous step into their corresponding field.
- For the Recipient field, leave the "Same as ACS URL" checkbox checked.
- Click the Save button.
SAML Response
Click the SAML Response link in the application sidebar to start creating the custom SAML attributes used in the SAML workflow.
Note: The attribute names are case-sensitive, so enter them as displayed in the steps shown below!
- Click the Add button.
- Create the API_KEY attribute. This attribute takes a static value - your Emtrain account API key - so simply paste that in the text field. Use all capital letters when entering the Attribute Name.
- Create attributes for the 3 fields, Email, FirstName, and LastName, and map the Attribute Values to the appropriate LoginUser field. Refer to the table below for the exact values.
- When you've created all 4 attributes, click the Save button.
SAML attribute reference
Attribute Name | Attribute Value
API_KEY | Your Emtrain account’s API key.
Email | LoginUser.Email: Select Email from the LoginUser dropdown menu
FirstName | LoginUser.FirstName: Select FirstName from the LoginUser dropdown menu
LastName | LoginUser.LastName: Select LastName from the LoginUser dropdown menu
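Because the attribute names are case-sensitive and the Audience and Recipient must match the URLs entered under Service Provider Configuration, a decoded SAML response captured during testing can be checked mechanically. The following is an added example, not Emtrain or Centrify code: the function name, the PLACEHOLDER API key and the trimmed, unsigned sample response are assumptions constructed for illustration, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("API_KEY", "Email", "FirstName", "LastName")  # exact, case-sensitive
AUDIENCE = "https://example.app.emtrain.com/home"
# PLACEHOLDER stands in for the account API key.
ACS_URL = "https://example.ai-api.emtrain.com/authentication/saml?API_KEY=PLACEHOLDER"

# Constructed sample (trimmed, unsigned) with one wrongly cased attribute name.
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="API_KEY"><saml:AttributeValue>PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>test.user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""


def check_assertion(xml_text, audience=AUDIENCE, acs_url=ACS_URL):
    """Return configuration problems in a decoded SAML response ([] = none).
    Inspection only: the XML signature is not verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    for want in REQUIRED:
        if want in names:
            continue
        # Same letters, different case: the attribute exists but is misnamed.
        near = [n for n in names if n and n.lower() == want.lower()]
        if near:
            problems.append(f"attribute {near[0]!r} must be named {want!r}")
        else:
            problems.append(f"attribute {want!r} is missing")
    audiences = [e.text for e in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience is {audiences}, expected {audience!r}")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient differs from the ACS URL")
    return problems
```

Run against the sample, the check reports the lower-case `email` attribute; with the name corrected it returns an empty list.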
Permissions
Click the Permissions link in the application sidebar to add the SAML web app you just created to your set of test users. This step is not necessary, but it helps prepare you for testing the application once your Emtrain account has been configured to use the SAML web app.
- Click the Add button.
- Select any users, groups, and/or roles that you plan to use for testing, then click the Add button.
Enabling the SSO in your Emtrain Account
Log in to your Emtrain account as your Account Administrator user. In the Manage section, click the Site Config button in the left sidebar.
Note: Completing the steps described below will disable Username/Password authentication on your Emtrain account. Once the integration is saved, visiting your Emtrain account will redirect the visitor into the Centrify SAML authentication flow instead of prompting the visitor to log in with their username and password.
- Select the Integrations tab.
- Check the box to Enable SSO. Select Centrify as the SSO provider.
- Paste the contents of the certificate that lie between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines into the Certificate text field. Note: Do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines themselves in the Certificate text field!
- Paste the Centrify Single Sign-On URL value into the SSO Entry Point text field.
- Click the Save button to finalize the integration.
Note that once you have saved the integration, Username/Password authentication is disabled on your Emtrain account. Visiting your Emtrain account will redirect the visitor into the Centrify SAML authentication flow instead of prompting the visitor to log in with their username and password.
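The Certificate field step above can be prepared with a small script rather than by hand, which avoids pasting stray characters or the wrong block. The following is an added example, not part of the Emtrain or Centrify tooling: the function names are hypothetical, and the sample input is a constructed stand-in rather than a real certificate. It returns the text between the BEGIN/END lines plus the SHA-256 fingerprint of the decoded data for your records.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certificate_field_value(pem_text):
    """Return (body, sha256_fingerprint) for a file holding one PEM certificate.

    body is the base64 text between the BEGIN/END lines, without those lines.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        raise ValueError("expected exactly one certificate in the file")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("unexpected text outside the BEGIN/END lines")
    body_lines = lines[1:-1]
    # validate=True rejects anything that is not base64, such as pasted spaces.
    der = base64.b64decode("".join(body_lines), validate=True)
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER-encoded certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return "\n".join(body_lines), fingerprint


def sample_pem():
    """Constructed stand-in, not a real certificate: 68 bytes that start with
    the DER SEQUENCE tag, wrapped in PEM armor like a downloaded file."""
    der = bytes([0x30, 0x42]) + bytes(range(66))
    b64 = base64.encodebytes(der).decode().strip()
    return f"{BEGIN}\n{b64}\n{END}\n", der


if __name__ == "__main__":
    pem, _ = sample_pem()
    body, fingerprint = certificate_field_value(pem)
    print(body)
    print("SHA-256 fingerprint:", fingerprint)
```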
Testing SSO
- In Centrify, assign the application to the test user(s) if you have not already done so.
- In Emtrain, create user(s) with the same email address as the test user(s). The email address is used as the identifier to match the email address on the SAML assertion to a user on the Emtrain account and must match in both platforms.
- The test user should test the application tile in their Centrify SSO portal and verify that they are logged in to Emtrain as their test user.
- The test user should open a new Incognito/Private browsing session and visit the Emtrain account home URL. The user should be redirected to the Centrify SSO URL and prompted to log in to their Centrify account.
- After logging into Centrify, the user should be redirected to the Emtrain Learner Environment.