Set up Single Sign-On (SSO) for Entra ID (formerly Azure Active Directory)

This document provides a step-by-step guide on configuring Entra ID for Single Sign-On (SSO) authentication using Security Assertion Markup Language (SAML).

Best Practices

  • Use a unique identifier (Entity ID) for each application. Entra ID rejects two applications that share an identifier, and a shared identifier would also let an assertion issued for one application be presented to another. Each Skillable application (Studio, TMS, Insights) has its own Entity ID below.

  • Verify the SAML configuration values. Make sure the values for the entity ID, reply URL, sign on URL, and logout URL match exactly, character for character, the ones provided by Skillable and Entra ID. Skillable validates the Audience (entity ID) and Recipient (reply URL) of every assertion it receives, so any mismatch will cause authentication errors or unexpected behavior.

  • Test the SSO functionality before deploying it to production. Use a test account or a test environment to verify that the SSO works as expected and that the user attributes and claims are mapped correctly.

  • Keep the Entra ID and Skillable accounts in sync. If there are any changes to the user accounts, such as adding, deleting, or updating users, make sure to reflect them in both Entra ID and Skillable. This will ensure a consistent and seamless user experience.

Set Up Single Sign On (SSO) for Entra ID

SAML is an open standard in which an Identity Provider (IdP) sends a signed authentication assertion about a user to a Service Provider (SP), so the SP can authenticate the user without ever handling the user's credentials. This allows one set of credentials to be used to log in to multiple services and/or websites. In this configuration Entra ID is the IdP and Skillable is the SP.

Skillable supports Microsoft Entra ID, Google Account OAuth and Microsoft Accounts. Upon request and additional configuration, Skillable can support other SAML 2.0 and OpenID Connect identity providers. Skillable does not support Service Provider-initiated logins; sign-in is started from the identity provider (IdP-initiated), which posts the SAML response to the Reply URL listed below.

Skillable Support Required for Configuration

All values in braces ({Customer}, {TMS-Site}, {Tenant ID}) in the sections below are custom and will be determined after engaging our Support team. The steps in this document cannot be completed without the assistance of Skillable Support staff; the information here is provided to set expectations about the pieces of information that will be needed to establish a Single Sign-On setup for your organization.

Skillable Studio

Unique Identifier (Entity ID)
  Description: This value must be unique across all applications in your Entra ID tenant. It is the Audience that Skillable expects in every assertion.
  Value: https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD

Reply URL (Assertion Consumer Service URL)
  Description: The reply URL is where the application expects to receive the SAML response containing the signed assertion. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML.
  Value: https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD/samlp/sso/assertionconsumer

Sign on URL
  Description: This URL contains the sign-in page for this application that will perform the service provider-initiated single sign-on.
  Value: https://labondemand.com/AuthenticationProvider/SamlIdpRedirect?idp=B2C_1A_signup_signin_LOD_SAML-PROD-{Customer}

Relay State
  Description: Leave this blank. Configuring Relay State is not necessary for this configuration.
  Value: N/A

Logout URL
  Description: This URL is used to send the SAML Logout response back to the application.
  Value: https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD/samlp/sso/logout

Training Management System (TMS)

Unique Identifier (Entity ID)
  Description: This value must be unique across all applications in your Entra ID tenant. It is the Audience that Skillable expects in every assertion.
  Value: https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS

Reply URL (Assertion Consumer Service URL)
  Description: The reply URL is where the application expects to receive the SAML response containing the signed assertion. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML.
  Value: https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS/samlp/sso/assertionconsumer

Sign on URL
  Description: This URL contains the sign-in page for this application that will perform the service provider-initiated single sign-on.
  Value: https://{TMS-Site}.learnondemand.net/User/CurrentTraining (or any designated landing page)

Relay State
  Description: Leave this blank. Configuring Relay State is not necessary for this configuration.
  Value: N/A

Logout URL
  Description: This URL is used to send the SAML Logout response back to the application.
  Value: https://{TMS-Site}.learnondemand.net/User/Logout

Insights

Unique Identifier (Entity ID)
  Description: This value must be unique across all applications in your Entra ID tenant. It is the Audience that Skillable expects in every assertion.
  Value: https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_portal

Reply URL (Assertion Consumer Service URL)
  Description: The reply URL is where the application expects to receive the SAML response containing the signed assertion. This is also referred to as the "Assertion Consumer Service" (ACS) in SAML. Note that the value below references the _TMS policy path rather than the _portal path used for the Entity ID; confirm the exact value with Skillable Support before entering it.
  Value: https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_TMS/samlp/sso/assertionconsumer

Sign on URL
  Description: This URL contains the sign-in page for this application that will perform the service provider-initiated single sign-on.
  Value: https://portal.learnondemandsystems.com/Authentication/SamlIdpRedirect?idp=B2C_1A_signup_signin_TMS_SAML-PROD-{Customer}

Relay State
  Description: Leave this blank. Configuring Relay State is not necessary for this configuration.
  Value: N/A

Logout URL
  Description: This URL is used to send the SAML Logout response back to the application.
  Value: https://portal.learnondemandsystems.com/Authentication/LogOut

User Attributes and Claims

  1. Ensure the following User Attributes are configured.

     Attribute Name           Attribute Syntax
     Givenname                user.givenname
     Surname                  user.surname
     Emailaddress             user.mail
     Name                     user.userprincipalname
     Unique User Identifier   user.userprincipalname

  2. If these are not configured, select the Edit button on the User Attributes and Claims section, and modify each value.
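The tables above give the two values Skillable checks on every incoming assertion (the Entity ID as the Audience and the Reply URL as the Destination and Recipient), and the claims it expects to find. The following is an added example, not Skillable's code, of the checks a SAML Service Provider performs on an IdP-initiated Response before trusting its claims, using the Skillable Studio values from above. The tenant ID in the issuer, the sample Response and the user "alice@contoso.example" are constructed for the demonstration; XML signature verification against the Entra ID signing certificate is assumed to have happened already and is not shown.

```python
"""Added example (not Skillable's code): the checks a SAML Service Provider must
make on an IdP-initiated SAML Response before trusting its claims."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production code: parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Entity ID and Reply URL from the Skillable Studio table above.
SP_ENTITY_ID = "https://learnondemandsystemsb2c.b2clogin.com/learnondemandsystemsb2c.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions_LOD-PROD"
SP_ACS_URL = SP_ENTITY_ID + "/samlp/sso/assertionconsumer"
TMS_ENTITY_ID = SP_ENTITY_ID.replace("_LOD-PROD", "_TMS")  # the TMS application's Entity ID
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant

class SamlError(Exception):
    """Raised when the Response must be rejected."""

def _parse_time(value):
    """Entra ID emits UTC timestamps with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def validate_response(xml_text, now, sp_entity_id=SP_ENTITY_ID,
                      acs_url=SP_ACS_URL, idp_entity_id=IDP_ENTITY_ID):
    """Check the Response against the configured values, then return its claims.
    Every binding check runs before any claim is read, so a mismatched Entity ID
    or Reply URL never produces a logged-in user (signature check assumed done)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise SamlError("Destination does not match the Reply URL (ACS)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguity; EncryptedAssertion is not handled here
        raise SamlError("expected exactly one Assertion, got %d" % len(assertions))
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlError("Issuer is not the expected Entra ID tenant")
    conditions = assertion.find("saml:Conditions", NS)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if conditions is None or audience != sp_entity_id:
        raise SamlError("Audience does not match the Unique Identifier (Entity ID)")
    if not (_parse_time(conditions.get("NotBefore")) <= now
            < _parse_time(conditions.get("NotOnOrAfter"))):
        raise SamlError("Assertion is outside its validity window")
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if confirmation is None or confirmation.get("Recipient") != acs_url:
        raise SamlError("SubjectConfirmation Recipient does not match the Reply URL")
    if now >= _parse_time(confirmation.get("NotOnOrAfter")):
        raise SamlError("SubjectConfirmation has expired")
    # Only now read the identity: NameID plus the claims from the User Attributes table.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        short = name[len(CLAIMS):] if name.startswith(CLAIMS) else name
        claims[short] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "claims": claims}

# Constructed, unsigned sample Response (not captured traffic).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00.000Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00.000Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@contoso.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00.000Z" NotOnOrAfter="2024-05-01T13:00:00.000Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The same Response addressed to the TMS application: the Studio SP must reject it.
WRONG_AUDIENCE_RESPONSE = SAMPLE_RESPONSE.replace("<saml:Audience>" + SP_ENTITY_ID, "<saml:Audience>" + TMS_ENTITY_ID)
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
AFTER_EXPIRY = NOW.replace(minute=10)  # past the SubjectConfirmation NotOnOrAfter

def outcome(xml_text, now=NOW):
    """Accepted claims, or the rejection reason as a string."""
    try:
        return validate_response(xml_text, now)
    except SamlError as exc:
        return "rejected: " + str(exc)
```

Running `outcome(SAMPLE_RESPONSE)` returns the NameID and the four claims; `outcome(WRONG_AUDIENCE_RESPONSE)` is rejected on the Audience check even though every other field is valid, which is why each application needs its own Entity ID. The claim names are the Entra ID defaults (`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` and so on), matching the attribute table above.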

Application Setup with Skillable

  1. Open a support ticket and provide Skillable with the following URLs. The values in these URLs vary by tenant; the following is an example of how they may look. In the Entra ID portal they appear in the Set up section of the application's Single sign-on page, where the Login URL is the SAML Single Sign-On Service URL and the Microsoft Entra Identifier is the SAML Entity ID.

     Value Name                        Example
     SAML Single Sign-On Service URL   https://login.microsoftonline.com/{Tenant ID}/saml2
     SAML Entity ID                    https://sts.windows.net/{Tenant ID}/
     Sign-Out URL                      https://login.microsoftonline.com/{Tenant ID}/saml2
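The three values in the table above, together with the tenant's signing certificate, are also published in the tenant's federation metadata document. The following is an added example, not Skillable's or Microsoft's code, that reads them out of that document and checks that all three name the same tenant and that a signing key is present, so the values sent to Support are consistent. The metadata sample and its certificate are constructed placeholders (the certificate is not a real X.509 object, only base64 text of the right shape); the tenant-wide metadata URL form and the global-cloud URL patterns are assumed.

```python
"""Added example (not Skillable's or Microsoft's code): extract the SSO Service URL,
Entity ID, Sign-Out URL and signing certificate from Entra ID federation metadata."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # production code: parse with defusedxml instead

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"md": MD, "ds": DS}
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

def metadata_url(tenant_id):
    """Tenant-wide federation metadata endpoint (assumed global-cloud URL form)."""
    return "https://login.microsoftonline.com/%s/federationmetadata/2007-06/federationmetadata.xml" % tenant_id

def check_consistency(s):
    """The three values must name one tenant, and there must be a key to verify with."""
    m = re.fullmatch(r"https://sts\.windows\.net/(%s)/" % GUID, s["entity_id"] or "")
    if not m:
        raise ValueError("Entity ID is not of the form https://sts.windows.net/{Tenant ID}/")
    tenant = m.group(1)
    for key in ("sso_url", "sign_out_url"):
        if s[key] != "https://login.microsoftonline.com/%s/saml2" % tenant:
            raise ValueError("%s does not belong to tenant %s" % (key, tenant))
    if not s["signing_cert_sha256"]:
        raise ValueError("no signing certificate: responses could not be verified")

def extract_idp_settings(xml_text):
    """Return the values Skillable asks for, after the consistency check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")

    def location(element, binding):
        for svc in idp.findall("md:" + element, NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    certs = []  # SHA-256 fingerprints of the DER certificates, for pinning/rotation checks
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means any use
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append(hashlib.sha256(der).hexdigest())
    settings = {
        "entity_id": root.get("entityID"),
        # Entra ID accepts the Response over HTTP-POST; fall back to Redirect if absent.
        "sso_url": location("SingleSignOnService", POST) or location("SingleSignOnService", REDIRECT),
        "sign_out_url": location("SingleLogoutService", REDIRECT) or location("SingleLogoutService", POST),
        "signing_cert_sha256": certs,
    }
    check_consistency(settings)
    return settings

def outcome(xml_text):
    """Settings dict, or the rejection reason as a string."""
    try:
        return extract_idp_settings(xml_text)
    except ValueError as exc:
        return "rejected: " + str(exc)

# Constructed sample metadata: placeholder tenant, placeholder certificate bytes.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Same document with the logout endpoint pointing at a different tenant: must be rejected.
MISMATCHED_METADATA = SAMPLE_METADATA.replace(
    "https://login.microsoftonline.com/%s/saml2" % TENANT,
    "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/saml2", 1)
```

`extract_idp_settings(SAMPLE_METADATA)` yields the Entity ID, the HTTP-POST sign-on URL and the logout URL in exactly the form of the table above, plus the fingerprint of the signing certificate; `outcome(MISMATCHED_METADATA)` is rejected because the Sign-Out URL belongs to another tenant. Recording the certificate fingerprint at setup time is what later lets you notice an Entra ID signing-key rotation before it breaks sign-in.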