
Adding a New SSO Connection

The information presented in this topic refers to the self service Learn Single Sign-On (SSO) feature. If you have a custom SSO built by the Oracle Taleo Learn Cloud Services team, and you are looking for assistance, please refer to any documentation they have provided.

You can add new SSO connections as needed. On the Integration Connections page, click Add. A three-tabbed window opens. Complete the information on this page.

The information you enter here is unique to your organization and must be provided by your IT Department. Please review the topic called SSO Information for Your IT Department before proceeding.


VERY IMPORTANT! If you have a custom SSO set up by our Services team, do not make changes to the Learn SSO pages without first contacting Support. Making changes to these pages while you have an active SSO setup can create problems with access to your LearnCenters.

If you currently have a custom SSO that meets your needs, you may keep it for as long as you wish to do so. If you want to migrate from your custom SSO to the Learn product SSO, please open a Service Request (SR) through My Oracle Support to make that request. (Note that if you do NOT have a current custom SSO, no Service Request is necessary in order for you to set up the Learn product SSO.)

On the ControlPanel:

  1. Click the Integrations menu to expand it.
  2. Click Integration Connections.

Integration Type – Set to Learn SSO. You cannot change this setting.

  1. Type the IdP Identifier given to you by your IT Department for your organization’s identity provider. This must be the SAML Issuer value that appears in your organization’s Assertion, copied exactly as the IdP sends it.
For example: <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  2. Type a free-form Description. This is information intended to help you distinguish between multiple SSOs you may create. Your IT Department may be able to assist you with this.

SAML Protocol - Set to SAML 2.0. You cannot change this setting.

If you would like to learn more about SAML 2.0, visit http://en.wikipedia.org/wiki/SAML_2.0 for a detailed description.
  3. Type your IdP Unique Identifier. This information must be provided by your IT Department. This required field maps your IdP’s unique identifier for the User to the LearnCenter unique identifier. It is a free-form field limited to 50 characters. Enter the identity provider’s value that uniquely identifies the User; in the Learn SAML SSO the User’s unique ID is expected to be sent in the SAML NameID.

For example, the NameIDPolicy that the service provider sends at the end of its AuthnRequest:

<samlp:NameIDPolicy
    AllowCreate="false"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>

and a NameID as returned by an IdP in the Subject of the Assertion:

<saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>

Note that a NameID in the transient format, as in the second fragment, is a per-session value and cannot serve as a stable identifier for mapping a User to a LearnCenter account. Ask your IT Department to return the NameID in the Format that the NameIDPolicy requests (for example emailAddress, or persistent), so that the same User always arrives with the same value.

NOTE: The value entered in the text box is case sensitive and must be an exact match to your IdP value.

  1. Select the Learn Unique Identifier. This information must be provided by your IT Department. This required field selects the unique identifier used in your Learn implementation to identify the User accessing the system. Standard and custom User fields are available to give you flexibility in determining your unique identifier.
  2. Type your Authentication URL. This information must be provided by your IT Department. This required field must contain the URL to which authentication requests will be redirected (your IdP’s single sign-on endpoint). It is a free-form text field and must be entered exactly.
  3. (Optional) Type your Logout Page URL. This information must be provided by your IT Department. Some IdPs support logout requests from the service provider. When a User logs out of LearnCenter, the LearnCenter session ends, and if you have entered a Logout Page URL here, a logout request is also posted to the IdP. Without it, only the LearnCenter session ends and the User’s IdP session may remain active.
  4. (Optional) Type your Error Page URL. This information must be provided by your IT Department. Some IdPs support error messages for failed login attempts from the service provider. When an error occurs, if you have entered an Error Page URL here, the error message is posted to the IdP to be displayed to the User. If no URL is present, the error information is displayed in the LearnCenter error modal.
  5. Upload your SSO Certificate. This is the IdP’s signing certificate, a third-party X.509 certificate obtained from your IT personnel; upload the public certificate only, never a private key. A certificate with a SHA-2 family signature (for example SHA-256) is required; SHA-1 certificates do not meet this requirement.
  6. Upload Existing Certificates. These certificates must be provided by your IT Department. This step requires that a SHA-2 (for example SHA-256) certificate has already been uploaded and selected.
  7. Click Save.
  8. Click the LearnCenters tab.

This tab enables you to designate which sub LearnCenters should be included in your Single Sign-On. For example, you may want to use Single Sign-On from the root LearnCenter and all child sub LearnCenters of the root, or you may want to pick a sub LearnCenter and enable Single Sign-On for that sub LearnCenter and all of its child sub LearnCenters.

  1. Click Add.
  2. Filter for and select the LearnCenters you want to include.

You can also pick and choose individual sub LearnCenters you want to include in the Single Sign-On. This page provides you with the flexibility to set Single Sign-On in the way that works best for your organization. You must choose at least the root or one sub LearnCenter to create a connection.

Logic has been built into this feature that prevents you from adding sub LearnCenters that are already in use in another SSO connection or Fusion HCM connection.

The Edit Integration Connection page also enables you to activate User Management (on the User Management tab explained below). User Management is a powerful feature that allows for the creation of new User Accounts, insertion of existing User Accounts into other LearnCenters, and the updating of existing User Accounts in real time through the SSO. On the LearnCenters tab, you have the ability to assign User Accounts to a default User role, or to any other role you have created for that LearnCenter. User Management is useful for both external and internal Users.

You can activate or deactivate User Management in an individual sub LearnCenter simply by changing its status. The default status is inactive. It is not recommended that you activate User Management in LearnCenters that already have a custom User Integration built by our Services team, because the two would both create and update User Accounts.
  1. Click Return Selected.

Optional Steps

  2. Optional: On the LearnCenters tab, select the Default Users Role. This is the default role to which all new Users will be assigned. Existing Users whose information has changed since they last came into a LearnCenter have their information updated.
  3. Optional: If you want to set up User Management, click the User Management tab.

You can also use the User Management tab to map up to 50 User fields. This relates LearnCenter fields to the corresponding IdP fields sent with the authentication. Choose a LearnCenter from the drop-down list or select All. Type an IdP field and then select a LearnCenter User field. Username is the only required field. All Standard and Custom fields are supported. Some fields require specific values to work properly; see the sections below for specific value settings. There is also a test mechanism to help you determine whether you have entered all of your values correctly.
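As an added example, not Oracle’s code, the following Python script checks a SAML assertion handed over by your IT Department against the values that go into the connection form described above: the IdP Identifier is compared to saml:Issuer as an exact string, the IdP Unique Identifier is read from the NameID (a transient Format is flagged, because such a value cannot identify a stable User), and the User Management field mapping is applied with Username required and at most 50 fields. The sample assertion, the connection values, the field mapping, and the convention that the literal value "NameID" means "take the unique ID from the NameID" are all constructed assumptions; the script does not verify the assertion signature, which the product does with the uploaded IdP certificate.

```python
"""Pre-flight check of a SAML 2.0 assertion against Learn SSO form values.

Added example, not Oracle's code. The assertion is constructed, the form values
are hypothetical, and no XML signature is verified here."""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
MAX_MAPPED_FIELDS = 50  # limit of the User Management tab

# Constructed sample: an unsigned assertion trimmed to the elements inspected.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="%s">jdoe@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % NAMEID_EMAIL

# Hypothetical form values. "NameID" is treated (an assumption) as "take the
# unique ID from the NameID"; any other value names a SAML attribute.
CONNECTION = {"idp_identifier": "https://idp.example.org/SAML2",
              "idp_unique_identifier": "NameID"}
# Hypothetical User Management mapping: IdP field -> LearnCenter User field.
FIELD_MAP = {"mail": "Username", "givenName": "FirstName", "sn": "LastName"}


def parse_assertion(xml_text):
    """Extract Issuer, NameID (value and Format) and single-valued attributes."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=SAML) or "").strip()
    name_id = root.find("saml:Subject/saml:NameID", SAML)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        value = attr.find("saml:AttributeValue", SAML)
        attributes[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return {
        "issuer": issuer,
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "attributes": attributes,
    }


def unique_id(parsed, connection):
    """The IdP-side value that must map to the Learn Unique Identifier."""
    source = connection["idp_unique_identifier"]
    if source == "NameID":
        return parsed["name_id"]
    return parsed["attributes"].get(source, "")


def check_connection(parsed, connection, field_map):
    """Return a list of problems; an empty list means the values fit the form."""
    problems = []
    # Exact, case-sensitive comparison, as the form requires for its values.
    if parsed["issuer"] != connection["idp_identifier"]:
        problems.append("Issuer %r does not match IdP Identifier %r"
                        % (parsed["issuer"], connection["idp_identifier"]))
    if not unique_id(parsed, connection):
        problems.append("no value for IdP Unique Identifier %r"
                        % connection["idp_unique_identifier"])
    # A transient NameID is minted per session and can never map to one
    # stable LearnCenter User record.
    if (connection["idp_unique_identifier"] == "NameID"
            and parsed["name_id_format"] == NAMEID_TRANSIENT):
        problems.append("NameID Format is transient; request a persistent or "
                        "emailAddress NameID instead")
    if "Username" not in field_map.values():
        problems.append("User Management mapping must include Username")
    if len(field_map) > MAX_MAPPED_FIELDS:
        problems.append("more than %d fields mapped" % MAX_MAPPED_FIELDS)
    for idp_field in field_map:
        if idp_field not in parsed["attributes"]:
            problems.append("mapped IdP field %r is not in the assertion" % idp_field)
    return problems


def map_user_fields(parsed, field_map):
    """Build the LearnCenter User record that the mapping would produce."""
    return {lc_field: parsed["attributes"][idp_field]
            for idp_field, lc_field in field_map.items()
            if idp_field in parsed["attributes"]}


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(check_connection(parsed, CONNECTION, FIELD_MAP) or "OK")
    print(map_user_fields(parsed, FIELD_MAP))
```

Run it against the real assertion your IT Department captures (for example from a browser SAML tracer) before entering the values, and again after any IdP change; an Issuer that differs only in case or in a trailing slash is the most common reason a connection that "looks right" fails.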

  1. Click Save.

Work Flow Diagram

The following work flow diagram provides more detail for the steps required for setting up SSO for your LearnCenter.

Related Topics


Copyright © 2010-2018, Oracle and/or its affiliates. All rights reserved.