This article describes an oldschool way of doing single sign on. While still fully functional, we recommend that you use ADFS for single sign on with Activate LMS if possible. See this article https://activatelms.zendesk.com/hc/en-us/articles/115003721873-Single-Sign-On-SSO-in-Activate-LMS-using-Active-Directory-Federation-Services-AD-FS- for more information
This article describes the implementation and configuration process of the Single Sign On module provided by Activate LMS that will provide a user friendly and seamless sign in with 3DES encryption. Please note that this requires assistance from an Activate LMS consultant and cannot be done singlehandedly. If you haven't been in contact with one of our consultants yet, please contact us on support@activatelms.com to hear more. In the following flowchart you can get a quick overview of what happens when one of your users logs in to your Activate LMS from an on-site device. In the example there's been set up user sync with AD.
The configuration of an SSO using user sync requires assistance from an Activate LMS consultant, so please contact us using this form to get in contact with us.
Requirements
The table below describes the technical requirements of our SSO module environment.
Server & IIS Version |
Windows Server 2008 IIS 7.0 |
Programming language |
.Net 4.0 |
IIS settings |
Set Integrated Windows Authentication to “enabled”. Set Anonymous access to “disabled”. IIS Server can deliver a simple HTML page IIS Server can deliver a simple ASP page IIS Server can deliver a simple ASPX page |
Will code be compiled or not compiled |
Compiled |
Will package run on its own site or as a page on an existing site |
It wil run on its own site. Must be configured as a standard site. |
Location / name of web.config file (this file will contain variables and parameters that can be changed) |
Root folder / web.config |
Login credentials |
Login credentials are by default created based on the AD field “sAMAccountName”. |
AD integration |
If “sAMAccountName” is used, to generate login credential then there is no need for AD integration. For other fields the SSO module must be placed on the same server as the AD and must be able to query the AD. |
Configuration
Follow these steps to set up the IIS on your server to support the SSO module. Depending on your Windows Server version you might experience differences in the IIS layout.
-
Add a new application pool, e.g. “ActivateSSO Website”, in IIS.
-
Now we must set the application pool to .Net 4, you can double click on your newly application pool to edit this.
- Now it's time to add website. You can do this by right clicking on Sites and selection Add Website.
- Specify the information to your needs. Please note that "mydomain" part of the hostname should correspond to your intranet domain, i.e. be the same as the one your employees’ PCs are using. Alternatively, you need to configure your browsers to trust the domain your server is located on.
- Now back in the right hand panel of the IIS Manager, click Advanced Settings.
- Now you can verify that the website is running on the correct application pool.
- When the web site is created, it is crucial that authentication is correctly configured. This is required for the SSO module to be able to retrieve user identity. In the Features View double click the Authentication page in the server manager.
- Now enable Windows Authentication and disable Anonymous Access. If Windows authentication is not listed then please follow the IIS setup guide here: http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication
-
Once the IIS application pool and website is configured, then go to the selected root folder and move the provided SSO module code package to that folder.
-
Then configure the security settings for the root folder, in the folders preferences > 1. & 2. Security > 3. find IISUSR and 4. grant read, write and execute permissions. You may want to verify setting on c:\inetpub\wwwroot.
-
Now go to your domain name/URL to test the setup. Set displayDebug to "true" in the web.config file if it is not already. For more details on web.config configuration, see next section.
Web.config configuration
The SSO module is configurable through the web.config file in the root folder of the website. All configurable settings are located in the <AppSettings> node of the config file. The below table lists the available settings, along with a description of their scope and examples of valid values.
Most settings are provided by Activate LMS and are summarized in the next section.
Please Note: Never comment out a key or remove it, this might trigger the SSO module to fail. If a value is not needed, you should rather set the value to be empty, i.e. "".
Key |
Purpose |
Value example |
---|---|---|
lmsLoginUrl |
The Activate LMS main URL page, used to generate the login URL. |
http://www.ActivateLMS.com |
requestTimeoutDelay |
Single Sign-On allowed request delay, in seconds. Used to state how long the created login URL is valid. |
400 100 40 |
companyName |
SSO company name. Must match the company name set up in your Activate LMS. |
Activate companyname |
securityToken |
SSO security token. Must match the security token set up in Activate LMS. |
Activatesso ssocompanyname secretword |
key |
SSO security key, used for 3DES encryption of login credentials. Must be 24 characters and match the security key set up in |
2B7681b55F034767E98ce5A7 Af2625115560DC817261DA65 B516EAeE06AB9FD7F799B06E |
domainName |
AD domain name on server, used to create lookup query if another field then sAMAccountName is used to generate login credentials. |
eff abc |
domainUserNameField |
Active Directory User Name field used to generate login credentials. If left empty sAMAccountName is set to default and no AD lookup is required. |
sAMAccountName |
displayDebug |
Set this to true to enable view of debug parameters, during implementation and test phase. Set to false when Activate LMS and the SSO goes live. |
True False |
testUser |
Use this parameter to verify that Activate LMS is set up correctly. Set the value to a user that exists in Active Directory to validate that the SSO component on the Activate LMS side works. Please note that if a username is set here it will overwrite the user that is being fetched from the Active Directory. Set this value to "" when done verifying that Activate LMS is set up correctly. |
akl
|
Activate LMS Configuration
Your Activate LMS consultant will handle this section. It defines the SSO related information stored in Activate LMS. Highlighted values should correspond to the settings in the SSO module web.config file.
Token Token should be changed to something more secure before go-live. Sometimes also named tklogin_key |
xxxxsso |
|
3DES Key for SSO Must be exactly 24 alphanumeric characters. For security, you should change this when system goes live. |
3DESKEY |
|
Username and Password |
All users’ passwords must be set to the same as their username. This is to be done in the user base data import routine so that a new user’s password is set to their username. It is possible to include a column in the user base data import file called PASSWORD. Set the value to the same as the users USERNAME. It is the client’s responsibility to ensure user data file from HRIS is updated with new column.
|
|
expire To be set dynamically. Format:
In Activate LMS |
Sample value: 2012-12-31T23:00:00 For testing, expiration will not be used. In Activate LMS the threshold will be set to -1 (= does not expire). |
|
Activate LMS Environment |
http://learning.companyABC.com |
|
Expiry of SSO Request (in seconds): The expiration is how long the URL is good for. -1 means forever. A typical value is 30-60. |
This will be -1 in first development phase. Can be changed later on. |
Other useful information
Login string example
This is a sample login string (not functional, for example only).
Debugging
Below screenshot shows, what the SSO login page should look like when debugging is set to "true". If you wish change the layout of the pages please edit the default.aspx file and the style.css file. The logo in the top left hand corner is located in the images subfolder and is named Logo.png.
Tasks
Overview
- Activate LMS and your company discuss and agree on options and encryption keys
- Your company installs and perform test on your company's site
- your company coordinate with the Activate LMS implementation consultant to turn on SSO on the Activate LMS side and verify it is working.
Activate LMS will be standing by to support your company in any question regarding the delivered code.
All questions & configuration related to the Activate LMS side will be handled by the Activate LMS consultant.
Summary of tasks to be done by your company
- Participate in discussion with Activate LMS mentioned above 1)
- Coordinate own technical resources
- Install files on local servers for SSO test to Activate LMS
- Modify files as needed (e.g. if different user object location to be used for retrieving user identifier)
- Coordinate with Activate LMS implementation consultant regarding testing SSO on Activate LMS production instance
Coordinate with Activate LMS technical consultant regarding configuration updates, code changes
Troubleshooting
Credentials are not passed on to IIS (You are not authorized/authenticated)
Solution: Either move your server to the intranet DNS domain (recommended), or reconfigure your browser.
This is how you reconfigure your browser:
Internet Explorer
Check that the ActivateSSO.<yourcompany.com> server is recognized as being in the “Intranet” zone or “Trusted”.
For IE 8 and below you can see the zone in the status bar at the bottom of the window.
For IE 9 and above, choose File->Properties to see what “Zone” you are in.
If the ActivateSSO server is listed as being in the “Internet” zone, then credentials will not be passed on and SSO will not work.
Reconfigure your browser by adding ActivateSSO.<yourcompany.com> as an intranet or trusted zone in IE. This is done via Tools -> Internet Options -> Security -> Click on “Local Intranet” -> Sites- > Advanced and add your ActivateSSO server:
Firefox
Write "About:config" in the address bar and accept the warning that pops up.
Edit the parameter "network.automatic-ntlm-auth.trusted-uris" and add the DNS domain name of the ActivateSSO server.
IIS Error: Validation of viewstate MAC failed
If you see the below error on the Microsoft Internet Information Server (IIS) when running the Web-SSO module, please refer to this document:
http://technet.microsoft.com/en-us/library/cc755177(v=ws.10).aspx
Follow the instructions for generating a machine key. The instructions are copied from the tech note here for reference.
- Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
- In Features View, right-click Machine Key, and then click Open Feature.
- On the Machine Key page, select an encryption method from the Encryption method drop-down list. The default encryption method is SHA1.
- Choose a decryption method from the Decryption method drop-down list. The default decryption method is Auto.
- Optionally, configure settings for validation and decryption keys.
- In the Actions pane, click Generate Keys, and then click Apply.
Please note that if you are using a Web Farm or cluster, all servers must be configured with the same validation key and validation algorithm.