Activate LMS

Help Center

Single Sign On (SSO) in Activate LMS using User Sync

This article describes the implementation and configuration process of the Single Sign On module provided by Activate LMS that will provide a user friendly and seamless sign in with 3DES encryption. Please note that this requires assitance from an Activate LMS consultant and cannot be done single handedly. If you haven't been in contact with one of our consultants yet, please contact us on support@acitvatelms.com to hear more. In the following flowchart you can get a quick overview of what happends when one of your users logs in to your Activate LMS from an on-site device. In the example there's been set up user sync with AD.

WhatHappendsWhenAnOnSiteUserLogsIn.PNG

The configuration of an SSO using user sync requires assistance from an Activate LMS consultant, so please contact us using this form to get in contact with us.

 

Requirements

The table below describes the technical requirements of our SSO module environment.

Server & IIS Version

Windows Server 2008

IIS 7.0

Programming language

.Net 4.0

IIS settings

Set Integrated Windows Authentication to “enabled”.

Set Anonymous access to “disabled”.

IIS Server can deliver a simple HTML page

IIS Server can deliver a simple ASP page

IIS Server can deliver a simple ASPX page

Will code be compiled or not compiled

Compiled

Will package run on its own site or as a page on an existing site

It wil run on its own site. Must be configured as a standard site.

Location / name of web.config file (this file will contain variables and parameters that can be changed)

Root folder / web.config

Login credentials

Login credentials are by default created based on the AD field “sAMAccountName”.

AD integration

If “sAMAccountName” is used, to generate login credential then there is no need for AD integration. For other fields the SSO module must be placed on the same server as the AD and must be able to query the AD.

 

Configuration

Follow these steps to set up the IIS on your server to support the SSO module. Depending on your Windows Server version you might experience differences in the IIS layout.

  1. Add a new application pool, e.g. “ActivateSSO Website”, in IIS.



  2. Now we must set the application pool to .Net 4, you can double click on your newly application pool to edit this.

     

  3. Now it's time to add website. You can do this by right clicking on Sites and selection Add Website.

  4. Specify the information to your needs. Please note that "mydomain" part of the hostname should correspond to your intranet domain, i.e. be the same as the one your employees’ PCs are using. Alternatively, you need to configure your browsers to trust the domain your server is located on.



  5. Now back in the right hand panel of the IIS Manager, click Advanced Settings.

     

  6. Now you can verify that the website is running on the correct application pool.



  7. When the web site is created, it is crucial that authentication is correctly configured. This is required for the SSO module to be able to retrieve user identity. In the Features View double click the Authentication page in the server manager.



  8. Now enable Windows Authentication and disable Anonymous Access. If Windows authentication is not listed then please follow the IIS setup guide here: http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication


  9. Once the IIS application pool and website is configured, then go to the selected root folder and move the provided SSO module code package to that folder.

  10. Then configure the security settings for the root folder, in the folders preferences > 1. & 2. Security  > 3. find IISUSR and 4. grant read, write and execute permissions. You may want to verify setting on c:\inetpub\wwwroot.

    2017-11-18_14-23-21.png

  11. Now go to your domain name/URL to test the setup. Set displayDebug to "true" in the web.config file if it is not already. For more details on web.config configuration, see next section.

 

Web.config configuration

The SSO module is configurable through the web.config file in the root folder of the website. All configurable settings are located in the <AppSettings> node of the config file. The below table lists the available settings, along with a description of their scope and examples of valid values.

Most settings are provided by Activate LMS and are summarized in the next section.


Please Note: Never comment out a key or remove it, this might trigger the SSO module to fail. If a value is not needed, you should rather set the value to be empty, i.e. "".


 

Key

Purpose

Value example

lmsLoginUrl

The Activate LMS main URL page, used to generate the login URL.

http://www.ActivateLMS.com

requestTimeoutDelay

Single Sign-On allowed request delay, in seconds. Used to state how long the created login URL is valid.

400

100

40

companyName

SSO company name. Must match the company name set up in your Activate LMS.

Activate

companyname

securityToken

SSO security token. Must match the security token set up in Activate LMS.

Activatesso

ssocompanyname

secretword

key

SSO security key, used for 3DES encryption of login credentials. Must be 24 characters and match the security key set up in

2B7681b55F034767E98ce5A7

Af2625115560DC817261DA65

B516EAeE06AB9FD7F799B06E

domainName

AD domain name on server, used to create lookup query if another field then sAMAccountName is used to generate login credentials.

eff

abc

domainUserNameField

Active Directory User Name field used to generate login credentials. If left empty sAMAccountName is set to default and no AD lookup is required.

sAMAccountName
mailNickName

displayDebug

Set this to true to enable view of debug parameters, during implementation and test phase. Set to false when Activate LMS and the SSO goes live.

True

False

testUser

Use this parameter to verify that Activate LMS is set up correctly. Set the value to a user that exists in Active Directory to validate that the SSO component on the Activate LMS side works.

Please note that if a username is set here it will overwrite the user that is being fetched from the Active Directory. Set this value to "" when done verifying that Activate LMS is set up correctly.

akl
RIF2
JaneDoe

 

 

Activate LMS Configuration

Your Activate LMS consultant will handle this section. It defines the SSO related information stored in Activate LMS. Highlighted values should correspond to the settings in the SSO module web.config file.

Token

Token should be changed to something more secure before go-live. Sometimes also named tklogin_key

xxxxsso

3DES Key for SSO

Must be exactly 24 alphanumeric characters. For security, you should change this when system goes live.

3DESKEY

Username and Password
Users will be prevented from changing their own password. An administrator can change username as well as set password if needed. Passwords cannot be exported from the system.

All users’ passwords must be set to the same as their username. This is to be done in the user base data import routine so that a new user’s password is set to their username. It is possible to include a column in the user base data import file called PASSWORD. Set the value to the same as the users USERNAME.

It is the client’s responsibility to ensure user data file from HRIS is updated with new column.

 

expire

To be set dynamically. Format:
yyyy-MM-ddTHH:mm:ss. Timestamp with current date & time + 6000 seconds.

 

In Activate LMS

 

Sample value:

2012-12-31T23:00:00

For testing, expiration will not be used. In Activate LMS the threshold will be set to -1 (= does not expire).

Activate LMS Environment

http://www.ActivateLMS.com

http://learning.companyABC.com

Expiry of SSO Request (in seconds): 

The expiration is how long the URL is good for.   -1 means forever. A typical value is 30-60.

This will be -1 in first development phase. Can be changed later on.

 

Other useful information

Login string example

This is a sample login string (not functional, for example only).

https://www.ActivateLMS.com?tklogin_key=delhaizeT&company=delhaizeT&username=CgnYo7AywfUfrFDvxOJq9w%3D%3D&password=ZnKtYdLW9qM%3D&expire=PCJi7CCIc4PdHFBlNE3UWWfZrKJL0BA

 

Debugging

Below screenshot shows, what the SSO login page should look like when debugging is set to "true". If you wish change the layout of the pages please edit the default.aspx file and the style.css file. The logo in the top left hand corner is located in the images subfolder and is named Logo.png.

 

Tasks

Overview

  1. Activate LMS and your company discuss and agree on options and encryption keys
  2. Your company installs and perform test on your company's site
  3. your company coordinate with the Activate LMS implementation consultant to turn on SSO on the Activate LMS side and verify it is working.

Activate LMS will be standing by to support your company in any question regarding the delivered code.

All questions & configuration related to the Activate LMS side will be handled by the Activate LMS consultant.

 

Summary of tasks to be done by your company

  • Participate in discussion with Activate LMS mentioned above 1)
  • Coordinate own technical resources
  • Install files on local servers for SSO test to Activate LMS
  • Modify files as needed (e.g. if different user object location to be used for retrieving user identifier)
  • Coordinate with Activate LMS implementation consultant regarding testing SSO on Activate LMS production instance

Coordinate with Activate LMS technical consultant regarding configuration updates, code changes

 

Troubleshooting

Credentials are not passed on to IIS (You are not authorized/authenticated)

Solution: Either move your server to the intranet DNS domain (recommended), or reconfigure your browser.

This is how you reconfigure your browser:

Internet Explorer

Check that the ActivateSSO.<yourcompany.com> server is recognized as being in the “Intranet” zone or “Trusted”.

For IE 8 and below you can see the zone in the status bar at the bottom of the window.
For IE 9 and above, choose File->Properties to see what “Zone” you are in.

If the ActivateSSO server is listed as being in the “Internet” zone, then credentials will not be passed on and SSO will not work.

Reconfigure your browser by adding ActivateSSO.<yourcompany.com> as an intranet or trusted zone in IE. This is done via Tools -> Internet Options -> Security -> Click on “Local Intranet” -> Sites- > Advanced and add your ActivateSSO server:



Firefox

Write "About:config" in the address bar and accept the warning that pops up.

Edit the parameter "network.automatic-ntlm-auth.trusted-uris" and add the DNS domain name of the ActivateSSO server.



IIS Error: Validation of viewstate MAC failed

If you see the below error on the Microsoft Internet Information Server (IIS) when running the Web-SSO module, please refer to this document:

http://technet.microsoft.com/en-us/library/cc755177(v=ws.10).aspx

Follow the instructions for generating a machine key. The instructions are copied from the tech note here for reference.

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
  2. In Features View, right-click Machine Key, and then click Open Feature.
  3. On the Machine Key page, select an encryption method from the Encryption method drop-down list. The default encryption method is SHA1.
  4. Choose a decryption method from the Decryption method drop-down list. The default decryption method is Auto.
  5. Optionally, configure settings for validation and decryption keys.
  6. In the Actions pane, click Generate Keys, and then click Apply.

Please note that if you are using a Web Farm or cluster, all servers must be configured with the same validation key and validation algorithm.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk