Summary
This document will guide you through the steps to provide Multi-factor authentication and Single-Sign-On to Saba, a learning management system (LMS), using PhenixID Authentication Services.
System Requirements
- PhenixID Authentication Services 2.8 or higher
- Saba administrator account credentials
Instruction
1. Set up PhenixID Authentication Services as SAML IdP
- Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
Make sure the User identifier attribute is set to the attribute where the mail address is stored. - Download the SAML IdP metadata to a file named idp.xml
2. Configure Saba
-
- Login to with your Saba administrator account.
- Click Security in the admin console.
- Open System->SAML SSO Setup
- Click Setup SAML SSO
- Select microsite.
- Click Add and Configure
- Upload the idp.xml metadata file.
- Choose Configure SP tab.
- Select Basic and enter a entity alias value
- Click on Generate.
- Click on the Configure Properties tab
- Enable SAML SSO to true.
- Save
- Go to SAML SSO Setup
- Select your site
- Copy the Saba endpoint url value
- Construct the Saba entityID value by replacing subdomain and entity alias:
https://<subdomain>.sabacloud.com/Saba/saml/SSO/alias/<entity_alias_from_previous_step>
3. Add Saba SAML SP Metadata to PhenixID Authentication Services
- Create Saba SAML SP Metadata XML file. Use the template data below. Replace “ENTITY_ID” with the entityID constructed in previous step.
Replace “ASSERTION_CONSUMER_LOCATION with the saba endpoint URL fetched in previous step.
Place the text in a file using a text editor and save it as a xml file.<?xml version="1.0" encoding="UTF-8"?> <EntityDescriptor entityID="ENTITY_ID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ASSERTION_CONSUMER_LOCATION"></AssertionConsumerService> </SPSSODescriptor> </EntityDescriptor>
- Example metadata:
<?xml version="1.0" encoding="UTF-8"?> <EntityDescriptor entityID="https://mydomain.sabacloud.com/Saba/saml/SSO/alias/myDomainAlias" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mydomain.sabacloud.com/Saba/Web/mydX"></AssertionConsumerService> </SPSSODescriptor> </EntityDescriptor>
- Example metadata:
- Upload the metadata file using this Federation Scenario.
Test
- Open a web browser
- Browse to your Saba subdomain
- You should be redirected to the Idp (PhenixID Authentication Services)
- Authenticate
- You should be redirected back to G Saba
- You are now logged in to G Saba.
Troubleshooting
Use the SAML Tracer addon for Firefox to debug and trace the SAML messages.
Check PhenixID logs/server.log for errors.
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se