Avendoo® online documentation

Login via Single Sign-On (SSO)

Use

Users can login to Avendoo® via Single Sign-On (SSO) without entering user name and password. The authentication consists of two checks – which user wants to login and is this user permitted to login to this resource. The authentication happens once at a central point, by logging-in at the working place for example, and not again additionally when calling Avendoo® via the login page.
This uniquely sign on and the further use of programs like Avendoo® is called as Single Sign-On (SSO).

The learner access then an URL to the Avendoo® system for SSO to which will be then information for the SSO configuration added. The learner doesn’t see after that not the login page of Avendoo®, but he/she is directly on the start page in the user’s frontend. A service could be the Avendoo® system for example.
“Being globally logged-in” means that the user is authenticated and logged-in in an environment. An example for such an environment is the Windows domain. Thus SSO enables the access to a service by checking the authenticating of the accessing user via Identity Provider (IDP). The Active Directory Federation Services (ADFC) is an example for an IDP.

Avendoo® supports the following SSO technologies:

  • Security Assertion Markup Language 2.0 (SAML2) and
  • OpenID Connect.

On this page the SSO technologies SAML2 and OpenID Connect are described.

Prerequisites

Regarding the SSO configurations and IDPs there can be system wide in Avendoo® only one SSO configuration to which are different IDPs assigned and stored. We recommend to define only one standard IDP per client. Therefore the author enters a value in the field Identity Provider Id, this means the prefix of the SSO configuration in the Client wizard on the tab Options.

Note

Note that if you use SAML2, the prefix is the part of the string, which is before the point of the single configuration lines.
Example of a configuration line:
“adfs2.ssoDestinationRedirect=https://URLIPD.de/adfs/ls/”
Thus “adfs2” is the prefix of the SAML2 SSO configuration.

Quick instruction for SSO per SAML2

The SSO interface has been realized with the so called Security Assertion Markup Language 2.0 (SAML2). This is a protocol to exchange authentication and authorization information between two proven systems. The SAML protocal is based on XML.

Note

Please talk about the exact structure of the SSO XML and the basics for the use with your project manager.

The user who logs into the Learning world via SSO authenticates via a certain attribute from the user data. Either he authenticates against the field “Login” or the field “IDPUserID”.

Note

Please note the bundle field, because the combination should be unique. Idpid is the configuration prefix of the IDPs in the system setting “saml.configuration”.

Open SSO link

The SSO link is called by the user via the browser, this means the link to Avendoo® system plus information about the SSO parameters.

Since Avendoo® version 17.57 you can use the language parameter “siteLanguage” in the SSO link. Thus this link can be  l”/l/openid/oidc?&siteLanguage=de” for German as language parameter.

Redirect to the IDP

The user will be redirected to his/her IDP by interpreting the SSO attribute.

Confirm SAML response

If the end user is a user, the IDP confirms by using a signed SAML response that the user is globally logged-in and there exists a session with the IDP.

If the user is currently not logged-in (to the IDP), several IDPs can check also login data. This can be relevant if the Avendoo® system is opened via SSO during transport or from home office.

Execute login

The SAML response is routed to the Avendoo® system and evaluated via the browser of the user. Then there will be a login and finally the user’s frontend is shown.

Quick instruction for SSO via OpenID Connect

The author creates the OpenID Connect configuration with the help of the SSO and import configuration. This enables the browser to check (=SSO) the identity of the end user, based on the authentication executed by an authorization server (analog to IDP) and to receive basic profile information about the end user for example. Thus can be created also a user data set besides SSO via OpenID Connect, if there is no user data set existing when the access happens in Avendoo®.

General information about OpenID Connect

Open SSO link

The user opens the SSO link via the browser, this means the link to the Avendoo® system plus information about the SSO parameters.

Redirect to IDP

The user is redirected to his/her IDP by interpreting the SSO attribute.

Note that via the option Check IDP provider ID (sub tab Attribute assignment of the tab Configuration in the wizard SSO and Import Configuration) only users with this configuration can login, if their identity provider ID matches. If you don’t want this check, please deactivate this check mark in the wizard SSO and Import Configuration.

IDP confirms global login and redirects to IDP

If the user has been already authenticated on the IDP, the IDP confirms that the user is globally logged-in and there exists a session with the IDP.

Then the user is redirected to Avendoo®. Avendoo® and the IDP communicate for exchanging user data and executing the Avendoo® login.

Execute login

If the user is currently not logged-in (to the IDP), several IDPs can acess to user data. This can be relevant when opening the Avendoo® system via SSO during transport or from home office.

Avendoo® and the IDP communicate for exchanging user data and executing the Avendoo® login into the user’s frontend.