CourseMill provides the connections to integrate with an LDAP/AD (Lightweight Directory Access Protocol/Active Directory) configuration to achieve single sign-on and generate user accounts.
Configuration of LDAP/AD typically requires the client's Information Technology personnel to work directly with the ELB Learning CourseMill programming staff, as LDAP/AD configuration can vary based on your corporate policy.
To begin the development of a data map between LDAP/AD and CourseMill, configure these LDAP-related properties.
For details about configuring properties, see Adding and managing properties.
Property | Description | Default
---|---|---
LDAPAutoAddUsers | Specifies whether to allow newly authenticated users to be automatically added to the CourseMill database. | 0 or No = Prevent new users from being added (default); 1 or Yes = Allow new users to be added
LDAPBase | Specifies the base directory lookup string. | Examples: OU=User Accounts DC=US DC=server DC=net
LDAPConnectionsSSO | Specifies whether you are using LDAP solely for SSO (checking user name and password), but not for importing data. | Value is Yes or No
LDAPDisplayAsStudentID | Specifies which entry in the active directory will be displayed in CourseMill as their student ID. | Field in ldapLDAPLookup (default)
LDAPDN | Specifies the Directory Name entry needed to logon to the active directory. | Examples: CN=Administrator CN=Users DC=trivantisdevtest DC=local
LDAPIgnorePassword | Only used in LDAP – only need this when using LDAP with SSO | Value is Yes or No
LDAPLookup | Specifies the field in active directory entry to which the user login synchronizes. | uid (default)
LDAPOrgID | Specifies which entry in the active directory maps to the user's Org ID or the default value to use for a new student's Org ID. | Field in the LDAP directory – if this is blank see the notes below.
LDAPPassword | The password for Directory Name. |
LDAPPort | Specifies the port to access the Active Directory. | 389 (default)
LDAPServer | Specifies the Active Directory server (either the IP address or domain name). |
LDAPSubOrg0 – 15 | Specifies which entry in the Active Directory maps to the user's Sub-Org values (optional). |
LDAPUseActiveUser | Yes = It will only use active LDAP users. No = It will use all users. | Yes or no
LDAPUseJNDI | Internal setting that tells CourseMill to use the Java Naming and Directory Interface when performing Active Directory validations instead of more traditional lookup methods. | Yes (default)
Example 1
LDAPServer LDAPPort LDAPDN LDAPConnectionsSSO LDAPPassword LDAPIgnorePassword LDAPBase LDAPLookup LDAPDisplayAsStudentID LDAPOrgID LDAPAutoAddUsers LDAPUseActiveUser |
ldap-mi.server.com |
Example 2
LDAPServer LDAPPort LDAPDN LDAPConnectionsSSO LDAPPassword LDAPIgnorePassword LDAPBase LDAPLookup LDAPDisplayAsStudentID LDAPOrgID LDAPAutoAddUsers LDAPUseActiveUser |
192.168.0.21 |
Example 3
LDAPServer LDAPPort LDAPDN LDAPConnectionsSSO LDAPPassword LDAPIgnorePassword LDAPBase LDAPLookup LDAPDisplayAsStudentID LDAPOrgID LDAPAutoAddUsers LDAPUseActiveUser |
ldap-us.server.net |
When a user specifies his or her user ID, CourseMill will first attempt to find that user ID in Active Directory. If it is not there, the user cannot sign in.
If the user ID is correct, then CourseMill will check the password that was keyed in to see if it matches the password in Active Directory. If not, the user cannot sign in.
If the user ID and password authenticate in Active Directory, then CourseMill checks to see if the user is active in Active Directory. If the user is not active, the user cannot sign in.
If all attempts to authenticate pass without failure, and the user is not already in the database, CourseMill will add the user along with the email address, and all sub-org values, if passed by Active Directory.
If all attempts to authenticate pass without failure, and the user is in the database, then CourseMill will update the user information with the email address, and all sub-org values, if passed by Active Directory. It will not update any other fields that might have been manually added to that user (permissions, personal info, and so on).
A good tool for testing and troubleshooting the connection strings for LDAP is http://jxplorer.org/. Use the Help provided for details about using the tool.
You can create a single sign-on with CourseMill in one of two ways:
Creating a single sign-on solution with CourseMill is as simple as passing a user’s username and password to the CourseMill system. These variables, among many others, can be sent to the userlogin.jsp page on the CourseMill server.
If a user is logged into the company intranet or portal, a link to CourseMill can be created that, once clicked, will pull the user’s login information from the intranet or portal and pass that over to CourseMill using either a GET or POST method. An example of passing a user’s credentials using a GET method is as follows:
http://yourcmserver.com/coursemill/userlogin.jsp?user=coursemilluser&password=mypassword&firstname=John&lastname=Smith
Using the above link will log John Smith into the CourseMill instance on http://yourcmserver.com.
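A GET request places its parameters in the URL, so they are written to the web server's access log. The following added example (not part of the CourseMill documentation or product code) scans log lines for userlogin.jsp requests that carry password, newPwd, regPwd or enrollPwd in the query string and returns them with the values redacted. The Common Log Format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Password-bearing userlogin.jsp parameters named on this page (lower-cased).
SECRET_PARAMS = {"password", "newpwd", "regpwd", "enrollpwd"}

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_exposed_logins(log_lines):
    """Return (line_number, user, redacted_target) for each userlogin.jsp
    request whose query string carries a password-type parameter."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if not target.path.lower().endswith("/userlogin.jsp"):
            continue
        params = parse_qsl(target.query, keep_blank_values=True)
        if not any(name.lower() in SECRET_PARAMS for name, _ in params):
            continue  # e.g. a POST login: nothing secret in the URL
        user = next((v for n, v in params if n.lower() == "user"), None)
        redacted = urlencode(
            [(n, "REDACTED" if n.lower() in SECRET_PARAMS else v) for n, v in params]
        )
        findings.append((number, user, f"{target.path}?{redacted}"))
    return findings


# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2022:09:14:02 +0000] "GET /coursemill/userlogin.jsp?user=coursemilluser&password=mypassword&firstname=John&lastname=Smith HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Mar/2022:09:15:40 +0000] "POST /coursemill/userlogin.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2022:09:16:11 +0000] "GET /coursemill/userlogin.jsp?user=jdoe&courseCurrID=101&enrollPwd=abc123 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2022:09:17:30 +0000] "GET /coursemill/home.jsp?password=x HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for number, user, target in find_exposed_logins(SAMPLE_LOG):
        print(f"line {number}: user={user} {target}")
```

The redacted target can be written back in place of the original request line when sanitising archived logs.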
Listed below is a portion of userlogin.jsp that shows which parameters can be passed to CourseMill:
Using LDAP or SAML, when configured properly, the user gets authenticated against the Active Directory either through the web browser or through the company’s infrastructure. CourseMill will then pull the attributes of the authenticated user out of the browser session. In all cases, the work to pull the user’s credentials is actually accomplished in the userlogin.jsp file by either using SAML Authentication or using Windows Active Directory Authentication. (When SAML – Security Authentication Markup Language – is used, the authentication method inserts a SAMLResponse token into the browser session.)
Required parameters:
user | User ID of the person to log-in |
password | Password of the person to log-in |
Optional check for user in launched content parameters:
checkIfUserInContent | If this parameter is passed, a check will be made to see if CourseMill can detect whether the user already has launched content open. This parameter overrides all the following optional parameters. |
Optional enrollment/launch parameters:
courseCurrID | ID of the course or curriculum to be accessed (if not supplied, no enrollment/launch occurs). |
currFlag | Flag that indicates whether the above field is a curriculum. Default is n. |
enrollFlag | Flag that determines if the student should be auto-enrolled into this curriculum/course. Default is n. |
enrollPwd | Access code for enrollment (if needed). |
sessionID | Session ID (use to specify a particular session of the course for enrollment). This field is ignored if currFlag is set to y. |
Optional registration parameters (if enrollment is desired, need to pass firstName, lastName, and orgId):
orgId | Organization to enroll in (if your database has more than one) |
firstName | First name of the user |
lastName | Last name of the user |
middleInitial | Middle initial (if one) |
Email (if email is required) |
|
regPwd | Registration password (if required for organization) |
newPwd | New password if the password is to be changed from the current password |
SubOrg0-15 | The suborg values |
Optional user profile parameters:
fromSC | Flag that indicates where to go to after login (checkout versus home screen) |
address | The address of the user |
city | The city of the user |
state | The state of the user |
zip | The zip code of the user |
country | The country of the user |
phone | Phone number for the user. |
suborg0-15 | Each of the suborg values (for example suborg0, suborg1, suborg2, …) |