Centrify Single Sign-On (SSO) Integration Guide

Gretchen

This guide explains how to set up Centrify Single Sign-On (SSO) so your users can access Emtrain with their existing login credentials, rather than a separate login process.

Requirements

These are the requirements for using the Centrify/Emtrain SSO integration:

  • An active Emtrain account.
  • A unique email address for every user.
  • An active Centrify account.
  • A valid email address for all users in Centrify.
  • The API key for your account: Obtain your API key by navigating to Site Config from the Manage Menu. Select the Integrations tab and then the option to Enable SSO.

Each of your users’ email addresses in Emtrain must match their primary email address in Centrify.

Once you save the integration, username and password authentication will be disabled on your Emtrain account. This means that when you or your team members go to access your Emtrain account, you'll be redirected to complete the SSO authentication process instead of entering a username and password.

This change happens immediately after you complete the integration setup, so make sure your team is prepared for the new login process.

The SSO integration uses the SAML 2.0 protocol. Setup consists of creating a custom SAML web app in Centrify, then entering the Single Sign-On URL and X.509 certificate that Centrify generates for that app into the SSO configuration form in your Emtrain account.

Creating the Custom SAML Web Application

Access the Web Apps section in your Centrify Admin Portal and add a new custom SAML application:

  1. In the Dashboard of your Centrify Admin Portal, select the Apps menu. Select the Web Apps option from the Apps menu.
  2. Select the Add Web Apps button.
  3. On the Add Web Apps dialogue, select the Custom tab. Find the SAML Template and select the Add button.
  4. Select Yes when asked "Do you want to add this application?"

Settings

Configure the basic application details including name, description, and logo for your Emtrain SAML integration: 

  1. On the Settings page, enter "Emtrain" in the Name field.
  2. Enter a relevant description in the Description field.
  3. Upload an Emtrain logo for the Logo.
  4. Select the Save button.

Trust

Select the Trust link in the application sidebar to open the Trust configuration. On this page you will obtain some information needed to enable SSO on your Emtrain account:

Identity Provider

  1. In the Identity Provider section, select the Manual Configuration radio button.
  2. Copy the Single Sign-On URL.
  3. Download the SHA256 Tenant Signing Certificate.

Keep this information handy. You will need to use this information later when configuring your Emtrain account to use the SAML web application.

Service Provider Configuration

Before starting this step, construct the following account-specific URLs by replacing yourcompany and [your account API key] with the appropriate details from your Emtrain account:

  • SP entity ID/Issuer/Audience: https://yourcompany.app.emtrain.com/home
  • Assertion Consumer Service (ACS) URL: https://yourcompany.ai-api.emtrain.com/authentication/saml?API_KEY=[your account API key]
  • Relay State: https://yourcompany.app.emtrain.com/saml

  1. Scroll down to the Service Provider Configuration section and select the Manual Configuration radio button.
  2. Enter each of the URLs you constructed in the previous step into their corresponding field.
  3. For the Recipient field, leave the "Same as ACS URL" checkbox checked.
  4. Select the Save button.

SAML Response

Create the required SAML attributes that will pass user information from Centrify to Emtrain during authentication.

The attribute names are case-sensitive, so enter them as displayed in the steps shown below!

  1. Select the SAML Response link in the application sidebar to start creating the custom SAML attributes used in the SAML workflow.
  2. Select the Add button.
  3. Create the API_KEY attribute. This attribute takes a static value—your Emtrain account API key—so simply paste that in the text field. Use all capital letters when entering the Attribute Name.
  4. Create attributes for the 3 fields: Email, FirstName, and LastName, and map the Attribute Values to the appropriate LoginUser field. Refer to the table below for the exact values.
  5. When you've created all 4 attributes, select the Save button.

SAML attribute reference

These attributes map specific user data fields between your Centrify and Emtrain accounts.

| Attribute Name | Attribute Value |
|---|---|
| API_KEY | Your Emtrain account’s API key. |
| Email | LoginUser.Email: Select Email from the LoginUser dropdown menu. |
| FirstName | LoginUser.FirstName: Select FirstName from the LoginUser dropdown menu. |
| LastName | LoginUser.LastName: Select LastName from the LoginUser dropdown menu. |
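
A check for the Service Provider and SAML Response settings above, as an added example (not Emtrain's or Centrify's code): it decodes a SAMLResponse captured during a test login and reports misspelled or missing attribute names and Audience/Recipient mismatches. The function names, the placeholder API key and the constructed sample response are assumptions for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("API_KEY", "Email", "FirstName", "LastName")  # exact, case-sensitive
# Placeholder values in the shape this guide gives (yourcompany, key not real).
ENTITY_ID = "https://yourcompany.app.emtrain.com/home"
ACS_URL = "https://yourcompany.ai-api.emtrain.com/authentication/saml?API_KEY=PLACEHOLDER"


def check_saml_response(response_b64, entity_id=ENTITY_ID, acs_url=ACS_URL):
    # Inspection only: the signature is not verified, so run this on a response
    # captured from your own test login, never as an authentication check.
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    for want in REQUIRED:
        if want in names:
            continue
        near = [n for n in names if n and n.lower() == want.lower()]
        if near:
            problems.append(f"attribute {near[0]!r} must be named exactly {want!r}")
        else:
            problems.append(f"attribute {want!r} is missing")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not match the SP entity ID")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        # The ACS URL carries the API key, so the message never echoes it.
        problems.append("Recipient does not match the ACS URL")
    return problems


def build_sample(attr_names, audience=ENTITY_ID, recipient=ACS_URL):
    """Constructed, unsigned response for demonstration (not Centrify output)."""
    attrs = "".join(f'<saml:Attribute Name="{n}"/>' for n in attr_names)
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        '<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData '
        f'Recipient="{recipient}"/></saml:SubjectConfirmation></saml:Subject>'
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the captured response carries all four attribute names and the expected Audience and Recipient; it says nothing about whether the signature is valid.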

Permissions

Select the Permissions link in the application sidebar to add the SAML web app you just created to your set of test users. This step is not necessary, but it helps prepare you for testing the application once your Emtrain account has been configured to use the SAML web app.

  1. Select the Add button.
  2. Select any users, groups, and/or roles that you plan to use for testing, then select the Add button.

Enabling SSO in Your Emtrain Account

Configure your Emtrain account to accept Centrify SAML authentication by entering the certificate and Single Sign-On URL from your Centrify application: 

  1. Log in to your Emtrain account as your Account Administrator user.
  2. Navigate to Site Config via the Manage menu.
  3. Select the Integrations tab.
  4. Check the box to Enable SSO.
  5. Select Centrify as the SSO provider.
  6. Paste the contents of the certificate in the Certificate text field. Include only the certificate value. Do not include the “Begin” and “End” lines: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
  7. Paste the Centrify Single Sign-On URL value into the SSO Entry Point text field.
  8. Optionally, if you wish to redirect your users to a specific URL when they log out of Emtrain, enter that URL in the SSO Logout Redirect URL text field. If this field is left blank, users will be redirected to an Emtrain Logged Out page upon logging out.
  9. Select the Save button to finalize the integration.

We offer Just-in-Time (JIT) provisioning, which works with SSO. This enables automatic user profile creation the first time a user logs into Emtrain via SSO. Learn about Just-in-Time Provisioning with SSO.

Testing SSO

Verify that users can successfully authenticate through Centrify and access their Emtrain account:

  1. In Centrify, assign the application to the test user(s) if you have not already done so.
  2. In Emtrain, create user(s) with the same email address as the test user(s). The email address is used as the identifier to match the email address on the SAML assertion to a user on the Emtrain account and must match in both platforms.
  3. The test user should test the application tile in their Centrify SSO portal and verify that they are logged in to Emtrain as their test user.
  4. The test user should open a new Incognito/Private browsing session and visit the Emtrain account home URL. The user should be redirected to the Centrify SSO URL and prompted to log in to their Centrify account.
  5. After logging into Centrify, the user should be redirected to Emtrain.

How Users Log into Emtrain

Be sure to assign the Emtrain app to all users via Centrify. We recommend working with your IT team to assign access just before you deploy training (e.g. fewer than 12 hours prior) to prevent users from exploring Emtrain too soon.

As long as users are signed into your SSO, they can access Emtrain:

  • Through the Emtrain tile in your Single Sign-On access panel.
  • Via links in notification emails.
  • From your account URL.

If a user isn’t yet signed into SSO, they’ll be redirected to your SSO login.
