Working with LDAP and SSO in CourseMill
CourseMill provides the connections to integrate with a customers’ LDAP/AD (Lightweight Directory Access Protocol/Active Directory) configuration to achieve a single sign-on and generate user accounts. Configuration of LDAP/AD typically requires the clients’ Information Technology personnel to work directly with the Trivantis CourseMill programming staff as LDAP/AD configuration can vary based your corporate policy.
Mapping LDAP/AD to CourseMill
Review the configuration settings (listed below) to begin the development of a data map between LDAP/AD and CourseMill. Administrators configure these properties using the Manage Properties task.
| Property |
Description |
Default |
| LDAPAutoAddUsers
|
Specifies whether to allow newly authenticated users to be automatically added to the CourseMill database.
|
0 or No= Prevent new users from being added (default)
1 or Yes = Allow new users to be added
|
| LDAPBase
|
Specifies the base directory lookup string. |
Examples:
OU=User Accounts
DC=US
DC=server
DC=net
|
| LDAPConnectionsSSO
|
Specifies whether you are using LDAP solely for SSO (checking user name and password), but not for importing data. |
Value is Yes or No
|
| LDAPDisplayAsStudentID
|
Specifies which entry in the active directory will be displayed in CourseMill as their student ID. |
Field in ldapLDAPLookup (default)
|
| LDAPDN
|
Specifies the Directory Name entry needed to logon to the active directory. |
Examples:
CN=Administrator
CN=Users
DC=trivantisdevtest
DC=local
|
|
LDAPIgnorePassword
|
Only used in LDAP – only need this when using LDAP with SSO |
Value is Yes or No |
| LDAPLookup
|
Specifies the field in active directory entry to which the user login synchronizes. |
uid (default)
|
| LDAPOrgID
|
Specifies which entry in the active directory maps to the user's Org ID or the default value to use for a new student's Org ID. |
Field in the LDAP directory – if this is blank see the notes below.
|
| LDAPPassword |
The password for Directory Name.
|
|
|
LDAPPort |
Specifies the port to access the Active Directory. |
389 (default)
|
| LDAPServer |
Specifies the Active Directory server (either the IP address or domain name). |
|
|
LDAPSubOrg0 – 15 |
Specifies which entry in the Active Directory maps to the user's Sub-Org values (optional). |
|
|
LDAPUseActiveUser |
Yes = It will only use active LDAP users.
No = It will use all users.
|
Yes or no
|
| LDAPUseJNDI |
Internal setting that tells CourseMill to use the Java
Naming and Directory Interface when performing
Active Directory validations instead of more traditional
lookup methods. |
Yes (default) |
|
-
If the OrgID property is left blank, CourseMill assumes there is only one Org ID in the database
and will load users into that Org ID automatically.
-
If the property is left blank, and there are
multiple Org IDs in the database, CourseMill will not know what organization to put the user in and it will give
you an error.
-
If the user is already in the database under one of multiple orgs, and tries to
authenticate with the Org ID property left blank, the user will still be able to get in – but CourseMill will
not be able to update any information in the user profile.
|
Samples of LDAP Set-up
Example 1
LDAPServer=ldap-mi.server.com
LDAPPort=389
LDAPDN=CN=COURSEMILL-QA,OU=Service Accounts,DC=US,DC=server,DC=net
LDAPConnectionsSSO=no
LDAPPassword=WBT77ygdsdfsdffsdsfdfsa!
LDAPIgnorePassword=no
LDAPBase=OU=User Accounts,DC=US,DC=server,DC=net
LDAPLookup=sAMAccountName
LDAPDisplayAsStudentID=employeeID
LDAPOrgID=company
LDAPAutoAddUsers=true
LDAPUseActiveUser=yes
Example 2
LDAPServer=192.168.0.21
LDAPPort=389
LDAPDN=CN=Administrator,CN=Users,DC=trivantisdevtest,DC=local
LDAPConnectionsSSO=no
LDAPPassword=bocsdfsdasoft
LDAPIgnorePassword=no
LDAPBase=CN=Users,DC=trivantisdevtest,DC=local
LDAPLookup=sAMAccountName
LDAPDisplayAsStudentID=userPrincipalName
LDAPUseActiveUser=yes
Example 3
LDAPServer=ldap-us.server.net
LDAPPort=389
LDAPDN=CN=COURSEMILL-QA,OU=Service Accounts,DC=US,DC=server,DC=net
LDAPConnectionsSSO=no
LDAPPassword=MyPasSwoRd34qwer!
LDAPIgnorePassword=no
LDAPBase=OU=User Accounts,DC=US,DC=server,DC=net
LDAPLookup=sAMAccountName
LDAPDisplayAsStudentID=employeeID
LDAPOrgID=bob
LDAPAutoAddUsers=true
LDAPUseActiveUser=yes
What Happens When A User Logs In
-
When a user enters in their user ID – Coursemill will first attempt to find that userID in Active Directory. If it is not there, the user cannot sign in.
-
If the User ID is correct, then it will check the password that was keyed in to see if it matches the password in Active Directory. If not, the user cannot sign in.
-
If the User ID and Password authenticates in Active Directory, then it checks to see if the user is active in Active Directory. If not, the user cannot sign in.
-
If all attempts to authenticate pass without failure, and the user is not already in the database, then CourseMill will add the user along with the email address, and all sub-org values, if passed by Active Directory.
-
If all attempts to authenticate pass without failure, and the user is in the database, then CourseMill will update the user information with the email address, and all sub-org values, if passed by Active Directory. It will not update any other fields that might have been manually added to that user (permissions, personal info, and so on).
Troubleshooting and Testing
A good tool for testing and troubleshooting the connection strings for LDAP is http://jxplorer.org/ .
Creating a Single Sign-On Solution with CourseMill
This can be accomplished in one of two ways:
-
Creating a single sign-on solution with CourseMill is as simple as passing a user’s username and password to the CourseMill system. These variables, among many others, can be sent to the userlogin.jsp page on the CourseMill server.
If a user is logged into the company intranet or portal, a link to CourseMill can be created that, once clicked, will pull the user’s login information from the intranet or portal and pass that over to CourseMill using either a GET or POST method. An example of passing a user’s credentials using a GET method is as follows:
http://yourcmserver.com/coursemill/userlogin.jsp?user=coursemilluser&password=mypassword &firstname=John&lastname=Smith
By using the above link, it will log John Smith into the CourseMill instance on http://yourcmserver.com.
Below is listed a portion of the userlogin.jsp, displays what parameters can be passed to CourseMill:
-
Using LDAP or SAML, when everything is configured properly, the user gets authenticated against the Active Directory either
through the web browser or through the company’s infrastructure. CourseMill will then pull the
attributes of the authenticated user out of the browser session. In all cases, the work to pull the user’s
credentials is actually accomplished in the userlogin.jsp file by either using SAML Authentication or
using Windows Active Directory Authentication. (When SAML – Security Authentication Markup
Language – is used, the authentication method inserts a SAMLResponse token into the browser session.)
Required Parms:
| user |
User ID of the person to log-in |
| password |
Password of the person to log-in
|
Optional Check For User In Launched Content Parms:
| checkIfUserInContent
|
If this parameter is passed, a check will be made to see if CourseMill can detect whether the user already has launched content open. This parameter overrides all the following optional parameters.
|
Optional Enrollment/Launch Parms:
| courseCurrID |
ID of the course or curriculum to be accessed (if not supplied, no enrollment/launch occurs).
|
| currFlag |
Flag that indicates whether the above field is a curriculum. Default is n.
|
| enrollFlag |
Flag that determines if the student should be auto-enrolled into this curriculum/course. Default is n.
|
| enrollPwd |
Access code for enrollment (if needed).
|
| sessionID |
Session ID (use to specify a particular session of the course for enrollment). This field is ignored if currFlag is set to y.
|
Optional Registration Parms (if enrollment is desired, need to pass firstName, lastName, and orgId ):
| orgId |
Organization to enroll in (if your database has more than one)
|
| firstName |
First name of the user
|
| lastName |
Last name of the user
|
| middleInitial |
Middle initial (if one)
|
| email |
Email (if email is required)
|
| regPwd |
Registration password (if required for organization)
|
| newPwd |
New password if the password is to be changed from the current password
|
| SubOrg0-15 |
The suborg values
|
Optional User Profile Parms:
| fromSC |
Flag that indicates where to go to after login (checkout versus home screen)
|
| address |
The address of the user
|
| city |
The city of the user
|
| state |
The state of the user
|
| zip |
The zip code of the user
|
| country |
The country of the user
|
| phone |
Phone number for the user.
|
| suborg0-15 |
Each of the suborg (example suborg0, suborg1, suborg 2, ….)
|
© Copyright Trivantis Corporation 2015