Technical Requirements and Troubleshooting
  1. ELB Learning Knowledge Base
  2. Rehearsal
  3. Technical Requirements and Troubleshooting

Rehearsal: SSO Overview

An overview of SSO integration with the Rehearsal platform

Section 1: Introduction

This document’s purpose is to provide key information regarding the integration points between the Rehearsal platform and a customer’s SSO security domain using SAML 2.0.

Section 2: SSO Integration Options and User Information

When integrating SSO with Rehearsal there are a couple of initial decisions that need to be made regarding information that will be passed between the systems. Our SSO integration allows you to provide basic user information for authentication and optionally the ability to pass additional information that can be used to configure the system automatically.

Section 2.1: Basic User Information (Required)

The basic user information required by the rehearsal system is as follows:

  • Email Address
  • First Name
  • Last Name
  • EmployeeID (or unique ID of employee)

Section 2.2: Additional User Information

Additional user information can be passed to enhance reporting, searching, and overall user management.

The additional information is as follows:

  Title     title of the user 
  Country     country of the user  
  Region     region of the user  
  Territory     territory of the user  
  Department     department of the user  
  Location     location of the user  

 

 

 

 

 

Section 2.3: User Relationships

The Rehearsal platform allows you to pass additional information regarding group membership and mentoring relationships. This is NOT required and can also be set up at a later date.

User Specific Mentors The Rehearsal platform allows you to pass email addresses of users or Employee ID's (also known as Enterprise ID or World Wide ID) that have been provided using the NameID assertion that should be set up as a User Specific Mentors of the user.
Mentee of Users These are users who will be setup as a mentee of the user.
Mentor of Users

These are users who will be setup as a mentor for the user.

Important: Users must have an account within the Rehearsal platform prior to logging in unless Automatic User Provisioning is enabled.

 

 

Group Membership
The Rehearsal platform allows you to pass group names where the user should be added. You have two options for group membership.
Member of Groups
These are groups where you want the user added as a learner.
Mentor of Groups
These are groups where you want the user added as a mentor.

Note: Groups are automatically created if they don't exist in the Rehearsal site ahead of time.

Section 2.4: Relationship Claims

Your SSO Integration will only add the details under specific claims affected and how they will work with your integration.

Member of The platform will add the user as a learner to the listed groups, however it will not remove the user from any other groups.
Mentor of The platform will add the user as a mentor to the listed groups, however it will not remove the user as a mentor from any other groups.
User Specific Mentors The platform will add the additional user specific mentors to the user's profile, however it will not remove existing user specific mentor.

Section 2.5: User Tags

The Rehearsal system allows you to pass any additional information regarding the user and will add the information as tags for the user. Passing additional information is NOT required and can also be set up at a later date.

As an example, you can pass Country, Department, Title, and the system will create a tag for each (Country:US, Departments:Sales, Title:Account Manager respectively). Passing multiple tags requires additional configuration prior to launch to identify the SAML Attributes that will translate to unique tags.

Section 3.0: SSO Configuration and Testing Process

This section outlines the general SSO process we will follow to get your Rehearsal site configured for SSO and tested.

   1. Initial Meeting  
  • Discuss the Rehearsal SSO configuration.
  • Technical teams to discuss needs and ask questions.
   2. Staging Configuration  
  • Rehearsal creates staging site.
  • Rehearsal provides staging site SAML metadata to customer.
  • Customer adds Rehearsal as Service Provider in SSO system.
  • Customer provides SSO staging configuration data to Rehearsal.
   3. Staging Test  
  • Customer tests the Staging Site with 3-5 users.
  • Rehearsal verifies configuration with customer.
   4. Production Configuration  
  • Rehearsal provides production site SAML metadata to customer.
  • Customer adds Rehearsal as Service Provider in SSO system.
  • Customer provides SSO production configuration data to Rehearsal.
   5. Go-Live  
  • Customer establishes a go-live time/date.
  • Customer conducts an immediate test upon go-live.

Section 4.0: SAML Assertion

Section 4.1: Subject Element

SAML assertions with Rehearsal are made about a subject, represented by the <saml:Subject> element in the assertions which identifies the authenticated principal. This element contains the <saml:NameID> element, which should be a unique property of the user that will never change. An employee ID is a good candidate for this property.

Example SAML assertion showing the <saml:NameID> element:

<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XXMLSchema"
ID="_d71a3aBe9fcc45c9e9d248ef7049393fc8f04e5f75"
Version="2.0"
IssueInstant="2004-12-05T09:22:05Z">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
...

Note: The SAML assertion above is truncated and for illustrative purposes only. Yours may differ.

Section 4.2: Supported Attribute Assertions

A SAML attribute assertion contains information about a user in the form of a series of attributes.

Important: The emailaddress attribute is required by Rehearsal and ALL
attribute assertion keys must be lowercase. The only exception is the subject which is 'NameID'.

Attribute Key

Usage

Example Value

emailaddress

  • email address of the user
  • Accepts a single valid email string
sam.jones@rehearsal.com

firstname

  • First Name of the user
  • Accepts a single string
Sam

lastname

  • Last Name of the user
  • Accepts a single string
Jones

title

  • Title of the user
  • Accepts a single string
Client Services

country

  • Country of the user
  • Accepts a single string
US

region

  • Region of the user
  • Accepts a single string
West

territory

  • Territory of the user
  • Accepts a single string
Northwest

department

  • Department of the user
  • Accepts a single string
CS

location

  • Location of the user
  • Accepts a single string
Reno

menteeofusers

  • Email Addresses of users that are specific mentors of the user
  • Accepts a string of comma separated email addresses
  • Rule: If a user specific mentor is not present the user is created in the system
mentee1@rehearsal.com

mentorofusers

  • Email Addresses of users that are specific mentees of the user
  • Accepts a string of comma separated email addresses
  • Rule: If a user specific mentor is not present the user is created in the system
mentee2@rehearsal.com

memberofgroups

  • Groups where the user is to be added as a learner of the group
  • Accepts a string of comma separated group names
  • If a group doesn’t exist the group will be created in the system
GroupNameB, GroupNameC

mentorofgroups

  • Groups where the user is to be added as a mentor of the group
  • Accepts a string of comma separated group names
  • If a group doesn’t exist the group will be created in the system
GroupNameA

tag

  • Accepts a string of comma separated values
  • Each value will be treated as a separate tag.
  • If a tag doesn't already exist it will be added to the user's profile.
Example:
“customtagattribute1,customtagattribute2" 
will be added to the user as two separate
tags “customtagattribute1” and
“customtagattribute2”.
Country:US

Departments:Sales

Title:Account Manager

Section 5.0: Additional Features

Section 5.1: Automatic User Provisioning

One additional feature that can be enabled after SSO has been configured and tested successfully is SSO User-Provisioning. This allows for users that do not have a profile in the Rehearsal platform to authenticate via SSO and have a profile automatically created for them in the Rehearsal platform. This profile will be created from the attribute key values that are passed at the time of authentication via SSO.

To enable Automatic User-Provisioning, navigate to the 'Subscriptions' tab within your Rehearsal site. Towards the top of the page, just above the number of seats available for the site, you will see a toggle for 'SSO user-provisioning'. Toggle it to the ON position. Once enabled, you will be given a drop-down selection for the subscription you would like users to be automatically provisioned into, select a subscription to complete the set-up.