An overview of SSO integration with the Rehearsal platform
Section 1: Introduction
This document’s purpose is to provide key information regarding the integration points between the Rehearsal platform and a customer’s SSO security domain using SAML 2.0.
Section 2: SSO Integration Options and User Information
When integrating SSO with Rehearsal there are a couple of initial decisions that need to be made regarding information that will be passed between the systems. Our SSO integration allows you to provide basic user information for authentication and optionally the ability to pass additional information that can be used to configure the system automatically.
Section 2.1: Basic User Information (Required)
The basic user information required by the rehearsal system is as follows:
- Email Address
- First Name
- Last Name
- EmployeeID (or unique ID of employee)
Section 2.2: Additional User Information
Additional user information can be passed to enhance reporting, searching, and overall user management.
The additional information is as follows:
| Title | title of the user |
| Country | country of the user |
| Region | region of the user |
| Territory | territory of the user |
| Department | department of the user |
| Location | location of the user |
Section 2.3: User Relationships
The Rehearsal platform allows you to pass additional information regarding group membership and mentoring relationships. This is NOT required and can also be set up at a later date.
| User Specific Mentors | The Rehearsal platform allows you to pass email addresses of users or Employee ID's (also known as Enterprise ID or World Wide ID) that have been provided using the NameID assertion that should be set up as a User Specific Mentors of the user. |
| Mentee of Users | These are users who will be setup as a mentee of the user. |
| Mentor of Users |
These are users who will be setup as a mentor for the user. |
Important: Users must have an account within the Rehearsal platform prior to logging in unless Automatic User Provisioning is enabled.
| Group Membership |
The Rehearsal platform allows you to pass group names where the user should be added. You have two options for group membership. |
| Member of Groups |
These are groups where you want the user added as a learner. |
| Mentor of Groups |
These are groups where you want the user added as a mentor. |
Note: Groups are automatically created if they don't exist in the Rehearsal site ahead of time.
Section 2.4: Relationship Claims
Your SSO Integration will only add the details under specific claims affected and how they will work with your integration.
| Member of | The platform will add the user as a learner to the listed groups, however it will not remove the user from any other groups. |
| Mentor of | The platform will add the user as a mentor to the listed groups, however it will not remove the user as a mentor from any other groups. |
| User Specific Mentors | The platform will add the additional user specific mentors to the user's profile, however it will not remove existing user specific mentor. |
Section 2.5: User Tags
The Rehearsal system allows you to pass any additional information regarding the user and will add the information as tags for the user. Passing additional information is NOT required and can also be set up at a later date.
As an example, you can pass Country, Department, Title, and the system will create a tag for each (Country:US, Departments:Sales, Title:Account Manager respectively). Passing multiple tags requires additional configuration prior to launch to identify the SAML Attributes that will translate to unique tags.
Section 3.0: SSO Configuration and Testing Process
This section outlines the general SSO process we will follow to get your Rehearsal site configured for SSO and tested.
| 1. Initial Meeting |
|
| 2. Staging Configuration |
|
| 3. Staging Test |
|
| 4. Production Configuration |
|
| 5. Go-Live |
|
Section 4.0: SAML Assertion
Section 4.1: Subject Element
SAML assertions with Rehearsal are made about a subject, represented by the <saml:Subject> element in the assertions which identifies the authenticated principal. This element contains the <saml:NameID> element, which should be a unique property of the user that will never change. An employee ID is a good candidate for this property.
Example SAML assertion showing the <saml:NameID> element:
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XXMLSchema"
ID="_d71a3aBe9fcc45c9e9d248ef7049393fc8f04e5f75"
Version="2.0"
IssueInstant="2004-12-05T09:22:05Z">
<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
<saml:Subject>
<saml:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
3f7b3dcf-1674-4ecd-92c8-1544f346baf8
</saml:NameID>
...
Note: The SAML assertion above is truncated and for illustrative purposes only. Yours may differ.
Section 4.2: Supported Attribute Assertions
A SAML attribute assertion contains information about a user in the form of a series of attributes.
Important: The emailaddress attribute is required by Rehearsal and ALL
attribute assertion keys must be lowercase. The only exception is the subject which is 'NameID'.
|
Attribute Key |
Usage |
Example Value |
|
emailaddress |
|
sam.jones@rehearsal.com |
|
firstname |
|
Sam |
|
lastname |
|
Jones |
|
title |
|
Client Services |
|
country |
|
US |
|
region |
|
West |
|
territory |
|
Northwest |
|
department |
|
CS |
|
location |
|
Reno |
|
menteeofusers |
|
mentee1@rehearsal.com |
|
mentorofusers |
|
mentee2@rehearsal.com |
|
memberofgroups |
|
GroupNameB, GroupNameC |
|
mentorofgroups |
|
GroupNameA |
|
tag |
“customtagattribute1,customtagattribute2" |
Country:US |
Section 5.0: Additional Features
Section 5.1: Automatic User Provisioning
One additional feature that can be enabled after SSO has been configured and tested successfully is SSO User-Provisioning. This allows for users that do not have a profile in the Rehearsal platform to authenticate via SSO and have a profile automatically created for them in the Rehearsal platform. This profile will be created from the attribute key values that are passed at the time of authentication via SSO.
To enable Automatic User-Provisioning, navigate to the 'Subscriptions' tab within your Rehearsal site. Towards the top of the page, just above the number of seats available for the site, you will see a toggle for 'SSO user-provisioning'. Toggle it to the ON position. Once enabled, you will be given a drop-down selection for the subscription you would like users to be automatically provisioned into, select a subscription to complete the set-up.