Through SAP Litmos' SAML 2.0 integration, organizations utilizing SAP's Identity Authentication Service can, through an IdP Initiated flow, authenticate into SAP Litmos.
Here are the steps for configuring the SAP Identity Authentication Service to utilize SAML with Litmos. Please note that this article does not cover user management and access to the application or identity tenant; those questions can be answered in the SAP Help Portal.
You will need both administrative access to the SAP Identity Management application and Account Owner access within the SAP Litmos application to proceed with these steps.
1. Start with two windows, one for the SAP Identity Authentication Service and the second for the SAP Litmos application. You will need to switch between the two a couple of times during this process.
2. The first step is to create a new application in the SAP Identity Authentication Service for the SAP Litmos Service Provider via "Application & Settings" > "Applications" > "+ Add". The name can be whatever you desire and can be updated at any time.
3. Next, verify that the "Type" is listed as "SAML 2.0" and proceed by opening the "SAML 2.0 Configuration" menu.
4. In your Litmos window, access the "Account Settings" > "Integrations" > "SAML 2.0" menu and copy your SAML Endpoint. You will use this value for the "Name" and "Assertion Consumer Service Endpoint" values found on the "SAML 2.0 Configuration" page within the Identity Management app.
5. Next, scroll to the bottom of that same page, set the "Algorithm" drop-down to "SHA-256" and save.
6. You will then be brought back to the application menu, where you can select "Subject Name Identifier" to choose the value that will pass as NameID. We recommend using the email address, but otherwise we support any string that meets our username requirements.
7. Upon saving, you can now map your assertion attribute values by selecting "Assertion Attributes" and adding supported fields found in this article. The screenshot and list provided show the minimum fields required. Please ensure that the case matches exactly, as your assertion will fail if there are any discrepancies.
8. The final portion of this configuration will require you to download the IdP metadata from within the SAP Identity Authentication Service and insert it into your Litmos instance. You can find the metadata within the "Applications & Resources" > "Tenant Settings" > "SAML 2.0 Configuration" page. On your way there, it would be ideal to also enable "IdP-Initiated SSO" so that you do not forget later, as this is required for this application to function.
9. Once downloaded, open the XML file in a plain text editor such as Notepad within Windows to ensure that no formatting is copied. Copy all of the text except for the first tag that contains "<?xml version="1.0" encoding="UTF-8"?>" and paste it into your "SAML 2.0" tile found in your Litmos Account Settings. Saving that text will enable the integration.
To test your SSO, you will need to format the login URL as shown:
https://**YOUR IDP URL**.com/saml2/idp/sso?sp=https://**YourDomain**.litmos.com/integration/splogin
Please ensure that you have either enabled "Autogenerate Users" or are attempting to sign in as a user that has an active profile within Litmos.
Deep-linking is possible using the following format. Replace the URL parameter values to reflect your IdP-initiated sign-in URL and append the appropriate target URL. Note that RelayState is case sensitive and will not work if the case is incorrect:
https://**YOUR IDP URL**.com/saml2/idp/sso?sp=https://**YourDomain**.litmos.com/integration/splogin&RelayState=https://**YourDomain**.litmos.com/**Destination**
If there are any additional questions or concerns not covered by this document, please reach out to our support team through the email address firstname.lastname@example.org for further assistance.