CornerStone On Demand (CSOD) allows one to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
To work with LL::NG it requires:
You should have configured LL::NG as an SAML Identity Provider,
Now we will add CSOD as a new SAML Service Provider:
New service provider
.Email
in Options
» Authentication Response
» Default NameID format
Metadata
, and unprotect the field to paste the following value:<md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> Base64 encoded CSOD certificate </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompanyid.csod.com/samldefault.aspx" index="1" /> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> </SPSSODescriptor> </md:EntityDescriptor>
AssertionConsumerService
markup, parameter Location
) into your CSOD company ID and put the certificate value inside the ds:X509Certificate markup
CSOD needs two things to configure LL::NG as an IDP:
See SAML security parameters to know how generate a certificate from you SAML private key.
You need to use the IDP initiated feature of LL::NG. Just call this URL:
https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com