Cornerstone On Demand
=====================
|image0|
Presentation
------------
`CornerStone On Demand (CSOD) `__
allows one to use SAML to authenticate users. It works by default with
IDP intiated mechanism, but can works with the standard SP initiated
cinematic.
To work with LL::NG it requires:
- An enterprise account
- LL::NG configured as :doc:`SAML Identity Provider<../idpsaml>`
- Registered users on CSOD with the same email than those used by
LL::NG (email will be the NameID exchanged between CSOD and LL::NG)
Configuration
-------------
New Service Provider
~~~~~~~~~~~~~~~~~~~~
You should have configured LL::NG as an
:doc:`SAML Identity Provider<../idpsaml>`,
Now we will add CSOD as a new SAML Service Provider:
#. In Manager, click on SAML service providers and the button
``New service provider``.
#. Set csod as Service Provider name.
#. Set ``Email`` in ``Options`` » ``Authentication Response`` »
``Default NameID format``
#. Select ``Metadata``, and unprotect the field to paste the following
value:
.. code-block:: xml
Base64 encoded CSOD certificate
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
.. attention::
Change **mycompanyid** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your CSOD company ID and put the
certificate value inside the ds:X509Certificate markup
CSOD control panel
~~~~~~~~~~~~~~~~~~
CSOD needs two things to configure LL::NG as an IDP:
- Certificate
- SAML assertion
Certificate
^^^^^^^^^^^
See :doc:`SAML security parameters<../samlservice>` to know how generate
a certificate from you SAML private key.
SAML assertion
^^^^^^^^^^^^^^
You need to use the IDP initiated feature of LL::NG. Just call this URL:
::
https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com
.. |image0| image:: /applications/csod_logo.png
:class: align-center