Configure OpenID SSO for TalentLMS

These steps show you how to configure the single sign-on (SSO) functionality using OpenID to TalentLMS from ManageEngine ADSelfService Plus.

Prerequisites

1. Login to ADSelfService Plus as Super admin.
2. Go to Configuration > Password Sync/ Single Sign On and click Add Application. Select TalentLMS from the list.
Note: You can also use the search bar, in the top-left, to search for the application.
3. Click on IdP Details and select SSO (OAuth/OpenID Connect) tab.
4. Copy Client ID, Client Secret, Authorization Endpoint URL, Token Endpoint URL, and User Endpoint URL.

TalentLMS (service provider) configuration steps

1. Login to TalentLMS account with admin credentials.
2. Go to Home → Account & Settings → Users and click Single Sign-On (SSO).

3. Select the SSO Integration Type as OpenID Connect from the drop-down list.

4. Enter the following fields with corresponding details copied in the step 4 of Prerequisites:
• Client id: Client ID
• Client secret: Client Secret
• Token endpoint: Token endpoint URL
• User info endpoint: User Endpoint URL
• Authorization endpoint: Authorization Endpoint URL

5. Fill in the following fields as mentioned below:
• Username: sub
• First name: first_name
• Last name: last_name
• Email: email
• Scope: openid email profile
6. Click Save and check your configuration.
7. Now, you need to copy the Authorized redirect URL from TalentLMS to configure ADSelfService Plus.

ADSelfService Plus (identity provider) configuration steps

Switch back to ADSelfService Plus' TalentLMS configuration page.

Enter the Application Name and Description as per your preference.

Enter the Domain Name of your TalentLMS account. For example, if your TalentLMS username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.

1. In the Assign Policies field, select the policies for which SSO need to be enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
2. Under the SSO tab, select Enable Single Sign-On.
3. Choose OAuth/OpenID Connect from the Select Method drop-down.
4. Enter the TalentLMS portal's login URL in the SP Login Initiate URL field.
Note: TalentLMS requires sign-in to begin from their login page, known as SP-initiated login. Users are first directed to the TalentLMS login page, specified in the SP Login Initiate URL field, after which TalentLMS (the SP) redirects them to ADSelfService Plus (the IdP) for authentication.
5. Enter the Redirect URL copied in Step 7 of configuring TalentLMS in the SSO Redirect URL field.
6. Using the Scopes drop-down, select openid, which is the scope required for OIDC authentication. You can also specify scopes such as profile or email to include extra user information in the authorization request.
Note: Scopes specify the level of access the access token has. They are typically included in the authorization request. Specify the scopes for which you wish to allow access to your authorization token, using the drop-down.
7. Click Add Application to save the configuration.

The Well-known Configuration URL in the IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes, and client details. This is enabled only after you finish configuring the application for SSO in ADSelfService Plus. You can provide this to your service provider if required.