Single sign-on, or SSO, enables learners who are signed in to their enterprise LMS or other system to easily register and enroll in courses on edX without needing to sign in or maintain an additional set of credentials. edX for Business uses SAML 2.0 to implement SSO between an enterprise system and edX.org.
Implementing SSO using SAML
In an exchange of authentication and authorization data using SAML, an identity provider (IdP) securely asserts the identity and access rights of a set of users to a service provider (SP) that allows access to users on the basis of the credentials provided by the identity provider. In the context of edX for Business, your enterprise represents the identity provider, and edX represents the service provider. To use SAML for SSO with edX for Business, your identity provider must use the SAML 2.0 standard for authentication.
To setup the integration between your SAML IdP and edX, will need to have the following information:
- IdP Metadata: The URL for your SAML Identity Provider metadata XML file. See Exchanging Metadata.
- User Attributes: A list of the values that your SAML system asserts when users sign in to edX. For more information about how you can work with edX to configure user attributes effectively, see Configuring User Attributes.
If you will be setting up SSO in both your test and production systems, you will need Metadata XML files/attributes, and 2 edX configurations in order to validate the integration.
Getting Started
To create a new SSO configuration, you will need administrator access to your organization's edX Admin Portal. SSO configuration can be found in the left side menu under "Settings". To set up a new SSO integration click the (+). If you do not have this tab available, please reach out to your Customer Success Representative.
1) Input your Identity Provider Metadata
Begin by selecting your Identity Provider (If you don't see yours listed select “other”) Next, enter the Identity Provider Metadata URL or upload the Identity Provider Metadata XML file.
2) Configuring User Attributes
A SAML identity provider sends a set of user attributes in an assertion document each time it interacts with a SAML service provider. By default, edX expects that the assertion document will include at least the following user attributes:
| Attribute | Name | URN |
| User identifier | userid | urn:oid:0.9.2342.19200300.100.1.1 |
| Full name | commonName | urn:oid:2.5.4.3 |
| First name | givenName | urn:oid:2.5.4.42 |
| Last name | surname | urn:oid:2.5.4.4 |
| Suggested username | userid | urn:oid:0.9.2342.19200300.100.1.1 |
| Email address | urn:oid:0.9.2342.19200300.100.1.3 | |
| Country | country |
urn:oid:0.9.2342.19200300.100.1.43 |
If your identity provider is configured to send attributes under a name other than the defaults listed above, configure the names that should be expected on each login.
3) Add edX as a SAML Service Provider
Download the edX Service Provider metadata XML file and upload it to your system's SSO configuration to authorize edX as Service Provider. Once edX has been configured as a Service Provider, check the box and continue to testing. It may take a few minutes for setup to complete, so look for an email in your inbox letting you know that it is time to test.
4) Test the SSO Connection
Use an incognito browser to validate the SSO connection for edX. If possible, screen record your test and share with your Customer Success Representative if you run into any issues.