System Requirements

  • A server running Windows Server 2019/2016/2012 R2
  • AD FS 5.0/4.0/3.0 installed on that server
  • An SSL certificate to sign your ADFS login page and the fingerprint for that certificate
  • An iSpring Learn account
  • An LMS user with the Account Owner or Account Administrator role

This guide covers SAML SSO setup using AD FS 4.0 on Windows Server.

Step 1. Verify AD FS settings

  1. Log in to your AD FS server and launch the AD FS Management Console via the shortcut in Control Panel → System and Security → Administrative Tools.



  2. Right-click on Service and select Edit Federation Service Properties.



  3. Verify that the General settings match your DNS entries and certificate names. Make a note of the Federation Service Identifier, since it is used in the iSpring Learn SAML 2.0 configuration settings.

  4. In the Federation Service name field, use a third-level domain, such as adfs.ispring.com.

Step 2. iSpring Learn Settings

  1. In the AD FS Management Console, browse to the Certificates section.

  2. Right-click on the certificate and select View Certificate.

  3. Go to the Details tab.

  4. Find the Thumbprint field and copy the contents.



  5. Log in to your iSpring Learn account. Then go to Services → SSO Settings and click SAML.



  6. Insert your Thumbprint into the Certificate Fingerprint field and remove all spaces between characters.

  7. In iSpring Learn, on the SSO Integration Settings page, fill in these fields:

    The Sign On URL and Logout URL values may differ, depending on your AD FS installation.

    Issuer URL (IdP Entity ID)

    The URL that uniquely identifies the identity provider service. This value is equal to the Issuer element of the SAML messages the identity provider sends.

    Sign On URL

    This is the identity provider endpoint that handles SAML sign-on requests.

    Logout URL

    This is the identity provider endpoint that handles SAML logout requests.

    Certificate Fingerprint

    This is a short hash of the identity provider's public key certificate. iSpring Learn uses it to verify the digital signature on the SAML messages the identity provider issues. Learn more about certificate fingerprints here.

    Redirect users to the SSO login page

    If this option is enabled, the iSpring login page will have the following URL: https://yourcompany.ispringlearn.com/sso/login.


  8. Click Enable.



  9. Then add a link to the corporate site in the Quick Links section.
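The values Steps 1 and 2 collect by hand (the Federation Service Identifier and the certificate thumbprint with its spaces removed) can also be read straight from the AD FS configuration, which avoids copy-paste mistakes in the fingerprint. The following is an added example, not a script from iSpring or Microsoft; it assumes the thumbprint iSpring Learn needs is that of the primary token-signing certificate (the guide does not say which certificate to open) and that the Logout URL is the /adfs/ls/ endpoint with the wsignout1.0 query string shown in Step 6.

```powershell
# Added example (not part of the iSpring guide): read the values for the iSpring
# Learn SSO settings directly from AD FS. Run in an elevated PowerShell session on
# the AD FS server.
Import-Module ADFS

# Step 1, item 3: Federation Service name and identifier.
$props = Get-AdfsProperties

# Sign On / Logout URL: AD FS serves SAML 2.0 at /adfs/ls/. The guide notes these
# values may differ per installation, so read the endpoint rather than assume it.
$samlEndpoint = Get-AdfsEndpoint -AddressPath '/adfs/ls/' | Select-Object -First 1

# Step 2, items 1-4. Assumption: the fingerprint iSpring Learn verifies signatures
# against is the token-signing certificate's. During a rollover a secondary
# certificate also exists, so take the primary one.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } | Select-Object -First 1

# Step 2, item 6: remove all whitespace; the Details tab shows the thumbprint
# with a space between each byte.
$fingerprint = ($signing.Thumbprint -replace '\s', '').ToUpperInvariant()
if ($fingerprint -notmatch '^[0-9A-F]{40}$') {
    throw "Unexpected thumbprint format: '$fingerprint'"
}

# When AD FS rolls the token-signing certificate over, the fingerprint in iSpring
# Learn must be updated or SAML sign-in stops working, so flag upcoming expiry.
$daysLeft = ($signing.Certificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Token-signing certificate expires in $daysLeft days; plan to update the fingerprint in iSpring Learn."
}

# The values to paste into the iSpring Learn SSO settings (Step 2, item 7).
[pscustomobject]@{
    'Federation Service name'    = $props.HostName
    'Issuer URL (IdP Entity ID)' = $props.Identifier
    'Sign On URL'                = $samlEndpoint.FullUrl
    'Logout URL'                 = "$($samlEndpoint.FullUrl)?wa=wsignout1.0"   # assumed form
    'Certificate Fingerprint'    = $fingerprint
    'Token-signing cert expires' = $signing.Certificate.NotAfter
}
```

If Get-AdfsCertificate returns two token-signing certificates, AD FS is in the middle of an automatic rollover; after the secondary becomes primary, repeat this and update the Certificate Fingerprint field, otherwise iSpring Learn will reject the newly signed assertions.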

Step 3. AD FS Relying Party Configuration

  1. Go to the AD FS Management console and select Relying Party Trusts, right-click on it and select Add Relying Party Trust.



  2. Select Claims aware and click Start.



  3. On the Select Data Source step, select the last option: Enter data about the relying party manually.



  4. On the next screen, enter a Display name that you will recognize in the future. Click Next.



  5. At the Configure Certificate stage, leave the default values. Click Next.



  6. On the next screen, check the Enable support for the SAML 2.0 WebSSO protocol box. The service URL will be: https://youraccount.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp.



  7. At the Configure Identifiers step, add the Relying party trust identifier as https://youraccount.ispringlearn.com/module.php/saml/sp/metadata.php/default-sp. Click Add.



  8. Then, click Next.



  9. On the next step, choose Permit everyone. Click Next.



  10. At the Ready to Add Trust stage, leave the default values. Click Next.



  11. At the last step, check the Configure claims issuance policy for this application box. Then, click Close.


Step 4. Creating Claims Rules

  1. Open the AD FS control panel. In the Relying Party Trusts section, right-click on the name and click Edit Claim Issuance Policy.



  2. Add the first rule. To do this, click Add Rule...



  3. Select Send LDAP Attributes as Claims. Click Next.



  4. In the Configure Claim Rule step, in the Claim rule name field, enter a name for the rule, such as Attributes of iSpring Learn.



  5. Choose Active Directory as your attribute store.



  6. Next, select these values:

  7. Click Finish to save the new rule.



  8. Then, add the second rule and select Transform an Incoming Claim as the template.



  9. Name the rule Transform Account Name and click OK.



  10. Click Apply and then OK to confirm.

Step 5. Adjusting the Trust Settings

Make sure the Secure hash algorithm is set to SHA-256 in the security settings. To do this:

  1. Open the AD FS control panel. In the Relying Party Trusts section, right-click on the name and click on Properties.



  2. Go to the Advanced tab and select SHA-256 in the Secure hash algorithm field.

  3. Click OK.

Step 6. Endpoint Settings

  1. Open the AD FS control panel. In the Relying Party Trusts section, right-click on the name and click on Properties.



  2. In the Endpoints tab, check the default endpoint:

  3. Then add two additional endpoints.

    1. To add the first endpoint:

      1. Click Add SAML.

      2. For the Endpoint type parameter, select SAML Assertion Consumer.

      3. For Binding, select Artifact.

      4. For Index, select 2.

      5. In the Trusted URL field, enter an address like https://youraccount.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp.

      6. Leave the Response URL field blank and click OK.



    2. To add the second endpoint:

      1. Click Add SAML.

      2. For Endpoint type, select SAML Logout.

      3. For Binding, select POST.

      4. In the Trusted URL field, enter an address like https://YOUR_ADFS_SERVERNAME/adfs/ls/?wa=wsignout1.0.

      5. Leave the Response URL field blank and click OK.



  4. Make sure the three endpoints have been added. Click Apply and then OK to confirm.
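Steps 3 to 6 can be reproduced from PowerShell, which is useful for rebuilding the trust on a second AD FS farm or for auditing that the console configuration matches what was intended. The following is an added example and not iSpring's or Microsoft's own script. The host names, the trust name and the claim mapping are assumptions: the guide's screenshots of the LDAP attribute selection and of the Transform Account Name rule are not reproduced in the text, so the rules below map the AD mail attribute to the e-mail claim and then to the SAML Name ID, which you should adjust to match your own console settings.

```powershell
# Added example (not the iSpring guide's own script): create the relying party trust
# from Steps 3-6 in one go. Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

# Assumed values: replace with your iSpring Learn subdomain and AD FS host name.
$learnHost = 'youraccount.ispringlearn.com'
$adfsHost  = 'YOUR_ADFS_SERVERNAME'
$trustName = 'iSpring Learn'          # the Display name from Step 3, item 4

$acsUrl     = "https://$learnHost/module.php/saml/sp/saml2-acs.php/default-sp"   # Step 3, item 6
$identifier = "https://$learnHost/module.php/saml/sp/metadata.php/default-sp"    # Step 3, item 7
$logoutUrl  = "https://$adfsHost/adfs/ls/?wa=wsignout1.0"                         # Step 6

if (Get-AdfsRelyingPartyTrust -Name $trustName) {
    throw "A relying party trust named '$trustName' already exists; edit it with Set-AdfsRelyingPartyTrust instead."
}

# Step 6: the default assertion consumer endpoint (POST, index 0) created by enabling
# SAML 2.0 WebSSO, plus the two endpoints the guide adds by hand.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding Artifact -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 2
    New-AdfsSamlEndpoint -Binding POST     -Protocol SAMLLogout            -Uri $logoutUrl
)

# Step 4, claim rules in AD FS claim rule language. Assumed mapping: mail, givenName
# and sn are sent as claims, then the e-mail claim becomes the SAML Name ID.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Attributes of iSpring Learn"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Account Name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 3, item 9: "Permit everyone". Every AD account can then request a token for
# this trust; restrict it to a group if only some users should reach the LMS.
$authzRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $identifier `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # Step 5: SHA-256

# Verification matching Step 6, item 4: three endpoints, SHA-256, correct identifier.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
$trust | Select-Object Name, Identifier, SignatureAlgorithm
$trust.SamlEndpoints | Select-Object Protocol, Binding, Index, IsDefault, Location
```

Running the last two lines on a trust created through the console is the quickest way to confirm that the signature algorithm really is rsa-sha256 and that no extra or misspelled endpoint slipped in; a SHA-1 signature algorithm or a Trusted URL that differs from the iSpring Learn ACS path by one character is the usual cause of a failed sign-in after this guide.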

Step 7. Verify Single Sign-On

  1. Go to your iSpring Learn account https://youraccount.ispringlearn.com/.

  2. Click Log in with your corporate account.



    The user’s personal account will open.

    If an error occurs during configuration, please send a screenshot of the error to support@ispring.com.

Matching fields of iSpring Learn and SSO

In addition to rules, you can also specify matching fields of iSpring Learn fields and SSO attributes: First Name, Last Name, Job Title, Phone, etc. Learn more about matching fields of iSpring Learn and SSO.

On the AD FS side:



On the iSpring Learn side:

Authorization without SAML

If you have enabled OpenID in your iSpring Learn account but are unable to log in using single sign-on for some reason, type the following web address: https://yourcompany.ispringlearn.com/login?no_sso

You will then sign in to the account as usual, using your login and password.

If you get a 400 error and a message about the request being composed incorrectly ("Cannot retrieve metadata for IdP 'https://myidp.com/oam/fed' because it isn't a valid IdP for this SP") after you enabled SAML in your iSpring Learn account, it means that the value set for the Issuer URL (IdP Entity ID) field is incorrect.

To make the SAML authorization work properly in your account, copy the URL from the error text and paste it into the Issuer URL (IdP Entity ID) field.