Saba MFA and SSO with PhenixID Authentication Services

Summary

This document guides you through the steps to provide multi-factor authentication (MFA) and single sign-on (SSO) to Saba, a learning management system (LMS), using PhenixID Authentication Services.

System Requirements

  • PhenixID Authentication Services 2.8 or higher
  • Saba administrator account credentials

Instruction

1. Set up PhenixID Authentication Services as SAML IdP

  1. Set up PhenixID Authentication Services as a SAML IdP.

    Make sure the User identifier attribute is set to the attribute where the mail address is stored.

  2. Download the SAML IdP metadata to a file named idp.xml

2. Configure Saba

  1. Log in to Saba with your Saba administrator account.

  2. Click Security in the admin console.

  3. Open System->SAML SSO Setup

  4. Click Setup SAML SSO

  5. Select microsite.

  6. Click Add and Configure

  7. Upload the idp.xml metadata file.

  8. Choose Configure SP tab.

  9. Select Basic and enter an entity alias value

  10. Click on Generate.

  11. Click on the Configure Properties tab

  12. Set Enable SAML SSO to true.

  13. Save

  14. Go to SAML SSO Setup

  15. Select your site

  16. Copy the Saba endpoint url value

  17. Construct the Saba entityID value by replacing subdomain and entity alias:

    https://<subdomain>.sabacloud.com/Saba/saml/SSO/alias/<entity_alias_from_previous_step>

3. Add Saba SAML SP Metadata to PhenixID Authentication Services

  1. Create the Saba SAML SP metadata XML file. Use the template data below. Replace “ENTITY_ID” with the entityID constructed in the previous step.

    Replace “ASSERTION_CONSUMER_LOCATION” with the Saba endpoint URL copied in the previous step.

    Place the text in a file using a text editor and save it as an XML file.

    <?xml version="1.0" encoding="UTF-8"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="ENTITY_ID">
       <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
          <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ASSERTION_CONSUMER_LOCATION" />
       </SPSSODescriptor>
    </EntityDescriptor>
    
    1. Example metadata:

      <?xml version="1.0" encoding="UTF-8"?>
      <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://mydomain.sabacloud.com/Saba/saml/SSO/alias/myDomainAlias">
         <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
            <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mydomain.sabacloud.com/Saba/Web/mydX" />
         </SPSSODescriptor>
      </EntityDescriptor>
      
  2. Upload the metadata file using this Federation Scenario.
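
Before uploading, the hand-edited metadata file can be checked for leftover template placeholders, a damaged Binding URN, and a non-HTTPS or mismatched endpoint. The script below is an added example, not part of PhenixID or Saba; the function name check_sp_metadata and the rule that the endpoint host must equal the entityID host are assumptions based on the example metadata above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ALIAS_PATH = "/Saba/saml/SSO/alias/"  # entityID path given in the guide
# Constructed sample: the guide's example values with an intact Binding URN.
SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://mydomain.sabacloud.com/Saba/saml/SSO/alias/myDomainAlias">'
    '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<AssertionConsumerService index="1" Binding="' + HTTP_POST + '" '
    'Location="https://mydomain.sabacloud.com/Saba/Web/mydX" />'
    '</SPSSODescriptor></EntityDescriptor>'
)


def check_sp_metadata(xml_text):
    """Return a list of problems in Saba SP metadata; an empty list means OK."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != MD + "EntityDescriptor":
        return ["root is not EntityDescriptor in the SAML metadata namespace"]
    problems = []
    entity_id = root.get("entityID", "")
    eid = urlsplit(entity_id)
    alias = eid.path[len(ALIAS_PATH):] if eid.path.startswith(ALIAS_PATH) else ""
    if not alias or "/" in alias:
        problems.append("entityID path is not /Saba/saml/SSO/alias/<entity_alias>")
    values = [("entityID", entity_id)]
    acs = root.findall(f"{MD}SPSSODescriptor/{MD}AssertionConsumerService")
    if not acs:
        problems.append("no AssertionConsumerService element")
    for svc in acs:
        values.append(("Location", svc.get("Location", "")))
        if svc.get("Binding") != HTTP_POST:
            problems.append("Binding is not exactly " + HTTP_POST)
        # Assumption: the ACS endpoint is on the same Saba host as the entityID.
        if urlsplit(values[-1][1]).hostname != eid.hostname:
            problems.append("ACS Location host differs from entityID host")
    for name, value in values:
        url = urlsplit(value)
        if any(ch.isspace() for ch in value):
            problems.append(f"{name} contains whitespace")
        elif url.scheme != "https" or not url.hostname:
            problems.append(f"{name} is not an https URL (placeholder left in?)")
    return problems
```

Pass the contents of your metadata file to check_sp_metadata; an empty list means none of these checks flagged a problem.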

Test

  1. Open a web browser
  2. Browse to your Saba subdomain
  3. You should be redirected to the IdP (PhenixID Authentication Services)
  4. Authenticate
  5. You should be redirected back to Saba
  6. You are now logged in to Saba.

Troubleshooting

Use the SAML Tracer addon for Firefox to debug and trace the SAML messages.

Check PhenixID logs/server.log for errors.