Microsoft ADFS SSO Integration

Integration Summary
Microsoft ADFS enables your users to sign in with single sign-on access. We integrate with Microsoft ADFS to provide you with a seamless login experience, safely and securely. If your company already uses Microsoft ADFS, you can quickly and easily enable allow your employees to use their single sign-on details to access Learn Amp.

Main Features

Enjoy a seamless login experience between Learn Amp and Microsoft ADFS.

Your employees will be able to sign into the Learn Amp platform with their Microsoft ADFS single sign-on details.
Signing in is quick and easy, while remaining safe and secure.

Known Limitations/ Considerations

User accounts: This integration only authenticates existing user accounts. Any users in your Active Directory, who do not have Learn Amp accounts, will not be able to sign in until their user account has been set up in Learn Amp.

User Unique ID: Learn Amp authenticates user access by comparing the email field in Learn Amp and the UserPrincialName (UPN) field in ADFS. Learn Amp user accounts should be created with an email matching the UserPrincipalName field in Azure AD for the SSO integration to work.

How the Platforms Connect

Learn Amp authenticates users against the Microsoft ADFS (Authorization Server) using OpenID Connect.

When setting up the integration, you will need to provide us with:

The URL of your Identity Provider (IdP). e.g. https://sso.yourcompany.com/adfs/services/trust
The IdP endpoint (URL) to which the authentication request should be sent. e.g. https://sso.yourcompany.com/adfs/ls
The idp cert fingerprint. The SHA1 fingerprint of the IdP's signing certificate (e.g. "90:CC:16:F0:8D"). This is provided by the IdP when setting up the trust relationship.

Once provided, the integration will be enabled and configured to then be tested.

Permissions/Scopes Required

For SSO with MS ADFS to work effectively, the following permission scope is required by the integration:

User.Read

This scope is used to fetch user details, so Learn Amp users can be authenticated.

Required Stakeholders

To set up our Integration with Microsoft ADFS, you will need somebody with administrator level access to your Microsoft ADFS. This person will also need administrator level access to your Learn Amp Live account for the period of time in which the Integration is being set up.

Set up Instructions

Full instructions on how to set up the Azure AD integration can be found within your Learn Amp account. Please go to yourdomain.learnamp.com/en/integrations/wsfed

Other Frequently Asked Questions

What user field in Microsoft ADFS does Learn Amp use to authenticate users?

LearnAmp authenticates users by the ‘UserPrincipleName’ field in Azure AD. If you would like to use the ‘mail’ field please speak to your implementation coach.

What authentication protocol does Learn Amp use to authenticate user accounts?

Learn Amp uses OAuth2 to authenticate user accounts.

What information from ADFS is stored within Learn Amp to setup the integration?

We store the The URL of your Identity Provider, IDP endpoint and The IDP cert fingerprint when setting up the Integration.

We have other users who are not held in our ADFS account. Can they still access Learn Amp?

Yes. You can use MS ADFS SSO in combination with email and password login. This allows other users to access Learn Amp without authenticating with ADFS.