How to configure Single Sign-on (SSO) using Azure AD

Updated over 3 months ago

This article will walk you through configuring your Skillcast application to allow users to log in via Single Sign-on (SSO) using Azure AD as your Identity Provider. If you are using any other provider, you can check out this article on how to use the EasySSO option. See the sections below:

Before you start

Speak to your Customer Success Manager (CSM) and Account Manager (AM) about your options and the costs of implementing SSO for your application. You may also want to discuss details such as which user domains should be able to use SSO, and whether your CSM will help you set this up or ensure you have the correct permissions to set it up yourself.

Preparing Skillcast for Single Sign-on

First, you need to prepare the portal for SSO; this is done in a few steps.

Adding a new external connection

NOTE: This process is usually completed by your Customer Success Manager at Skillcast; however, the steps are detailed below:

Click on Management Console > Configuration > External Connections

  • Connection: 'Add new connection'

  • From the Type dropdown, select Azure SSO – Skillcast app. This will reveal fields to be completed.
    - Name: Make sure to type in a name for your SSO connection
    - Domain: Choose your user domain from the drop-down
    - Tenant:
    - Authorized domain: This must be populated when choosing Just In Time provisioning via SSO. Set it to the end of the email address used by users in Azure AD and Skillcast, i.e. everything after the @, e.g. mycompany.com. Additional domains can be added using a comma to separate them, e.g. mycompany.com,mycompany.co.uk.
    IMPORTANT: Leaving this blank when choosing Just in Time Provisioning runs the risk of duplicate accounts being created or unauthorised access to your application (see Adding SSO connection to a user domain).

Adding SSO connection to a user domain

Next, you must configure which user domain(s) must use SSO. This will ensure that users in those Domain(s) can be authenticated and access your portal URL, which looks something like mycompany.e-learningportal.com.

NOTE: This process is usually completed by your Customer Success Manager at Skillcast; however, the steps are detailed below:

Click on Management Console > Configure > Domains

  • Find the domain you want to configure as your SSO domain.

  • Tick the box next to the default domain option and click update. If you have more than one domain that needs to use the same SSO connection, set the default domain as the parent of any additional user domains. Alternatively, you can skip this step and use the Allow any Domain option.

  • In the left-hand menu, click on Single-Sign-on

  • This will reveal fields to be completed to configure SSO
    - Connection: from the drop-down, select the new External connection for Azure AD
    - Status: Set the status to Test
    - Allow Any domain: If ticked, this option will override any chosen default domain and allow users in any domain to use the portal URL to log in (as long as they have a matching active account on both Azure AD and Skillcast). This is a useful setting if you have user domains that cannot be linked by a parent but need to use the same URL to log in.
    - Error Page: Choose an error page from the drop-down; this will be the page the user will see if they fail to log in.
    - User identifier: From the drop-down, choose an attribute to use as an identifier. Please note that its name must match the name provided by Azure AD. For example, if EmpID is going to be used, this attribute name must be the same on both Skillcast and Azure AD. (For e-mail, this can be left blank as our system will recognise it.)
    - Just-in-time provisioning: The default option will be 'User account must be pre-registered'. Change this to 'Create user account if it doesn't already exist' to enable JIT provisioning.
    IMPORTANT: If enabling JIT provisioning, you will need to ensure you have added email domains in the Authorized domain field of your external connection (see Adding a new external connection).
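
The following is an added example, not Skillcast's code, of the kind of check the Authorized domain field and the Just-in-time provisioning setting described above imply: it shows why a blank field is dangerous and why the domain comparison must be exact. The function names, the fail-closed behaviour on a blank field and the sample addresses are assumptions constructed for illustration.

```python
from __future__ import annotations
# Added illustration: NOT Skillcast's implementation. All names are
# hypothetical and the sample sign-ins below are constructed.

def parse_authorized_domains(field: str) -> set[str]:
    """Split the comma-separated 'Authorized domain' value into a normalised set."""
    return {d.strip().lower().lstrip("@") for d in field.split(",") if d.strip()}

def email_domain(email: str) -> str | None:
    """Return the part after the single '@', or None if the address is malformed."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return domain.lower().rstrip(".")

def jit_decision(email: str, authorized_field: str, account_exists: bool) -> str:
    """Decide what happens to an authenticated sign-in when JIT provisioning is on."""
    if account_exists:
        return "login"  # pre-registered user: nothing is created
    allowed = parse_authorized_domains(authorized_field)
    if not allowed:
        # Assumption: fail closed, so a blank field never creates accounts.
        return "reject: no authorized domain configured"
    domain = email_domain(email)
    if domain is None:
        return "reject: malformed email"
    # Exact comparison only: suffix or substring matching would accept
    # 'notmycompany.com' or 'mycompany.com.example.net'.
    if domain not in allowed:
        return f"reject: {domain} not authorized"
    return "create"

# Constructed samples: (email claim from the identity provider, account exists?)
FIELD = "mycompany.com,mycompany.co.uk"
SAMPLES = [
    ("alice@mycompany.com", True),
    ("Bob@MyCompany.co.uk", False),
    ("carol@notmycompany.com", False),
    ("dave@mycompany.com.example.net", False),
    ("erin@mycompany.com@example.net", False),
]

if __name__ == "__main__":
    for email, exists in SAMPLES:
        print(f"{email:35} -> {jit_decision(email, FIELD, exists)}")
    print("blank field ->", jit_decision("bob@mycompany.com", "", False))
```
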

Connect your Azure AD environment to your Skillcast Application.

Any staff member in your company can do this, but your Azure Administrator will need to approve the first request. If your Azure Administrator is available both to do the registration and to approve the request, this is preferred; if not, please make sure your Azure Administrator knows before moving forward.

Apply to register the application in your Microsoft Azure AD

You must go to the test link that looks like the one below.
https://[clientID].e-learningportal.com/?testSSO


[clientID] needs to be replaced with your own ID, which can be found in your portal URL.

Once authenticated, this URL will take you through to the Microsoft wizard, which will display your email address.

Complete the field for the justification request. Example of request to type: This is for SSO connection to our company e-learning/compliance portal

Once the justification has been entered, the Request approval button will be enabled and should be clicked. This information will be sent to the Azure Administrator along with the request to install the connector. You can now close this window.

Accepting the request as an Azure Administrator

Once the request has been sent, the Azure Administrator will be notified via an email containing a link that takes them straight to the Azure management page for the application.

Alternatively, they can access the request by:

  • Azure AD > Enterprise Applications > Admin consent requests

  • Select “Portal App” with the Skillcast logo

  • Click on the option to “Review permissions and consent”.

  • This will launch a pop-up window, where you can see the permissions requested by the Skillcast application and can either "Accept" or "Cancel" the installation of the connector to your Azure cloud. To proceed, choose the "Accept" option.

Once accepted, you will see the Portal App installed under Azure AD > Enterprise Applications

You can now share the test link with other users in your organisation, who will be prompted to use their Windows login and password to log in to the Skillcast application. For future authentication attempts, as long as they are logged into Windows already, they will not be prompted. If you have any other security settings turned on, such as MFA, they must also complete this authentication.

Changing the connection from Test to Live


Once you are happy that the testing is complete, you can go to Management Console > Domain > Single Sign-on and change the SSO status from Test to Live and Update Settings.

Any authenticated users will then be able to click your portal URL and access the portal with their Windows credentials on their first attempt. For future authentication attempts, as long as they are logged into Windows already, they will not be prompted. If you have any other security settings turned on, such as MFA, they must also complete this authentication.

Limitations and Considerations

  1. You will then need to ensure that any emails that pull through usernames and passwords are updated to have the URL only.

  2. Your Azure administrator can configure this Enterprise Application in Azure AD to be available only to certain users in the business; each user who requires access will then have to be assigned this right in your Azure AD.

  3. If you use the easy SSO option within the Skillcast application and want to migrate to Azure AD SSO, the steps will be slightly different to ensure you do not impact the existing SSO while testing.

  4. Logs of requests are available to view via the Single Sign-on menu in the domain. Click view logs to view all requests. By default, all requests are logged, but you can change this by changing the Logging setting to 'Errors'.