Info: The integration services described below may require additional one-time and/or annual fees. For more information, please contact us.
When the learning environment is integrated with Microsoft Entra ID (formerly known as Azure AD) using SAML 2.0, it can:
- Authenticate users directly against Entra ID each and every time they try to log in to the learning environment
- Optionally have an account created in the learning environment after a user successfully authenticates
IMPORTANT NOTE: The learning environment neither downloads nor stores the user's password. It sends an authentication request to your Microsoft Entra ID server each and every time a user tries to log in.
User Information
In order for Entra ID authentication to work, the learning environment needs to store some user information in its database. At a minimum, it needs the following information:
Username
First name
Last name
Email address
If this information is stored in Microsoft Entra ID, the learning environment can create / update the user's account in its database. Otherwise, if those 4 fields are not available, the learning environment can import user profile information from your HCM / HRIS (Human Capital Management / Human Resources Information System) or even from a CSV file. The source of the information is not important, but the information must be available: the learning environment will not create user accounts if any of the above 4 fields is missing.
The rest of the information (e.g. job title, department, telephone) is optional and does not need to be imported into the learning environment. If it is available in Entra ID, it can be imported into the learning environment. If you decide not to import this additional information, however, please note that it will not be available in the various reports offered by the learning environment.
Assumptions
There are a few rules that must be respected in order for the integration to work:
- You must accept SAML requests from the learning environment. This means that your Identity Provider will need to allow requests from the learning environment over a secure port (HTTPS).
Domain-Based Authentication
Info: This feature is only available to organizations that have subscribed to the Multi-site version of the system. For more information, please contact us.
In a multi-site environment (see /wiki/spaces/Healthcare/pages/34844303), it is quite common for the learning environment to connect to multiple Active Directory servers. In many cases, usernames may conflict across two or more Active Directory servers. For example, there could be a user with the username "jsmith" in both Active Directory servers.
The multi-site version of the learning environment supports domain-based authentication. When enabled, the system allows two users with the same Active Directory username (e.g. samAccountName) to log in to the learning environment by specifying their domain, as per the screenshot below.
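The account-creation rule from the User Information section (all four fields must be present in the assertion, otherwise no account is created) and the domain-qualified username used by domain-based authentication, as an added example that is not the learning environment's own code. It assumes Entra ID's default SAML claim URIs for the four fields, an arbitrary `jobtitle` claim for the optional data, and that the SAML library has already verified the response signature before the attributes are read.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Learning-environment field -> claim name (Entra ID default URIs assumed here).
REQUIRED = {
    "username": CLAIMS + "name",
    "first_name": CLAIMS + "givenname",
    "last_name": CLAIMS + "surname",
    "email": CLAIMS + "emailaddress",
}
OPTIONAL = {"job_title": CLAIMS + "jobtitle"}  # hypothetical optional claim

def extract_attributes(assertion_xml):
    """Return {claim name: first non-empty value} from the AttributeStatement.
    Assumes the SAML library has already verified the response signature."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text and value.text.strip():
            attrs[attr.get("Name")] = value.text.strip()
    return attrs

def build_profile(attrs, domain=None):
    """Map claims to profile fields; return None when any required field is
    missing (no account is created in that case). With domain-based
    authentication, `domain` qualifies the username so "jsmith" from two
    directories maps to two distinct accounts."""
    profile = {}
    for field, claim in REQUIRED.items():
        if claim not in attrs:
            return None
        profile[field] = attrs[claim]
    for field, claim in OPTIONAL.items():
        if claim in attrs:
            profile[field] = attrs[claim]
    if domain:
        profile["username"] = f"{domain}\\{profile['username']}"
    return profile

# Constructed sample assertion (no signature; not a real Entra ID response).
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jsmith@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Dropping any one of the four required claims from `SAMPLE` makes `build_profile` return `None`, which is the point at which the learning environment declines to create the account.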
Important Notes
The learning environment neither downloads nor stores the user's password. It sends an authentication request to your Microsoft Entra ID server each and every time a user tries to log in.
It is possible to allow authentication via Microsoft Entra ID and alternative login methods concurrently.
In the screenshot above, “Entra ID” is usually replaced by terminology more familiar to your learners. For example, the button could read “Log in using your hospital credentials” or simply “I’m an employee”.
When using SAML 2.0, the learning environment can only connect to one (1) Microsoft Entra ID server. If your organization needs to connect to multiple Entra ID servers, please contact us and inquire about our multi-tenancy solution.