When the learning environment is integrated with your Active Directory (AD) through ADFS using SAML, it can:
- Authenticate users against AD every time they log in to the learning environment (the login is handed off to ADFS, which validates the credentials against AD).
- Optionally create an account in the learning environment the first time a user authenticates successfully (just-in-time provisioning).
IMPORTANT NOTE: The learning environment never receives or stores the user's password. Each login is redirected to your ADFS server; ADFS checks the credentials against AD and returns a signed SAML assertion, which is all the learning environment sees.
User Information
For AD authentication to work, the learning environment needs to store some user information in its database. At a minimum, it needs the following four fields:
- Username
- First name
- Last name
- Email address
If this information is stored in your AD, the learning environment can create and update user accounts in its own database from it. If those four fields are not all available in AD, the learning environment can instead import user profile information from your HRIS (Human Resources Information System) or from a CSV file. The source of the information does not matter, but the information must be available: the learning environment will not create a user account if any of the four fields above is missing.
The rest of the information (e.g. job title, department, telephone) is optional and does not need to be imported into the learning environment. Note, however, that any attribute you choose not to import will not be available in the learning environment's reports.
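The check described above (no account unless all four required fields arrive, optional attributes taken when present) can be expressed as a small service-provider-side routine. The example below is added here for illustration and is not code from the learning environment. It assumes the ADFS relying-party rules issue the standard claim URIs for sAMAccountName, givenName, sn and mail; the optional claim URIs (urn:example:lms:...) are hypothetical, and the two SAML responses are constructed, unsigned samples. A real service provider must have its SAML library verify the response signature, issuer, audience and validity window before anything in the assertion is trusted.

```python
"""Added example: map a SAML assertion to the learning environment's profile
fields and refuse account creation when any required field is missing.
Claim URIs and the sample responses below are assumptions, not from the page."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard claim types ADFS issues for sAMAccountName, givenName, sn and mail
# (assumed mapping; adjust to whatever your relying-party rules actually send).
REQUIRED_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
}

# Hypothetical custom claim URIs for the optional report fields.
OPTIONAL_ATTRIBUTES = {
    "urn:example:lms:jobtitle": "job_title",
    "urn:example:lms:department": "department",
    "urn:example:lms:telephone": "telephone",
}


def extract_attributes(response_xml: str) -> dict:
    """Return {claim_type: first non-empty value} from the AttributeStatement.
    Signature/issuer/audience checks are assumed to have been done already."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if name and values:
            attrs[name] = values[0]
    return attrs


def build_profile(response_xml: str) -> tuple:
    """Return (profile, missing).

    profile is a dict ready to create/update the account when all four
    required fields are present, otherwise None. missing lists the required
    field names that were absent so the failure can be logged and reported.
    Optional fields are copied only when the IdP sent them."""
    attrs = extract_attributes(response_xml)
    profile, missing = {}, []
    for claim, field in REQUIRED_ATTRIBUTES.items():
        value = attrs.get(claim)
        if value:
            profile[field] = value
        else:
            missing.append(field)
    if missing:
        return None, missing            # do not create an account
    for claim, field in OPTIONAL_ATTRIBUTES.items():
        if attrs.get(claim):
            profile[field] = attrs[claim]
    return profile, []


def _sample_response(include_email: bool) -> str:
    """Constructed, unsigned SAML response used only for this example."""
    email_attr = (
        '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
        "<saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>"
        if include_email else ""
    )
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:lms:department">
        <saml:AttributeValue>Cardiology</saml:AttributeValue></saml:Attribute>
      {email_attr}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


COMPLETE_RESPONSE = _sample_response(include_email=True)
NO_EMAIL_RESPONSE = _sample_response(include_email=False)

if __name__ == "__main__":
    print(build_profile(COMPLETE_RESPONSE))   # profile with department, no missing fields
    print(build_profile(NO_EMAIL_RESPONSE))   # (None, ['email']): account not created
```

The second sample shows the failure mode the page warns about: the user authenticated successfully at ADFS, but because AD has no mail attribute for them, no account is created and the login cannot proceed until the email is supplied from AD, the HRIS or a CSV import.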
Assumptions
A couple of rules must be respected for the integration to work:
- Your Identity Provider must accept SAML requests from the learning environment. This means your ADFS server needs to be configured to trust the learning environment as a relying party and to exchange SAML messages with it over a secure port (HTTPS).
- If SAML is enabled, all users must log in through SAML. This includes your physicians, medical students, volunteers, external consultants, and so on. If some users need to log in directly to the learning environment, we recommend the LDAPS integration instead.