Configure OpenID SSO for TalentLMS

These steps show you how to configure single sign-on (SSO) to TalentLMS using OpenID from ManageEngine ADSelfService Plus.

Prerequisites

  • Do not terminate the session before the configuration is complete in both the identity provider and the service provider.
  • Enable HTTPS in the product to ensure proper functioning of single sign-on.
  1. Log in to ADSelfService Plus as Super admin.
  2. Go to Configuration > Password Sync/ Single Sign On and click Add Application. Select TalentLMS from the list.
     Note: You can also use the search bar, in the top-left, to search for the application.
  3. Click on IdP Details and select the SSO (OAuth/OpenID Connect) tab.
  4. Copy Client ID, Client Secret, Authorization Endpoint URL, Token Endpoint URL, and User Endpoint URL.

TalentLMS (service provider) configuration steps

  1. Log in to your TalentLMS account with admin credentials.
  2. Go to Home → Account & Settings → Users and click Single Sign-On (SSO).
  3. Select the SSO Integration Type as OpenID Connect from the drop-down list.
  4. Enter the following fields with the corresponding details copied in step 4 of Prerequisites:
    • Client id: Client ID
    • Client secret: Client Secret
    • Token endpoint: Token endpoint URL
    • User info endpoint: User Endpoint URL
    • Authorization endpoint: Authorization Endpoint URL
  5. Fill in the following fields as mentioned below:
    • Username: sub
    • First name: first_name
    • Last name: last_name
    • Email: email
    • Scope: openid email profile
  6. Click Save and check your configuration.
  7. Copy the Authorized redirect URL from TalentLMS; you need it to configure ADSelfService Plus.

ADSelfService Plus (identity provider) configuration steps

  1. Switch back to ADSelfService Plus' TalentLMS configuration page.
  2. Enter the Application Name and Description as per your preference.
  3. Enter the Domain Name of your TalentLMS account. For example, if your TalentLMS username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
  4. Select policies from the Assign policies drop-down to decide which users this setting applies to.
  5. Check the box next to Enable OAuth/OpenID Connect in the OAuth/OpenID Connect tab.
  6. Enter the Authorized redirect URL, from step 7 in TalentLMS configuration steps, in the Login Redirect URL field.
  7. Scopes specify the level of access the access token has. The scopes are generally provided in the authorization request, so you don't have to specify them here. If the scopes are not mentioned by your service provider, you must add them in this field.
  8. Click Add Application to save these settings.
  9. The Well-known Configuration URL in the IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes, and client details. This is enabled only after you save the application in ADSelfService Plus. You can provide this to your service provider if required.
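
A check an administrator can run once the application is saved, as an added example that is not ManageEngine or TalentLMS code: it compares the endpoints entered in TalentLMS with the Well-known Configuration document and confirms HTTPS plus the scopes and attribute names used in the steps above. The field names are those of standard OpenID Connect discovery metadata; the host, paths and sample document are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Scope and attribute names from the TalentLMS steps on this page.
REQUIRED_SCOPES = {"openid", "email", "profile"}
MAPPED_CLAIMS = {"sub", "first_name", "last_name", "email"}
# Standard OpenID Connect discovery fields -> TalentLMS form labels.
ENDPOINTS = {"authorization_endpoint": "Authorization endpoint",
             "token_endpoint": "Token endpoint",
             "userinfo_endpoint": "User info endpoint"}

def check_sso_config(discovery, entered):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    for field, label in ENDPOINTS.items():
        published = discovery.get(field)
        if not published:
            problems.append(f"{field} missing from the discovery document")
            continue
        if urlsplit(published).scheme != "https":
            problems.append(f"{label} is not HTTPS: {published}")
        if entered.get(field) != published:
            problems.append(f"{label} in TalentLMS differs from the published value")
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", []))
    if missing:
        problems.append("scopes not listed as supported: " + ", ".join(sorted(missing)))
    # claims_supported is optional metadata, so check it only when published.
    claims = discovery.get("claims_supported")
    if claims is not None and MAPPED_CLAIMS - set(claims):
        problems.append("mapped attributes not published: "
                        + ", ".join(sorted(MAPPED_CLAIMS - set(claims))))
    return problems

# Constructed sample document; host and paths are placeholders, not product values.
SAMPLE_DISCOVERY = json.loads("""{
  "authorization_endpoint": "https://adssp.example.com/placeholder/authorize",
  "token_endpoint": "https://adssp.example.com/placeholder/token",
  "userinfo_endpoint": "https://adssp.example.com/placeholder/userinfo",
  "scopes_supported": ["openid", "email", "profile"],
  "claims_supported": ["sub", "first_name", "last_name", "email"]
}""")
# Values as an administrator would have pasted them into TalentLMS (constructed).
SAMPLE_ENTERED = {f: SAMPLE_DISCOVERY[f] for f in ENDPOINTS}

if __name__ == "__main__":
    for line in check_sso_config(SAMPLE_DISCOVERY, SAMPLE_ENTERED) or ["OK"]:
        print(line)
```

To use it against a real deployment, load the JSON served at the Well-known Configuration URL into `discovery` and the three endpoint values typed into TalentLMS into `entered`.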

Copyright © 2024, ZOHO Corp. All Rights Reserved.