Note: This guide covers SSO for logging in to www.opensesame.com. For OpenSesame’s other SSO options—course launch or logging in to CourseCloud®—see OpenSesame's single sign-on (SSO) options.
With single sign-on for the OpenSesame marketplace, your administrators log in to OpenSesame through your organization's existing Identity Provider (IdP) instead of with a separate OpenSesame password. OpenSesame supports OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) for the marketplace.
Setup is a collaborative process between your IT team and OpenSesame.
Requirements
Eligibility
To use SSO, your organization:
- Must have an OpenSesame Customer Success Manager (CSM).
- Cannot use a legacy integration. If you use an OpenSesame integration and aren’t sure which type it is, ask your CSM or email support@opensesame.com.
Work with an OpenSesame Implementation Specialist to set up this SSO connection. If you are not yet in touch with a specialist, contact your OpenSesame CSM or Account Executive.
What you need
- An SSO identity provider (IdP) already in use.
- An internal IT partner who can assist with setup. They will also know whether your organization uses OIDC or SAML.
OIDC option
Step 1: Your IT team configures the IdP
Your IT team registers OpenSesame as an application:
- Create an OpenSesame application in your IdP.
- Allowlist both callback URLs:
  - https://auth.identity.opensesame.com/oauth2/v1/authorize/callback
  - https://api.identity.opensesame.com/v1/auth/interactive/testcallback
Step 2: Share IdP details with OpenSesame
After the IdP is configured, give your OpenSesame Implementation Specialist the following:
| IdP information | Description |
|---|---|
| Client ID & Client Secret | Generated when the OpenSesame app is created in your IdP. |
| OIDC Well-Known Configuration URL | Your IdP's discovery endpoint. |
| Friendly IdP name | A display name for your IdP (for example, Acme Warehouse or Acme HQ). |
OpenSesame uses the following OIDC claims by default:
- firstName
- lastName
If your IdP provides these claims, no further information is needed.
If any are unavailable, provide the claims to use in their place:
| Claim | Description |
|---|---|
| Email claim | The OIDC claim for a user's login email address. |
| First name claim | The OIDC claim for a user's first name. |
| Last name claim | The OIDC claim for a user's last name. |
Step 3: OpenSesame activates your connection
The OpenSesame team configures the OIDC connection and sends you a direct login URL in the following format:
https://api.identity.opensesame.com/v1/auth/interactive/login/sso/{idpkey}
Your IT team uses this URL to test the SSO connection. They can also add it to your IdP’s app portal so administrators can access OpenSesame from your existing application launcher.
After a successful SSO login has been confirmed, the OpenSesame team turns off password-based login for all users in your organization. When that’s done, SSO using OIDC is fully active.
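Before handing the well-known configuration URL and claim names to OpenSesame (Step 2), your IT team can sanity-check the IdP's discovery document and confirm that the ID token carries the claims OpenSesame expects. The script below is an added example, not OpenSesame's code; the discovery document and token claims are constructed samples, and using `email` as the default login claim is an assumption (the page lists only `firstName` and `lastName` as defaults).

```python
import json
from urllib.parse import urlparse

# Constructed sample: the shape of a real /.well-known/openid-configuration response.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "response_types_supported": ["code"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Claim names OpenSesame uses by default. "email" is an assumption for the login
# claim; firstName and lastName are the defaults named in the guide.
DEFAULT_CLAIM_MAP = {"email": "email", "firstName": "firstName", "lastName": "lastName"}


def check_discovery(doc, expected_issuer):
    """Return a list of problems found in a well-known configuration document."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not supported")
    return problems


def resolve_claims(id_token_claims, overrides=None):
    """Map ID token claims onto the fields OpenSesame needs; report any that are missing.

    `overrides` holds the replacement claim names you would list in the Step 2 table,
    e.g. {"firstName": "given_name", "lastName": "family_name"}.
    """
    claim_map = {**DEFAULT_CLAIM_MAP, **(overrides or {})}
    resolved, missing = {}, []
    for field, claim in claim_map.items():
        if claim in id_token_claims:
            resolved[field] = id_token_claims[claim]
        else:
            missing.append(f"{field} (looked for claim {claim!r})")
    return resolved, missing
```

The `missing` list tells you which rows of the Step 2 claim table you need to fill in for your IdP.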
SAML option
Step 1: Request SP metadata from OpenSesame
Before your IT team configures anything in your IdP, contact your OpenSesame Implementation Specialist to request Service Provider (SP) metadata. Include the display name you want for your IdP.
OpenSesame then provides the SP metadata, which includes:
- Issuer URL
- SSO URL
- x509 signing certificate
Step 2: Your IT team configures the IdP
Your IT team uses the SP metadata to create an OpenSesame application in your IdP.
Step 3: Share IdP details with OpenSesame
After the IdP is configured, give your OpenSesame Implementation Specialist the IdP Metadata as either a URL or an XML file.
OpenSesame uses the following SAML attributes by default:
- NameID
- firstName
- lastName
If your IdP provides these attributes, no further information is needed.
If any are unavailable, provide the attributes to use in their place:
| Attribute | Description |
|---|---|
| Email/login attribute | The SAML attribute for a user's login email (defaults to NameID if not specified). |
| First name attribute | The SAML attribute for a user's first name. |
| Last name attribute | The SAML attribute for a user's last name. |
Step 4: OpenSesame activates your connection
The OpenSesame team finalizes the SAML configuration and sends you a direct login URL in the following format:
https://api.identity.opensesame.com/v1/auth/interactive/login/sso/{idpkey}
Your IT team uses this URL to test the SSO connection. They can also add it to your IdP’s app portal so administrators can access OpenSesame from your existing application launcher.
After a successful SSO login has been confirmed, the OpenSesame team turns off password-based login for all users in your organization. When that’s done, SSO using SAML is fully active.
For help, contact OpenSesame Support at support@opensesame.com, use live chat, or call (503) 808-1268, ext. 2 (U.S.) or +44 203 744 5541 (Europe).