Cornerstone On Demand
=====================

|image0|

Presentation
------------

CornerStone On Demand (CSOD) allows one to use SAML to authenticate
users. It works by default with the IDP-initiated mechanism, but can
also work with the standard SP-initiated flow.

To work with LL::NG it requires:

-  An enterprise account
-  LL::NG configured as :doc:`SAML Identity Provider<../idpsaml>`
-  Registered users on CSOD with the same email as the one used by
   LL::NG (email will be the NameID exchanged between CSOD and LL::NG)

Configuration
-------------

New Service Provider
~~~~~~~~~~~~~~~~~~~~

You should have configured LL::NG as a
:doc:`SAML Identity Provider<../idpsaml>`. Now we will add CSOD as a
new SAML Service Provider:

#. In Manager, click on SAML service providers and the button
   ``New service provider``.
#. Set csod as Service Provider name.
#. Set ``Email`` in ``Options`` » ``Authentication Response`` »
   ``Default NameID format``
#. Select ``Metadata``, and unprotect the field to paste the following
   value:

   .. code-block:: xml

      Base64 encoded CSOD certificate
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

.. attention::

    Change **mycompanyid** (in ``AssertionConsumerService`` markup,
    parameter ``Location``) into your CSOD company ID and put the
    certificate value inside the ds:X509Certificate markup

CSOD control panel
~~~~~~~~~~~~~~~~~~

CSOD needs two things to configure LL::NG as an IDP:

-  Certificate
-  SAML assertion

Certificate
^^^^^^^^^^^

See :doc:`SAML security parameters<../samlservice>` to learn how to
generate a certificate from your SAML private key.

SAML assertion
^^^^^^^^^^^^^^

You need to use the IDP initiated feature of LL::NG. Just call this
URL:

::

   https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com

.. |image0| image:: /applications/csod_logo.png
   :class: align-center
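The following Python check is an added example, not part of the LL::NG documentation. It verifies the points the Service Provider metadata step depends on before the value is pasted into the Manager: a decodable certificate inside ``ds:X509Certificate``, the emailAddress NameID format, and an HTTPS ``AssertionConsumerService`` ``Location`` in which **mycompanyid** has been replaced. The embedded metadata is a constructed sample in the standard SAML 2.0 layout; its ``Location`` path and the function name ``check_sp_metadata`` are assumptions.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: standard SAML 2.0 SP metadata layout. The Location path
# and the certificate text are placeholders, not values published by CSOD.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="mycompanyid.csod.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Base64 encoded CSOD certificate</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mycompanyid.csod.com/PLACEHOLDER-ACS-PATH"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, placeholder="mycompanyid"):
    """Return a list of problems found in the SP metadata (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    cert = root.find(".//ds:X509Certificate", NS)
    cert_text = "".join((cert.text or "").split()) if cert is not None else ""
    try:
        der = base64.b64decode(cert_text, validate=True)
        if not der.startswith(b"\x30"):  # heuristic: DER starts with a SEQUENCE tag
            problems.append("certificate is not DER data")
    except binascii.Error:
        problems.append("certificate is not valid Base64")
    formats = [e.text.strip() for e in root.findall(".//md:NameIDFormat", NS) if e.text]
    if EMAIL_FORMAT not in formats:
        problems.append("NameIDFormat emailAddress missing")
    acs = root.findall(".//md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService")
    for e in acs:
        loc = e.get("Location", "")
        if urlparse(loc).scheme != "https":
            problems.append("ACS Location is not https")
        if placeholder in loc:
            problems.append("ACS Location still contains the placeholder")
    return problems
```

The first-byte test only catches an unreplaced or mangled certificate field; it does not validate the certificate itself.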