Cornerstone On Demand



CornerStone On Demand (CSOD) allows one to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.

To work with LL::NG it requires:

  • An enterprise account

  • LL::NG configured as SAML Identity Provider

  • Registered users on CSOD with the same email than those used by LL::NG (email will be the NameID exchanged between CSOD and LL::NG)


New Service Provider

You should have configured LL::NG as an SAML Identity Provider,

Now we will add CSOD as a new SAML Service Provider:

  1. In Manager, click on SAML service providers and the button New service provider.

  2. Set csod as Service Provider name.

  3. Set Email in Options » Authentication Response » Default NameID format

  4. Select Metadata, and unprotect the field to paste the following value:

<md:EntityDescriptor entityID="" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="">
Base64 encoded CSOD certificate
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1" />


Change mycompanyid (in AssertionConsumerService markup, parameter Location) into your CSOD company ID and put the certificate value inside the ds:X509Certificate markup

CSOD control panel

CSOD needs two things to configure LL::NG as an IDP:

  • Certificate

  • SAML assertion


See SAML security parameters to know how generate a certificate from you SAML private key.

SAML assertion

You need to use the IDP initiated feature of LL::NG. Just call this URL: