documentation:2.1:applications:cornerstone

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

documentation:2.1:applications:cornerstone [2017/02/07 17:06] (current)
Line 1: Line 1:
 +====== Cornerstone On Demand ======
 +
 +{{ :applications:csod_logo.png |}}
 +
 +===== Presentation =====
 +
 +[[http://www.cornerstoneondemand.com/|CornerStone On Demand (CSOD)]] allows one to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.
 +
 +To work with LL::NG it requires:
 +  * An enterprise account
 +  * LL::NG configured as [[..idpsaml|SAML Identity Provider]]
 +  * Registered users on CSOD with the same email than those used by LL::NG (email will be the NameID exchanged between CSOD and LL::NG)
 +
 +===== Configuration =====
 +
 +==== New Service Provider ====
 +
 +You should have configured LL::NG as an [[..idpsaml|SAML Identity Provider]],
 +
 +Now we will add CSOD as a new SAML Service Provider:
 +  - In Manager, click on SAML service providers and the button ''New service provider''.
 +  - Set csod as Service Provider name.
 +  - Set ''Email'' in ''Options'' » ''Authentication Response'' » ''Default NameID format''
 +  - Select ''Metadata'', and unprotect the field to paste the following value:
 +<file xml>
 +<md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 +  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 +    <KeyDescriptor use="signing">
 +      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 + <ds:X509Data>
 +   <ds:X509Certificate>
 +Base64 encoded CSOD certificate
 +     </ds:X509Certificate>
 +   </ds:X509Data>
 +      </ds:KeyInfo>
 +    </KeyDescriptor>
 +    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompanyid.csod.com/samldefault.aspx" index="1" />
 +    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
 +  </SPSSODescriptor>
 +</md:EntityDescriptor>
 +</file>
 +
 +<note important>Change **mycompanyid** (in ''AssertionConsumerService'' markup, parameter ''Location'') into your CSOD company ID and put the certificate value inside the ds:X509Certificate markup</note>
 +
 +
 +==== CSOD control panel ====
 +
 +CSOD needs two things to configure LL::NG as an IDP:
 +  * Certificate
 +  * SAML assertion
 +
 +=== Certificate ===
 +
 +See [[..:samlservice#security_parameters|SAML security parameters]] to know how generate a certificate from you SAML private key.
 +
 +=== SAML assertion ===
 +
 +You need to use the IDP initiated feature of LL::NG. Just call this URL:
 +<code>
 +https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com
 +</code>