documentation:2.1:applications:cornerstone [2017/02/07 17:06] (current)
====== Cornerstone On Demand ======

{{ :applications:csod_logo.png |}}

===== Presentation =====

[[http://www.cornerstoneondemand.com/|CornerStone On Demand (CSOD)]] allows users to be authenticated with SAML. By default it uses the IDP-initiated mechanism, but it also works with the standard SP-initiated flow.

To work with LL::NG it requires:
  * An enterprise account
  * LL::NG configured as [[..idpsaml|SAML Identity Provider]]
  * Users registered on CSOD with the same email as in LL::NG (the email is the NameID exchanged between CSOD and LL::NG)
 +
===== Configuration =====

==== New Service Provider ====

You should already have configured LL::NG as a [[..idpsaml|SAML Identity Provider]].

Now we will add CSOD as a new SAML Service Provider:
  - In Manager, click on SAML service providers and the button ''New service provider''.
  - Set csod as Service Provider name.
  - Set ''Email'' in ''Options'' » ''Authentication Response'' » ''Default NameID format''
  - Select ''Metadata'', unprotect the field and paste the following value:
<file xml>
<md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
Base64 encoded CSOD certificate
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompanyid.csod.com/samldefault.aspx" index="1" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
</file>
 +
<note important>Replace **mycompanyid** with your CSOD company ID. It appears twice: in the ''entityID'' attribute and in the ''Location'' parameter of the ''AssertionConsumerService'' markup. Put the base64 value of the certificate CSOD signs with inside the ''ds:X509Certificate'' markup: LL::NG uses it to verify signatures coming from CSOD, so it must be CSOD's certificate, not the LL::NG one.</note>
 +
 +
==== CSOD control panel ====

CSOD needs two things to configure LL::NG as an IDP:
  * the LL::NG signing certificate
  * a sample SAML assertion

=== Certificate ===

See [[..:samlservice#security_parameters|SAML security parameters]] to know how to generate a certificate from your SAML private key.

=== SAML assertion ===

You need to use the IDP-initiated feature of LL::NG. Just call this URL (the ''sp'' parameter must be the ''entityID'' declared in the metadata above):
<code>
https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com
</code>
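The following Python script is an added example and is not part of this documentation page nor code from LemonLDAP::NG or CSOD. It covers both the metadata step above and the IDP-initiated URL of this section: it generates the CSOD service provider metadata from a company ID and a PEM certificate, builds the IDP-initiated URL for the LL::NG portal, and checks the two against each other (the ''sp'' parameter equals the ''entityID'', the HTTP-POST AssertionConsumerService is served over https, the NameID format is emailAddress, and the certificate field really holds a base64 DER certificate rather than the placeholder text). The portal ''auth.example.com'' is the one used on this page; the embedded PEM block is a constructed placeholder (a bare DER SEQUENCE) so that the script runs offline, and the certificate check is deliberately shallow (first DER byte only), not a full X.509 parse.

```python
"""Added example (not LL::NG or CSOD code): build and sanity-check the CSOD
SP metadata against the LL::NG IDP-initiated URL."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ACS_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder, NOT a real certificate: base64 of the DER bytes
# 30 03 02 01 01 (a SEQUENCE holding INTEGER 1), enough for the shallow check.
FAKE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----"""


def pem_to_b64(pem: str) -> str:
    """Strip the PEM armour and whitespace; reject bodies that are not DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    b64 = "".join(body.split())
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("certificate body is not DER-encoded X.509")
    return b64


def build_csod_metadata(company_id: str, cert_pem: str) -> str:
    """Produce the SP metadata shown on this page for the given company ID."""
    entity_id = f"{company_id}.csod.com"
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")  # CSOD's signing cert
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_to_b64(cert_pem)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=ACS_POST,
                  Location=f"https://{entity_id}/samldefault.aspx", index="1")
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = EMAIL_FMT
    return ET.tostring(root, encoding="unicode")


def idp_initiated_url(portal: str, entity_id: str) -> str:
    """The LL::NG IDP-initiated SSO URL documented on this page."""
    return f"{portal}/saml/singleSignOn?" + urlencode({"IDPInitiated": "1", "sp": entity_id})


def check_metadata(xml_text: str, sso_url: str) -> list:
    """Return a list of problems found; an empty list means the pair is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    if acs is None or acs.get("Binding") != ACS_POST:
        problems.append("missing HTTP-POST AssertionConsumerService")
    elif urlsplit(acs.get("Location", "")).scheme != "https":
        problems.append("ACS Location must be https: assertions are POSTed to it")
    if root.findtext(f"{{{MD}}}SPSSODescriptor/{{{MD}}}NameIDFormat") != EMAIL_FMT:
        problems.append("NameIDFormat must be emailAddress (CSOD matches users by email)")
    cert = "".join((root.findtext(f".//{{{DS}}}X509Certificate") or "").split())
    try:
        der = base64.b64decode(cert, validate=True)  # binascii.Error is a ValueError
        if not der or der[0] != 0x30:
            raise ValueError("not DER")
    except ValueError:
        problems.append("X509Certificate is not a base64 DER certificate (placeholder left in?)")
    if parse_qs(urlsplit(sso_url).query).get("sp", [""])[0] != entity_id:
        problems.append("sp= in the IDP-initiated URL does not match entityID")
    return problems


if __name__ == "__main__":
    metadata = build_csod_metadata("mycompanyid", FAKE_PEM)
    url = idp_initiated_url("https://auth.example.com", "mycompanyid.csod.com")
    print(metadata)
    print(url)
    print(check_metadata(metadata, url) or "metadata and IDP-initiated URL are consistent")
```

Run it against your own metadata by passing the pasted XML and the URL you give to CSOD to ''check_metadata''; the placeholder line of the template above is reported, as is a ''sp'' value that does not match the ''entityID''.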