Cornerstone On Demand

CornerStone On Demand (CSOD) allows to use SAML to authenticate users. It works by default with IDP intiated mechanism, but can works with the standard SP initiated cinematic.

To work with LL::NG it requires:

  • An enterprise account
  • LL::NG configured as SAML Identity Provider
  • Registered users on CSOD with the same email than those used by LL::NG (email will be the NameID exchanged between CSOD and LL::NG)

You should have configured LL::NG as an SAML Identity Provider,

Now we will add CSOD as a new SAML Service Provider:

  1. In Manager, click on SAML service providers and the button New service provider.
  2. Set csod as Service Provider name.
  3. Set Email in Options » Authentication Response » Default NameID format
  4. Select Metadata, and unprotect the field to paste the following value:
<md:EntityDescriptor entityID="" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="">
Base64 encoded CSOD certificate
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1" />
Change mycompanyid (in AssertionConsumerService markup, parameter Location) into your CSOD company ID and put the certificate value inside the ds:X509Certificate markup

CSOD needs two things to configure LL::NG as an IDP: * Certificate * SAML assertion


For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button Download this file):

After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk.

Then use openssl to generate an auto-signed certificate:

openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem

SAML assertion

This is quite difficult to have because LL::NG only send SAML assertions when it receives an SAML request, and CSOD will only send an SAML Request when configured.

The only solution is to simulate an SAML Request on LL::NG. It requires to disable signature verification in the CSDO SP configuration.

After that, you can create your own SAML Request:

<AuthnRequest xmlns:xsd=""
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"></Issuer>
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
    <Conditions NotBefore="2013-01-31T23:22:32.515738Z"
Change mycompanyid (in AssertionConsumerService markup, parameter Location) into your CSOD company ID, update all dates and update the URL in Destination

Encode it into base64 and send it to LL::NG as a GET request:

With the network tracer of your browser, you can get the POST response and extract the SAML assertion.