The SAML 2.0 implementation within LearningStudio supports two primary use cases, both of which are described in detail below:
USE CASE #1 - LearningStudio Campus Access Through Federated Services
In this scenario a user attempts to access the LearningStudio portal directly from the eCollege hosted public campus without being logged in. The user has an account in LearningStudio and a federated account managed by the institution. PingFederate sends an authentication request to the institution's identity provider ("IdP"). Both the request and the returned SAML assertion are relayed through the user's browser via HTTP POST.
- User clicks on link to access LearningStudio.
- PingFederate sends an Authentication Request to the user's browser, which immediately posts it to the IdP to request the SSO service.
- The IdP authenticates the user.
- The IdP will determine if the user has an open session. If not, a logon screen is presented.
- The user logs in with their valid credentials.
- The IdP validates user credentials against the user store.
- The IdP sends a SAML Response to the user's browser, which immediately posts it to PingFederate's Assertion Consumer Service.
- PingFederate uses the OpenToken adapter to send a token to the user's browser and request the portal launch.
- A new service is needed to launch the portal using the OpenToken. The existing service only supports course launch and requires a call number.
- User is given access to portal and course list.
USE CASE #2 - LearningStudio Course Access Through Federated Services
- User clicks on a link within their course list on their university hosted portal.
- Steps 1 through 3 can vary depending on the portal and IdP configuration.
- The portal requests the SSO service from the IdP.
- The IdP gathers any additional attributes needed for course launch. For LearningStudio course launch, the username, client string (campus identifier), and call number (course identifier) are required.
- The IdP sends a SAML Assertion to the user's browser, which immediately posts it to PingFederate's Assertion Consumer Service.
- PingFederate uses the OpenToken adapter to send a token to the user's browser and request the course launch. The username, client string, and call number are extracted from the assertion and included in the token.
- User is given access to their course.
Note: For Use Case #2, the IdP must have the ability to pass the LearningStudio CallNumber in the successful assertion to be able to identify the course to be launched.
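The following is an added example, not code from LearningStudio, eCollege or PingFederate. It models the service-provider side of the HTTP-POST exchange in both use cases: building the AuthnRequest that is posted to the IdP (Use Case #1, SP-initiated) and the checks an Assertion Consumer Service should apply to the posted Response before any OpenToken is minted, including the unsolicited (IdP-initiated) case of Use Case #2 and the extraction of the username, client string and call number. The entity IDs, the ACS URL, the attribute names and the sample Response are all constructed assumptions; XML signature verification is assumed to happen before these checks and is not shown.

```python
"""Added example: SP-side SAML 2.0 HTTP-POST handling for the two use cases.
Signature verification over the Response/Assertion is assumed to run first."""
import base64
import uuid
import xml.etree.ElementTree as ET  # use defusedxml in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical deployment identifiers (assumptions, not from the page).
SP_ENTITY_ID = "https://sp.example.edu/sp"
ACS_URL = "https://sp.example.edu/sp/ACS.saml2"
IDP_ENTITY_ID = "https://idp.example.edu/idp"
# Assumed attribute names carrying the three values Use Case #2 requires.
COURSE_LAUNCH_ATTRS = ("username", "clientstring", "callnumber")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(issued_at, request_id=None):
    """Use Case #1 step 2: the AuthnRequest posted to the IdP via the browser.
    Returns (request_id, base64 XML); the SP must remember request_id."""
    rid = request_id or "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{rid}" Version="2.0" IssueInstant="{issued_at:%Y-%m-%dT%H:%M:%SZ}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           f'AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return rid, base64.b64encode(xml.encode()).decode()


def validate_response(response_b64, outstanding_ids, now,
                      allow_unsolicited=False, skew=timedelta(minutes=3)):
    """Assertion Consumer Service checks. Raises ValueError on any failure,
    otherwise returns the NameID and the asserted attributes."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")
    # SP-initiated (Use Case #1): must answer a request this SP actually issued.
    # IdP-initiated (Use Case #2): no InResponseTo; accept only if configured.
    in_resp = root.get("InResponseTo")
    if in_resp is None:
        if not allow_unsolicited:
            raise ValueError("unsolicited Response rejected")
    elif in_resp not in outstanding_ids:
        raise ValueError("InResponseTo does not match an outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous multi-assertion responses
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion Issuer mismatch")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now + skew < _ts(nb)) or not noa or now - skew >= _ts(noa):
        raise ValueError("Assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion not addressed to this SP")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or scd is None or sc.get("Method") != BEARER:
        raise ValueError("missing bearer SubjectConfirmation")
    if (scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != in_resp
            or now - skew >= _ts(scd.get("NotOnOrAfter"))):
        raise ValueError("SubjectConfirmationData check failed")
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}


def course_launch_claims(validated):
    """Use Case #2: the three values that go into the OpenToken, or a failure."""
    try:
        return tuple(validated["attributes"][k][0] for k in COURSE_LAUNCH_ATTRS)
    except (KeyError, IndexError):
        raise ValueError("assertion lacks username/clientstring/callnumber")


# Constructed sample: a Response answering request "_req1", valid around NOW.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
REQ_ID = "_req1"
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  InResponseTo="{REQ_ID}" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{REQ_ID}"
          NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="clientstring"><saml:AttributeValue>exampleu</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="callnumber"><saml:AttributeValue>12345678</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    print(course_launch_claims(validate_response(SAMPLE_RESPONSE, {REQ_ID}, NOW)))
```

The three values pulled by course_launch_claims are exactly what the note above says the IdP must be able to place in the assertion; if the IdP cannot supply the call number, validation succeeds but the course launch fails closed rather than launching an arbitrary course. Setting allow_unsolicited=True is what distinguishes the IdP-initiated flow of Use Case #2 from the SP-initiated flow of Use Case #1, and should only be enabled for the IdPs that actually use it.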