Setting up SSO with SAML 2.0 on H5P.com simplifies user access, replacing traditional login methods. Note that SSO is separate from LTI. H5P.com doesn't manage user accounts; authentication and user data are handled by the identity provider (IdP).
For detailed guidance on using Okta as an Identity Provider (IdP) for SAML 2.0 SSO, refer to the article: Use Okta.com as an Identity Provider for H5P.com SAML 2.0 SSO.
Prerequisites
In order to configure Single Sign-On for your organization, there are a few prerequisites:
- The SSO feature is not enabled by default. Reach out to your sales and customer success representative or sales@h5p.com to have this feature enabled. As long as you are on standard rates or enterprise there is no extra charge to access SSO.
- You must have your own SAML 2.0 compliant Identity Provider (IdP) and the necessary permissions and know-how to configure a "relying party trust" (configuring your IdP to allow users to sign into h5p.com)
- Your Identity Provider must have a publicly available SAML XML metadata endpoint with a valid HTTPS certificate
Known limitations and considerations
- Only Service Provider (SP) initiated login is supported. This authentication flow is triggered when a user visits <your-organization>.h5p.com.
- User accounts are not created automatically (subject to change). The typical use case is to have users first sign in via LTI to have their user account automatically provisioned.
- When SAML 2.0 login is enabled for your organization, you can still log in as an administrator via the /login/introduce path using your email and password. You can disable email and password login in security settings.
Overview of the setup process
When H5P.com enables SAML for your organization your administrators will find the SAML-related settings under "Manage organization" -> "Settings" -> "Single Sign-on (SAML)". The steps involved in configuring Single Sign-On using SAML 2.0 are these:
- You provide the URL to your Identity Provider's XML metadata, and the SAML attribute name used for email
- Some values will be generated for you, that you use to configure your Identity Provider
- You enable SAML 2.0 login for your organization
- Verifying that it works
Part 1: Providing initial configuration values
Step 1: Log in to H5P.com as an admin user with your e-mail address as user name and your password.
Step 2: Go to Manage Organization
Step 3: Go to "Settings" and expand the "Single Sign-On (SAML)" panel
If you don't see this settings panel, it means the feature is not enabled for your organization. Please reach out to your contact person.
Step 4: Provide the requested values
- For the "Identity Provider Metadata XML URL" field, enter the public URL for your IdP's metadata.
- For the "Attribute Mapping Email" field, enter the name of the SAML attribute that will contain the user's email address. This is the only attribute we need, and it is used to find the user's account when they sign in.
- Click Save Settings at the bottom of the page.
Part 2: Configure your Identity Provider
Re-open the Single Sign-On (SAML) settings panel and you will find some values that you will need in order to configure your identity provider.
The exact steps for configuring your Identity Provider depends on the software used. Popular solutions are Microsoft's commercial products Azure AD (cloud-based) or Active Directory Federation Services (ADFS, on-premise), or the open-source Shibboleth, but your organization may be using something entirely different. We do not currently provide guides for configuring specific Identity Providiers at this time, but we may add those in the future.
Part 3: Enable SAML 2.0 login for your organization
After having configured your Identity Provider, in the Single Sign-On (SAML) settings panel for your organization, enable SAML 2.0 login for your organization by checking the checkbox and then hitting Save Settings.
Part 4: Verifying that it works
You are most likely already signed into your organization, so the most convenient way to test Single Sign-On is to open a new private tab in your browser. Alternatively, you must sign out of your current session first.
Next, navigate to https://<your-organization>.h5p.com, and you should be immediately redirected to your Identity Provider's login page.
Now, if you can, try to sign in using your own account that matches the email address of your existing H5P.com administrator user account. If the login is successful, you should be redirected back to your organization's content list.
You can also try to sign in using any other account, and then the expected result is that you will end up on an error page stating "User account not found. Please ask your H5P.com administrator to create one that matches your email".
In order to grant this user access, manually add them via Manage Organization > Users, and then try to initiate single sign-on again by navigating to https://<your-organization>.h5p.com