SSO for End-Users (OpenID Connect)

This section defines the setup for Single Sign On for End-Users when accessing their training. If you wish to enable the SSO option for administrators when accessing the Command Center, refer to the documentation here.

OutThink supports several different means of delivering training to end-users, including direct web-browser based delivery (“headless”) or delivery via a corporate Learning Management System (LMS). When accessing training directly in a browser, the default configuration gives users seamless access to their training via unique, time-limited hyperlinks. However, if desired, end-users can be required to authenticate with their corporate credentials (single sign on) whenever they access their training in this way.

This article describes how to set up a federation with your identity provider (IdP) using the OpenID Connect (OIDC) protocol. Once the federation is set up, end-users must sign in with their organizational account before they can review or complete their training. Examples of OIDC-compatible Identity Providers include Microsoft Entra ID, Auth0, Okta, Google and many others.

1. Setup configuration via the Command Center

Single Sign On for End-Users is configured globally for all organizations in your tenant simultaneously.

Sign in to the OutThink Command Center and navigate to Settings. Select the root Organization on the left-hand side, then switch to the Authentication (SSO) tab on the right.

Switch the configuration ON; the screen expands to show the required fields under the section Provide the following configuration.

The following explains each of the required fields in more detail. In all cases, consult your Identity Provider help or support documentation for additional information.

| Setting | Details |
| --- | --- |
| Issuer URL | The complete URL of the OpenID Provider. |
| Client ID | The client identifier, as registered with the OpenID Provider. |
| Client secret | The client secret is used in conjunction with the Client ID to authenticate the client application against the OpenID Provider. |
| Username mapping | An attribute from your IdP that uniquely identifies a user and can be mapped to the username in OutThink. For example, if you entered ${NameID}, we would use the values of this attribute from your IdP as usernames. Check your IdP documentation for the list of attributes. |
| Additional scopes | Scopes are used by an application during authentication to authorize access to a user’s details. Each scope returns a set of user attributes, which are called claims. The default scope required is openid. Add more scopes (comma separated) if needed to obtain the username claim. Note: When your Identity Provider is Microsoft Entra ID, the scope oid is typically required here. |
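As an added illustration (not OutThink's code; all values are constructed), the following Python shows how the fields above fit together on the relying-party side: the comma-separated Additional scopes become the space-separated scope parameter of the authorization request, the ${Claim} Username mapping is resolved against the claims returned in the ID token, and the issuer and audience of those claims are checked against the configured Issuer URL and Client ID before the username is trusted. The claim names, URLs and client identifier are assumptions.

```python
import re

# Constructed stand-ins for the Command Center fields (not real OutThink values).
CONFIG = {
    "issuer_url": "https://idp.example.com",
    "client_id": "outthink-training",
    "additional_scopes": "profile, email",  # comma separated, as in the table
    "username_mapping": "${email}",         # ${Claim} syntax from the table
}

# Constructed ID token claims, as an IdP might return them after sign-in.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "aud": "outthink-training",
    "sub": "7a1f2c",
    "email": "alice@example.com",
}

def requested_scopes(additional: str) -> list[str]:
    """openid is always requested; the rest comes from the comma-separated field.
    Joined with spaces, this becomes the scope parameter of the authorization request."""
    extra = [s.strip() for s in additional.split(",") if s.strip()]
    return ["openid"] + [s for s in extra if s != "openid"]

def resolve_username(mapping: str, claims: dict) -> str:
    """Apply the ${Claim} username mapping to the claims the IdP returned."""
    match = re.fullmatch(r"\$\{(\w+)\}", mapping.strip())
    if not match:
        raise ValueError(f"mapping must look like ${{Claim}}, got {mapping!r}")
    claim = match.group(1)
    if not claims.get(claim):
        # Typical misconfiguration: the scope that releases this claim was not added.
        raise KeyError(f"claim {claim!r} not in ID token; add the scope that releases it")
    return str(claims[claim])

def validate_id_token_claims(config: dict, claims: dict) -> list[str]:
    """Relying-party checks before trusting claims: issuer and audience must match the config."""
    problems = []
    if claims.get("iss") != config["issuer_url"]:
        problems.append(f"issuer {claims.get('iss')!r} does not match the configured Issuer URL")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if config["client_id"] not in audiences:
        problems.append("ID token audience does not include the configured Client ID")
    return problems

if __name__ == "__main__":
    print("scope =", " ".join(requested_scopes(CONFIG["additional_scopes"])))
    print("username =", resolve_username(CONFIG["username_mapping"], SAMPLE_CLAIMS))
    print("problems =", validate_id_token_claims(CONFIG, SAMPLE_CLAIMS))
```

A KeyError from resolve_username is the symptom to expect when the username claim is not released by the scopes configured, which is the case the Additional scopes field exists to fix.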

Once populated, click Save.

Be aware that as soon as you save the new settings, all end-users will be required to authenticate when accessing training. It is therefore advisable not to change these settings while a campaign is in progress, and to make the change at an off-peak time for your organization.

2. Configure your Identity Provider

You will need to configure your Identity Provider so that it knows how to process authentication requests from OutThink.

Copy the Redirect URL from the same settings screen under the section Copy and paste the following links to your identity provider. Paste the URL at the appropriate configuration screen at your Identity Provider. For details, consult the help or support documentation for your Identity Provider.

3. Test the configuration

It is important to test the configuration now. Do this by creating a new test training campaign via the OutThink Command Center and sending it to yourself or an informed colleague.

When the email invitation is received, click the Start now (or equivalent) button or hyperlink.

Your web browser should launch and be redirected to your familiar corporate authentication screen via the OpenID Connect authentication flow. Be aware that if you already have an authenticated session at your Identity Provider, you may not be asked to re-enter credentials at this point (this is the expected single sign on behaviour).

At this point, ensure that you are correctly redirected to the Learner Dashboard and the training is available to be completed. If there are errors in the authentication flow, check the settings carefully in both the Command Center and at your Identity Provider.
