Why is User Profile mapping required?
If you want candidates to access their activities from both the LMS and Inspera using their SSO logins (Google, MS or any other), a user profile mapping is needed so that the same person is recognised as one user across the two platforms. Users are mapped across both platforms using custom parameters. This keeps user information consistent and accurate across the LMS and Inspera and lets the system correctly identify users in different applications, maintaining a seamless experience.
What happens when custom parameters are not configured in LMS?
If the user is not mapped, an SSO login to Inspera by an LMS user will generate a different (new) user in Inspera. Consequently, the user may not be able to see their assessments / data. The LMS user will be able to access their assigned assignments, while the Inspera candidate won't find any assignment, as they are two distinct users.
How to configure the custom parameters for user mapping (SSO)
The following is a sample configuration for different SSO systems.
External user ID = Email ID
- username_resolver=BY_EMAIL
- lti_authtype=LTI
Refer to the subsequent section for details.
Sample scenario for Generic SAML
- Log in to your Inspera portal using SSO to check the externalUserId mapping field in the SAML assertion. The same field will need to be mapped as externalUserId from Inspera and the LMS. Use a test user to identify the email address attribute from the SAML token.
- In the developer debugging window, get the SAML response for the assertion:
https://{domain}/saml/endpoint/assertion
- Decode the SAML response using any SAML tool. The decoded version should be similar to the following
- We accept the name ‘urn:oid:1.3.6.1.4.1.5923.1.1.1.6’ or the friendly name 'eduPersonPrincipalName' as the default attribute name for holding the externalUserId in the SAML response. (SAML field reference)
- If eppn (eduPersonPrincipalName) is not available in the SAML response, you will need to add it to the attribute list in the SAML configuration. This is the field that will be used for mapping the user across both platforms, the LMS and Inspera.
- By default, Inspera accepts eppn as externalUserId. If you want to use another attribute, you need to inform Inspera during the SAML setup.
- If you can identify an attribute within the SAML assertion that contains the email address, you can combine it with the LTI BY_EMAIL username_resolver. This will work if externalUserId is the same in Inspera and the LMS. Using eppn with BY_EMAIL only works if eppn holds the same email address as registered in the LMS.
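The check described in the steps above, as an added example that is not Inspera's own code: it decodes a captured base64 SAMLResponse, lists its attributes, and tests whether eppn (spelled eduPersonPrincipalName in the eduPerson schema) equals the email registered in the LMS. The sample response, the function names and the exact string comparison are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
EPPN_NAMES = {EPPN_OID, "eduPersonPrincipalName"}

# Constructed sample response for a test user (not captured from a real IdP).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
   <saml:AttributeValue>test.user@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
   <saml:AttributeValue>test.user@example.edu</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()


def saml_attributes(b64_response):
    """Return (Name, FriendlyName, [values]) for each Attribute in the response.
    Inspection aid only: the assertion signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    found = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        found.append((attr.get("Name"), attr.get("FriendlyName"), values))
    return found


def external_user_id(b64_response):
    """Value of eppn (matched by OID name or friendly name), or None if absent."""
    for name, friendly, values in saml_attributes(b64_response):
        if EPPN_NAMES & {name, friendly}:
            return values[0] if values else None
    return None


def by_email_will_match(b64_response, lms_email):
    """True only if eppn is present and identical to the LMS email (exact compare;
    how Inspera treats letter case is not stated on the page)."""
    eppn = external_user_id(b64_response)
    return eppn is not None and eppn == lms_email.strip()


if __name__ == "__main__":
    for name, friendly, values in saml_attributes(SAMPLE):
        print(f"{friendly or '-':28} {name:40} {values}")
    print("BY_EMAIL match:", by_email_will_match(SAMPLE, "test.user@example.edu"))
```

A result of `None` from `external_user_id` means eppn is missing from the response and has to be added to the attribute list, or another attribute agreed with Inspera during the SAML setup.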