BAI Single Sign-On Instructions

BAI offers a Single Sign-On solution using the SAML 2.0 standard. Configuration instructions for common Identity Providers are available below:

Active Directory Federation Services

  1. Retrieve the BAI Learning Manager SAML Metadata file from the URL in your web browser: https://lmgr.bai.org/lms-web/sso/saml2
    • Chrome, Firefox, Edge, and IE11 will prompt you to save an XML-formatted file, which will have the default name of lmgr.bai.org_lms-web_sso_saml2.xml
  2. Open the AD FS Management tool
  3. Right-Click on the “Relying Party Trusts” folder, and choose “Add new relying party trust”
  4. Leave the default setting of “claims aware” in the wizard and click “start”
  5. Enter https://lmgr.bai.org/lms-web/sso/saml2 in the metadata URL and hit Next
  6. Enter “lmgr.bai.org” as the display name, and “BAI Learning Manager” as the description
  7. Choose “permit everyone” if all of your users will be using BAI Learning Manager, or “specific group” if an Active Directory group will be used to control access
  8. Review and Hit “Next” in the wizard
  9. Leave the box “Configure Claims Issuance Policy for this application” checked and hit “Close”
  10. In the “Issuance transform rules” which appears, click on “Add Rule”
  11. Choose “Send LDAP attributes as claims” as the rule type
  12. Enter “BAI_claim_rule” as the claim rule name
  13. Select “active directory” under attribute store
  14. Add new attributes, selecting the following mappings:
    • “Email Addresses” -> “Email Address”
    • “Given Name” -> “Given Name”
    • “Surname” -> “Surname”
    • “Title” -> “Title”
    • “Department” -> “Department”
    • Note: Attribute mappings may need to differ depending on how you import usernames and SSO usernames into BAI Learning Manager; work with your IT team or call BAI support for assistance
  15. Hit finish and then hit “Add Rule” again
  16. Choose “transform an incoming claim” as the rule type
  17. Enter “BAI_transform_rule” as the rule name
  18. For “incoming claim” choose “email address”
  19. For “outgoing claim type” choose “Name ID”
  20. For “outgoing Name ID format” choose “email”
  21. Leave “Pass through all claim types” selected
  22. Test with one of the users in the group you specified at https://lmgr.bai.org/lms-web/sso

Azure Active Directory

  1. Download the BAI Learning Manager SAML Metadata file from the URL in your web browser: https://lmgr.bai.org/lms-web/sso/saml2
    • Chrome, Firefox, and Edge will prompt you to save an XML-formatted file, which will have the default name of lmgr.bai.org_lms-web_sso_saml2.xml
  2. Log in to portal.azure.com with a tenant administrator account
  3. Choose Azure Active Directory from the left menu (or search for it if it is not in your favorites)
  4. Click Enterprise applications
  5. Click “New Application”
  6. Click “Create your own application”
  7. Give it the name = “lmgr.bai.org”, select “Integrate any other application you don’t find in the gallery (Non-gallery)”, and click “Create”
  8. Under section 2. Set up single sign on, click “Get started”
  9. Click SAML
  10. Click Upload metadata file
  11. Select the file from step 1, lmgr.bai.org_lms-web_sso_saml2.xml, and click Add
  12. Click Save
  13. Note: You may need to edit User Attributes and Claims so that the “name id” field matches the “SSO Username” field in BAI Learning Manager. These are sometimes different depending on choices made when your Active Directory was created. If sign-in does not work with the default claims mapping, changing the name ID field mapping to “user.mail” often resolves it. Please contact BAI support if you have questions or problems.
  14. Under section 3 SAML certificates, copy the “App Federation Metadata Url” and send it to the BAI Project Manager assigned to assist with your SAML setup.
  15. Click “Users and Groups” from the left panel. Add the Active Directory groups containing users who should have access to BAI Learning Manager. It is recommended to use groups instead of adding users individually. Ideally, you can create one group called, for example, “Access-BAI-Learning-Manager” which contains other nested role-based groups of users to grant access.
  16. After you have provided your SAML metadata URL to BAI, they will configure the system to trust that identity provider for your portal. When BAI has confirmed that access is ready, you can test logging in via SAML at https://lmgr.bai.org/lms-web/sso

Google Workspace

  1. Log into your Google administrator account (https://accounts.google.com) and select “Apps.”
  2. Click SAML apps.
  3. Select the Add a service/App to your domain link or click the plus (+) icon in the bottom corner.
  4. Click Setup my own custom SAML App.
  5. Click “Download” to get the IDP metadata. You will need to forward this file to BAI for SAML configuration on the BAI servers.
  6. Click “Next.”
  7. On the Basic Application Information page, add an application name and description.
    • (Optional) Click Choose file next to the Upload Logo field to upload a PNG or GIF file to serve as an icon. The file size should be 256 pixels square.
  8. Click “Next.”
  9. On the Service Provider Details page, enter the following information:
    • ACS URL- https://lmgr.bai.org/lms-web/sso/Acs
    • Entity ID – https://lmgr.bai.org/lms-web/sso/saml2
    • Start URL – https://lmgr.bai.org/lms-web/sso/?portal=[Organization Portal Name]
    • Name ID – Basic Information
    • Name ID Format – Email
  10. Click “Next.”
  11. Click “Finish.”
  12. Return to Apps > Web and mobile apps
  13. Select your new SAML App
  14. Click “User Access”
  15. Click “On for Everyone”, then click “Save”

Okta

  1. Within Okta, navigate to the developer console.
  2. In the upper left corner, select “Classic UI”
  3. Click the Applications tab, then click “Add Application”.
  4. Click “Create New App”
  5. Make sure “Web” is selected in the drop-down box
  6. Select SAML 2.0 for sign on method
  7. Create and enter a Name for the application (e.g. BAI)
  8. Click “Next”
  9. In “Single sign on URL” enter https://lmgr.bai.org/lms-web/sso/Acs
  10. Deselect “Use this for Recipient URL and Destination URL”
  11. In “Recipient URL” enter https://lmgr.bai.org/lms-web/sso/Acs
  12. In “Destination URL” enter https://lmgr.bai.org/lms-web/
  13. In “Audience Restriction” enter https://lmgr.bai.org/lms-web/sso/saml2
  14. Click “Next”
  15. Select “I’m an Okta customer adding an internal app”
  16. Click “Finish”
  17. This newly created application will need to be assigned to users for them to access it.
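The Google Workspace and Okta steps above ask you to type the Entity ID, ACS URL and NameID format by hand, while the AD FS and Azure steps start from the SP metadata file. The following is an added example (not part of BAI's instructions) that parses such a metadata file and flags any value that differs from what this page tells you to enter; the XML in it is a constructed stand-in for lmgr.bai.org_lms-web_sso_saml2.xml, and the function names are the example's own.

```python
# Added example (not from BAI's instructions): parse the SP metadata file saved in
# step 1 of the AD FS / Azure sections and confirm it advertises the same values
# the Google Workspace and Okta forms above ask you to type in. The XML here is a
# constructed stand-in for lmgr.bai.org_lms-web_sso_saml2.xml, not BAI's file.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values this page tells you to enter in the identity provider.
EXPECTED = {
    "entity_id": "https://lmgr.bai.org/lms-web/sso/saml2",
    "acs_url": "https://lmgr.bai.org/lms-web/sso/Acs",
    "nameid_format": EMAIL_FORMAT,
}

# Constructed sample in the shape of a SAML 2.0 SP descriptor.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://lmgr.bai.org/lms-web/sso/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lmgr.bai.org/lms-web/sso/Acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the entity ID, the HTTP-POST ACS URL and the NameID formats offered."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST_BINDING]
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS)]
    return {"entity_id": root.get("entityID"), "acs_url": acs[0] if acs else None,
            "nameid_formats": formats}


def check_against_instructions(xml_text, expected=EXPECTED):
    """List every mismatch between the metadata and the values on this page."""
    found = parse_sp_metadata(xml_text)
    problems = []
    if found["entity_id"] != expected["entity_id"]:
        problems.append("entityID is %s" % found["entity_id"])
    if found["acs_url"] != expected["acs_url"]:
        problems.append("HTTP-POST ACS URL is %s" % found["acs_url"])
    if expected["nameid_format"] not in found["nameid_formats"]:
        problems.append("email NameID format not advertised")
    return problems  # empty list: the form values above can be entered as-is
```

Run it against the real downloaded file (`check_against_instructions(open("lmgr.bai.org_lms-web_sso_saml2.xml").read())`) before filling in the Google or Okta form; an empty list means the URLs on this page match what the service provider actually publishes.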

Other

If your Identity Provider is not listed above, please contact BAI Support to confirm your Identity Provider is compatible.