LinkedIn Learning SSO via ADFS Configuration Guide

  • Article

ADFS Overview

This document outlines the necessary steps for LinkedIn Learning administrators to set up Single Sign-on with ADFS 3.0. This guide also describes troubleshooting steps for common issues in the SSO-ADFS configuration.

What this Document Tells You

The following steps outline the SSO-ADFS configuration process:

linkedin-learning-sso-adfs-flow-diagram

Download Service Provider Metadata from LinkedIn Learning

  1. After you log in, if you are not already in the Admin screen, select Go to Admin, then select Me > Authenticate.

    linkedin-learning-authenticate-navigation-screen

  2. From the side navigation menu, select Configure single sign-on and click Add new SSO.

    linkedin-learning-sso-panel-settings-screen

  3. Click Add new SSO and select "SAML".

    linkedin-learning-add-saml-sso-screen

  4. In the Authenticate users with SAML SSO screen, under Identity provider settings, click Download.

    linkedin-learning-idp-sso-download-screen

  5. LinkedIn Learning downloads the SP metadata as an XML file. You need this file for the next section.

Add Relying Party Trust

  1. In ADFS, navigate to Trust Relationships > Relying Party Trusts. You should see the previously-added relying party trusts.

  2. In the right hand column, select "Add Relying Party Trust".

    adfs-add-relying-party-trust-screen

  3. In the left-hand side navigation, click Select Data Source, then choose “Import data about the relying party from a file” and select the SP Metadata file downloaded from LinkedIn Learning.

    adfs-import-data-screen

  4. Select Specify Display Name, then in the Display name field, enter a display name (i.e., "LinkedIn Learning").

    adfs-display-name-screen

  5. Select Configure Multi-factor Authentication Now?, then select "I do not want to configure multi-factor authentication settings for this relying party trust at this time".

    adfs-config-multi-factor-auth-screen

  6. Select Choose Issuance Authorization Rules, then select "Permit all users to access this relying party".

    adfs-issuance-rules-screen

  7. Select Finish, then select "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes", then click Close.

    adfs-edit-claim-rules-screen

  8. In the Issuance Transform Rules tab, select Add Rule..., then click OK.

    adfs-add-issuance-rule-screen

  9. In the Add Transform claim Rule Wizard window, select Choose Rule Type.

  10. Select “Send LDAP Attributes as Claims” from the dropdown, then click Next.

    adfs-ldap-attribute-values-screen

  11. Select Configure Claim Rule, then enter a name in the Claim rule name field.

  12. Select “Active Directory” in the Attribute Store dropdown.

  13. Choose your mappings. We recommend the values shown below, but you can select the values that align with your organization's needs.

    Important

    For authentication to be successful, you must map a unique identifier to the Name ID claim type. Linkedin Learning uses this value to identify users and should be unique and unchanging, like an Employee ID or a UPN.

    adfs-attribute-values-screen

    Note

    You can create additional claim rules such as "Job Title" or "Department" for reporting or grouping purposes.

  14. Click Finish and OK on the next screen.

Install the Certificate

  1. In ADFS, go to the Properties of the Relying Party Trust you just created and click the Signature tab. Double-click the certificate. If the window looks like this, skip to the next section.

    adfs-install-certificate-screen

    If the above window does not appear, install the certificate.

  2. Click Install Certificate… to open the wizard.

  3. For Store Location, choose "Local Machine".

    adfs-local-machine-cert-install-screen

  4. Click Next.

  5. On the next screen, choose "Place all certificates in the following store" and click Browse.

    adfs-cert-store-values-screen

  6. Choose "Trusted Root Certification Authorities".

    adfs-cert-store-screen

  7. Click OK and then Finish. Your Certificate window should now look similar to the one above.

Set Secure Hash Algorithm

  1. On the properties of the Relying Party Trust you created, go to the Advanced tab.

  2. In the Secure Hash Algorithm section, choose either "SHA-1" or "SHA-256".

Important

LinkedIn Learning defaults to "SHA-1". If you select "SHA-256", make sure you also choose "SHA-256" when completing the configuration in LinkedIn Learning.

adfs-secure-hash-algorithm-screen

Configure SAML SSO

To configure SAML SSO in ADFS and LinkedIn Learning, take the following steps:

  1. In ADFS, navigate to the Endpoints tab.

  2. Open the SP Metadata XML file you downloaded from LinkedIn Learning, locate the AssertionConsumerService URL, and paste it in the Endpoint. For example: https://www.linkedin.com/checkpoint/enterprise/saml/1234567?application=learning&appInstanceId=1234567&authModeId=1234567

This field maps to the Assertion Consumer Service URL, where a SAML response sends a "POST" via the user agent. In other words, you (the admin) trigger the IdP-initiated flows by sending the response to this endpoint.

Upload ADFS Metadata to LinkedIn Learning

  1. Download your ADFS metadata using the following format (replace your.adfsserver.com with your server name): https://your.adfsserver.com/FederationMetadata/2007-06/FederationMetadata.xml.

  2. Save the XML file to your computer.

  3. In the Authenticate users with SAML SSO screen, select SSO settings.

  4. Click Upload XML file.

    adfs-upload-metadata-file-screen

  5. Select the ADFS metadata XML file you downloaded.

  6. If you selected SHA-256 when configuring your relying party trust in ADFS, select the same value for Authentication Request Signing Algorithm. If you did not select SHA-256, leave the SSO options as the default values.

  7. Click Save.

  8. Toggle the connection to Active.

adfs-sso-status-toggle-screen

Trigger the IdP-Initiated Authentication Flow

To test Identity Provider-initiated SSO, use the following format (replace your.adfsserver.com with your server):

https://your.adfsserver.com/adfs/ls/IdpInitiatedSignOn.aspx

Trigger the SP-Initiated Authentication Flow

  1. First, locate your Account ID from the URL in the browser where you configured SSO. Example: https://www.linkedin.com/learning-admin/settings/global?account=1234567

  2. To create the Service Provider-initiated URL, use the following format: https://www.linkedin.com/checkpoint/enterprise/login/[accountid]?application=learning Example: https://www.linkedin.com/checkpoint/enterprise/login/1234567?application=learning

Note

If your LinkedIn Learning account has LinkedIn Profile binding enabled, you may be prompted to log in to LinkedIn after successful SSO authentication. This login is used to associate your LinkedIn Learning login with your personal LinkedIn account in order to drive content recommendations. If you have any questions about this prompt, contact your dedicated LinkedIn Learning Customer Success Manager to learn more.

linkedin-login-screen-screen

Congratulations! Your learners now can authenticate to LinkedIn Learning using ADFS.

Support

Below you can find supporting documentation and other resources.

Supporting Documentation

Technical Issues

If you have technical issues with the SSO setup, contact your account team or application support team through the LinkedIn Learning Help Center.

LinkedIn's Privacy and Data Security Policy

https://www.linkedin.com/legal/privacy-policy

LinkedIn Security Contacts

If you have any security questions or you would like to report a security issue, write to us at security@linkedin.com.

Back to Top