LinkedIn Learning Single Sign-On (SSO) Implementation Guide

  • Article

What this Document Tells You

The following steps outline the LinkedIn Learning SSO implementation process:

sso-implementation-flow-chart

SSO Implementation Overview

The administrator for your organization account can configure your company to authenticate to LinkedIn Learning using SSO through integration with LinkedIn's enterprise platform.

Prerequisites

  • Your company email account
  • Full administrator privileges
  • Identity Provider (IdP) administrative privileges

About Single Sign-On (SSO)

Enterprise Single Sign-On (SSO) allows your company's employees to sign into supported LinkedIn applications using their corporate credentials instead of their LinkedIn credentials.

Using SSO and integrating with an SSO provider is not required to use LinkedIn applications. If SSO is not configured, your employees can authenticate themselves using their current personal LinkedIn credentials or create a new member account.

Why you Should Use Single Sign-On

  • Leverage your existing company's authentication
  • Better security when employees use your company's established password protocols rather than their individual accounts
  • Easier user management when employees leave your company

Supported SSO Protocols

We currently support SAML version 2.0, LTI 1.0 and 1.1, and Google SSO.

Configuring Single Sign-On (SSO)

To configure your LinkedIn Learning SSO, take the following steps:

Getting Started with SSO

To get started with your SSO configuration, take the following steps:

  1. After you log in, if you are not already in the Admin screen, select Go to Admin > Me > Authenticate.

    authenticate-navigation-screen

  2. From the side navigation menu, select Configure single sign-on and click Add new SSO.

    add-sso-method-screen

  3. Select an SSO method (in this case, "SAML").

    select-sso-method-dropdown

  4. Give your SSO connection a name.

    add-sso-name-screen

  5. Click Next and follow the instructions here.

  6. Under SSO settings, select your SSO options.

  • Sign AuthnRequest:

    • Yes

    • No (default)

  • SAML Request Binding:

    • HTTP-Redirect (default)

    • HTTP-Post

  • Include Assertion Consumer Service URL:

    • Yes

    • No (default)

  • Authentication Request Signing Algorithm:

    • SHA1 (default)

    • SHA256

  • AuthnContextClassRef – If you do not specifically know which value to use, leave "Don't send this value (default)".

  1. Click Save.

    sso-settings-options-screen

Connecting to your Identity Provider

If your identity provider supports loading metadata, you can download an XML configuration file to send them, which they can then upload to configure their settings for connecting to LinkedIn Learning.

Determine if you can download a metadata file or if you need to work with individual fields, then follow one of the procedures in the next sections.

Downloading a File

To configure your IdP via a metadata file, take the following steps:

  1. From within the Identity provider settings tab, click Download file to download a metadata file you can use with your Identity Provider system. The metadata.xml file downloads to your computer.

    download-metadata-file-screen

  2. Access your Identity Provider system.

  3. Upload the metadata file.

    Note

    You may not be able to import this file into your Identity Provider. For example, Okta does not have this functionality. If this case matches your configuration requirements, continue to Working with Individual Fields.

  4. Click Next.

For more information, see Configuring your Identity Provider.

Working with Individual Fields

To configure your IdP in the LinkedIn Learning application interface's individual fields, take the following steps:

  1. From the Identity provider settings tab, click Load and copy information from fields.

    sso-individual-fields-screen

  2. Copy and paste the fields you want to include.

  3. Click Next.

Configuring your Identity Provider

Configure your Identity Provider to talk with LinkedIn's platform. Determine if you can upload a metadata file from your Identity Provider or if you need to enter values manually, then follow one of the procedures in the following sections.

Uploading a File

To configure your SSO via .xml file upload, take the following steps:

  1. After you log in, if you are not already in the Admin screen, select Go to Admin, then click Me > Authenticate.

  2. Select Configure single sign-on.

  3. Click Add new SSO.

  4. Select your SSO protocol (see above).

    add-new-sso-for-idp-screen

  5. Click Download. A metadata.xml file downloads LinkedIn Learning's metadata to your computer.

  6. Click Next.

    metadata-file-screen

  7. From the SSO settings box, click Upload XML file to add the metadata file from your identity provider.

    upload-xml-file-screen

  8. Navigate to the downloaded file, select it, and click Open. If successful, the fields appear filled with the metadata.

Entering Values Manually

To manually configure your SSO, take the following steps:

  1. From within the SSO settings tab, select the Manually enter values radio button to manually add the data.

  2. Enter the data in the following fields:

  • Issuer String or Entity ID: must match the md:EntityDescriptor entityID field.

  • Budget group: Choose the default option or leave blank.

  • IdP redirect endpoint: must match the md:SingleSignOnService location field. Note: LinkedIn currently supports only the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding.

  • SAML Subject Identity attribute name: This is the attribute name in the SAML authentication response used to identify the employee. LinkedIn uses the following rules to identify the employee:

    • If the SAML Authentication response provides a SAML assertion containing a set of attributes, you can provide the SAML attribute name of the attribute containing the employee's identity in this text field. For example, if an integer employeeId is sent in a SAML attribute called employeeId, you could insert employeeId into the SAML Subject Identity attribute name field, and LinkedIn uses the employeeId sent in each assertion to look up the employee identity.

    • If nothing is specified in this field, LinkedIn looks up the employee by the value of the NameId sent in the <saml:Subject>. This field must be a unique ID. If this value is not an email address, it is highly recommended that you provide email address as an additional attribute.

    • If we cannot find the user by either the attribute set in the SAML Subject Identity attribute name field or by the unique identifier, as set in the NameId in the <saml:Subject>, LinkedIn does not authenticate the user. If automatic license provisioning is enabled and the user is not found, a new user profile is created using this value.

    • Public certificate: LinkedIn verifies the validity of the SAML assertion sent in the SAML authentication response using the x.509 certificate used for signing by your identity provider. If we cannot validate the signature of the authentication response, your user is not authenticated.

      enter-values-manually-screen

  1. Click Save.

Enabling Single Sign-On

After you have completed your configuration, enable SSO by selecting "Active" from the SSO Status drop down. See the Enable Options table below for information about when to use the available options.

enable-sso-options-screen

Enable Options

Status Description
Inactive
  • No SSO implementation setup required.
  • Users can sign in to assigned licenses with their LinkedIn-based logic.
    		•
    Pilot mode (Idp only)
    • SSO is set up and configured.
    • Pilot mode enforces SSO for IdP-initiated flows for employees give access through the IdP, but still allows normal LinkedIn-based sign in for SP-initiated flows. It does not require users to authenticate through the IdP to sign in. They can access the application directly through LinkedIn.
    • This mode is useful when configuring SSO for the first time, but should not be used once testing is complete.
    • When SSO is in Pilot mode, new users cannot be added. This should only be used temporarily by the SSO admin while actively testing.
    Active
  • SSO is set up and enabled.
  • Users must sign in through the IdP-initiated flow or SP-initiated flow (unless IdP only supports IdP-initiated flow, in which case they do not have SP-initiated). Regardless of which method is used, authentication is required.
    		•
    Warning When you select "Active" after initial setup, do not close the window until you are sure SSO is working properly; otherwise, you need to contact customer support to disable SSO on your account. We recommended that you use the Pilot option to validate your IdP-initiated flow before setting your SSO to "Active".
    • IdP-Initiated Flow: When a user starts in their Identity Provider (such as Okta, Azure, or Ping) to access an application.
    • SP-Initiated Flow: When a user goes directly to LinkedIn Learning (service provider) to access their license.

    Assigning Licenses

    Once you have enabled SSO, you can automatically assign licenses to your employees by toggling Automatically assign licenses to "On". When you enable this option, users are automatically granted a license when they are authenticated for the first time.

    To automate the assignment of licenses, take the following steps:

    1. Click the "More Options" ("...") icon and select "Edit".

    2. Set the Automatically provision licenses toggle to "On".

    3. Click "Save".

      automatically-assign-licenses-toggle

    Note

    If you do not enable this option, an admin must add users manually in the People tab. LinkedIn Learning identifies users by their email address. When you enable this option, a new user profile is automatically created upon authentication if we are unable to locate an existing user with a matching identifier.

    NameID (field)

    By default, LinkedIn Learning uses the value sent in the SAML response's NameID field as your user's unique identifier.  This value can be whatever value your service providers commonly use. Note that if you are planning on using a learning management system (LMS) that has a partnership integration with LinkedIn Learning, you may need to send LinkedIn Learning a specific SSO identifier. This identifier must match your users' LMS identifiers and allow LinkedIn Learning to send reporting messages to your LMS.

    Requirements for Automatically Assigning Licenses

    One reason SAML 2.0 has become so popular is its flexibility when sending extra information to the service provider. When an identity provider sends an assertion, it includes attributes describing the user. These attributes allow LinkedIn to both identify the user and automatically provision users. A few of the possible attributes are described in this section.

    EmailAddress can be used to identify users with or without SSO. Although email addresses are allowed as the users' main identifier, we do recommend using an employee ID or some other unique value that does not change and including Email as an additional attribute.

    Identity providers use different naming conventions, so LinkedIn looks for an email address in the following attribute names sequentially:

    • EmailAddress
    • email
    • Email
    • Mail
    • emailAddress
    • User.email

    If your identity provider uses a different naming convention, you can configure it in the following section.

    First Name (Optional)

    Just like email addresses, identity providers might send the first name in several common fields. To provide out-of-the-box compatibility with most identity providers, LinkedIn tries to find the first name in the following attribute names:

    • FirstName
    • first_name
    • firstname
    • firstName
    • User.FirstName

    Last Name (Optional)

    LinkedIn looks for the last name in the following attribute names:

    • LastName
    • last_name
    • lastname
    • lastName
    • User.LastName

    Custom Attributes

    You can specify custom name mappings to correspond to IdP settings (rather than using the default mappings). Enter your custom attribute name and select the attribute to map it to.

    To add custom attributes via SSO, take the following steps:

    1. Go to Me > Authenticate > Automate user management.

    2. Select Custom Attributes.

      custom-attributes-panel

    3. Click Add Attribute. A drop-down menu appears called "Attribute Name".

      add-custom-attribute-screen

    4. Select an appropriate attribute name ("Primary Email address", for example) from the menu or select "Custom name" and enter your own attribute name.

      Note

      To auto-group learners by the attribute name you selected, click the Assign groups checkbox.

    5. Click Save.

      attribute-value-screen

    6. On the attribute you just created, click Add Mapping.

      add-custom-attribute-mapping-screen

    7. Select an SSO connection for the mapping.

    8. Under "Map to SSO attribute name," input the attribute name as it exists in your SAML response. Use the actual attribute name as it appears in the SAML response, not the friendly name.

    9. Click Save.

      add-mapping-to-attribute-screen

    The following name are some of the standard labels that you can map to custom, user-provided attributes.

    • Building Code

    • Department

    • Desk Location

    • Job Function

    • Job Level

    • Manager (plain text only, i.e., "manager")

    • Mobile Phone Number

    • Primary Email Address

    • First Name

    • Last Name

    • Worker Status (Active or Inactive)

    • Worker Type (Employee, Contractor or Other)

    • Work Title

    • Work Phone Number

    For more information on SSO custom attributes, click here.

    Verifying your Setup

    Verify that you've correctly integrated with your Identity Provider and have the following in place:

    • SSO is enabled and set to "Active".

    • A LinkedIn Learning application is configured in your Identity Provider as previously instructed.

    • The LinkedIn Learning application configured in your IdP has been provisioned to the appropriate users.

    • A SAML Subject NameID value is sent in the SAML response or a SAML Subject Identity has been defined in the Configure the LinkedIn service provider SSO settings to use an alternate attribute name as the identifier.

    Test using the following logins:

    • Your identity provider-initiated login

      • Launch LinkedIn Learning directly from your Identity Provider.

    • Service provider-initiated login

      • First, locate your Account ID from the URL in the browser. Example: <https://www.linkedin.com/learning-admin/settings/global?account=2108666>

        • To create an SP-initiated URL, use the following format: <https://www.linkedin.com/checkpoint/enterprise/login/accountid/?application=learning>
          Example: <https://www.linkedin.com/checkpoint/enterprise/login/2108666?application=learning>
        • This SP-initiated URL can be used to activate new users if automatic license provisioning is enabled.

    • If you have already connected your personal LinkedIn profile to LinkedIn Learning, navigate to <https://www.linkedin.com/learning/login> and log in with your LinkedIn credentials. You should be directed to your IdP for authentication and then redirected back to LinkedIn Learning.

    Note

    If you have associated your LinkedIn profile to LinkedIn Learning, but don't have a live LinkedIn session in your browser, you may be prompted to log in to LinkedIn with your personal credentials after authenticating via SSO. This is separate from SSO and does not mean SSO is broken.

    Configuring Multiple SSO Connections

    LinkedIn Learning supports multiple SSO connections to allow for Test-QA connections or multiple Identity Providers. To create a new SSO connection, take the following steps:

    1. Open the Single Sign-On (SSO) panel and click "Add new SSO."

      add-sso-screen

    2. Give your new SSO connection a name. Do not include spaces.

    3. Follow the same steps as above to configure and enable your new SSO connection. Make sure to switch the connection to "Active" and select "Activate" in the pop-up.

      sso-activate-screen

    4. If this connection should be the default authentication method, select "Set as Default." If not, you need to create a specific SP-initiated URL to authenticate to LinkedIn Learning.

    configure-multiple-sso-screen

    Note

    When you use multiple SSO connections, you must make one the default connection. Use the default connection for any LMS integrations.

    Creating your SP-Initiated URL

    When using multiple SSO connections, you need to create a special SP-initiated URL for each non-default connection. To generate this URL, take the following steps:

    1. First, locate your Account ID from the URL in the browser. Example: https://www.linkedin.com/learning-admin/settings/global?account=2108666

    2. To create the SP-initiated URL, use the following format: https://www.linkedin.com/checkpoint/enterprise/login/accountid/?application=learning&authModeName=SSO_Connection_Name

    • Example: https://www.linkedin.com/checkpoint/enterprise/login/2108666?application=learning&authModeName=OneLogin-Attribute_test

    • This SP-initiated URL can be used to activate new users if automatic license provisioning is enabled.

    Using Multiple Authentication Methods

    LinkedIn Learning uses multiple authentication methods to determine whether a learner should have access to its platform.

    LinkedIn Learning currently supports three types of Single Sign-On:

    Multi-authentication means that an organization can use a combination of authentication methods based on their needs.

    There are three possible authentication scenarios:

    • "I want one SSO connection, and I want it to apply to everyone."

    • "I want one SSO connection, but some people won't be using SSO."

    • "I want multiple SSO connections, with some people going to one and some going to another."

    To learn more about configuring multiple authentication methods, review the LinkedIn Learning SSO Multiple Authentication Guide document.

    Add an Additional SSO Connection

    To begin setting up multiple authentication methods, you first want to configure a Single Sign-on connection. To add a SSO connection, take the following steps:

    1. From the LinkedIn Learning Admin settings, click Me > Authenticate.

      authentication-navigation-screen

    2. From the side navigation menu, select Configure single sign-on and click Add new SSO.

      add-sso-window

    3. Expand the Single Sign-On (SSO) section.

    4. Click Add new SSO and select SAML.

    5. Follow the instructions described above to enable an additional single sign-on connection.

      add-additional-sso-screen

    Add a LTI Connection

    To add a LTI connection, take the following steps:

    1. From the LinkedIn Learning Admin settings, click Me > Authenticate.

      authenticate-navigation-screen

    2. In the side navigation menu, select Configure single sign-on and expand the Single Sign-On (SSO) section.

    3. Click on Add new SSO and choose "LTI".

      add-lti-sso-screen

    4. Give the SSO connection a name and finish configuring.

    5. Click Generate Keys. (You need this information to enter into your LMS). Click Save.

      lti-sso-screen

    6. Select "Active" from the connection status drop down.

    For more information on adding an LTI connection during your authentication process, review the LinkedIn Learning LTI Implementation Guide.

    If you would like to learn more about using multiple authentication methods on your account, please reach out to your Customer Success Manager for more information.

    Note

    You can allow your learners to use email domain verification as SSO authentication for their LinkedIn Learning accounts. For more information,click here.

    Congratulations! Your learners now can access LinkedIn Learning content through one or multiple Single Sign-On (SSO) methods.

    Support

    Below you can find supporting documentation and other resources.

    Supporting Documentation

    Technical Issues

    If you have technical issues with the SSO setup, contact your account team or application support team through the LinkedIn Learning Help Center.

    LinkedIn's Privacy and Data Security Policy

    https://www.linkedin.com/legal/privacy-policy

    LinkedIn Security Contacts

    If you have any security questions or you would like to report a security issue, write to us at security@linkedin.com.

    Back to Top