By default, the Unicorn LMS provides a Forms Authentication feature enabling Users to log in to a site using a username and password.
Usernames are unique to the Unicorn LMS client installation and can be alphanumeric or an email address.
Passwords can be stored as a one-way hash or encrypted, depending on whether password retrieval is permitted and required.
Password rules are configurable to include minimum length, number of alphanumeric characters, number of login attempts and ability to define a regular expression to set specific format rules.
The advantage of this access option is that no specific configuration is required to log into the Unicorn LMS. A disadvantage is that the User’s password is unique to the Unicorn LMS and has to be managed separately by the User.
For the single sign-on approaches listed below, the User does not need to maintain separate passwords but configuration is required to enable these alternative authentication mechanisms.
Single sign-on allows a User to navigate to the Unicorn LMS from another client site (e.g. the User’s Intranet site) without having to log into the Unicorn LMS explicitly. The User must already be authenticated within their own site. This allows fluid transition between the client’s site and the Unicorn LMS.
The Unicorn LMS supports the following types of single sign-on:
Shared key SHA Hash token
This mechanism involves the client server generating a hash of the unique identifier (e.g. login or employee ID) using a shared secret and a time stamp. On receiving the request, the Unicorn LMS also generates a hash value based on the details and the shared secret. If the two match and the timestamp is within the required window, then the User is authenticated.
The Security Assertion Mark-up Language (SAML) is an XML-based standard for exchanging authentication and authorisation data between security domains, that is, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee.
The service provider relies on the identity provider (client) to identify the principal. At the principal's request, the identity provider passes a SAML assertion to the service provider (Unicorn LMS). Based on the SAML assertion, the Unicorn LMS can then authenticate the User.
Same sign-on is a mechanism by which a User arrives at the Unicorn LMS login page but enters the same credentials as they would for their client system (e.g. their Intranet login credentials).
When these credentials are entered into the Unicorn LMS login page they are passed to a client web service to authenticate. The client system responds with an authentication response which allows login to the Unicorn LMS if authentication is.
The advantage of this login mechanism is that the User only has a single username and password for their client system and for the Unicorn LMS.
- It is possible to have a mix of Same Sign-on and Forms Authenticated Users within the Unicorn LMS if required.
- SAML integration also provides a same sign-on mechanism.
Shared key SSO implementation
In order for Shared Key SSO to be used, the client site must:
- Implement a hashing mechanism which conforms to the technical details outlined below;
- Provide a mechanism whereby the above hash is constructed when the User navigates to the Unicorn LMS (e.g. when a link is clicked by the User on their Intranet site).
The Single Sign-on authentication process must use the SHA algorithm to produce a hash key from a string containing details of the User’s login request. SHA is a widely used cryptographic hash function. As Internet standards, SHA1 (RFC3174) and SHA2 have been employed in a wide variety of security applications, and are also commonly used to check the integrity of files.
We recommend the highest level of SHA algorithm you can accommodate. We support SHA1, SHA256, SHA384 and SHA512.
The string passed to the SHA algorithm is constructed from three parameters, plus an optional fourth:
- A standard key called the “Shared Secret” which is known to Unicorn and the client
- A UTC timestamp in the following format yyyyMMddHHmmss. If the timestamp is not UTC, then login is likely to fail due to time zone or daylight saving time differences between the client site and the Unicorn LMS.
- A string representing the unique Employee ID (or other agreed unique key)
- Optional redirect URL (to redirect to post-login – i.e. to a particular page within the Unicorn LMS)
The first three values must be concatenated into a single string, which is then passed into the specified hash algorithm to produce the hash key.
The website link used for the single sign-on navigation must contain information about the timestamp, the unique ID and the hash key in order to identify the User and log them in.
- Shared Secret: A61FFE2LR4SF9GS5YH4CKS3LAOR34EWRLIJ65DSFL7AK
- Timestamp: 20100101095600
- Unique ID: employeeid1
Concatenating the above values produces the following string:
Running the SHA256 algorithm for example with the above string as input, will produce the following output (which is called the 'hash key'):
The URL the User is redirected to will be similar to this example:
Note: For security reasons, the Shared Secret should not be exposed on the website - the hashing function should execute server-side. The above URL is an example. When the above URL is hit, the Unicorn LMS will concatenate the employee ID and timestamp and combine it with the shared secret. It will then hash that value and compare it with the hashed value sent in the link.
If they match, then the User is considered to be trusted and therefore authenticated.
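The following is an added illustration of both halves of the Shared Key SSO exchange described above (it is not Unicorn's own code): the client side builds the timestamped link and the LMS side recomputes and compares the hash. It assumes the concatenation order secret + timestamp + unique ID as listed on this page, query parameter names `uid`, `ts`, `hash` and `redirect`, and a five-minute acceptance window; none of these are specified on the page.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, parse_qs, urlparse

# Sample shared secret from the page; timestamps use the page's yyyyMMddHHmmss UTC format.
SHARED_SECRET = "A61FFE2LR4SF9GS5YH4CKS3LAOR34EWRLIJ65DSFL7AK"
TS_FORMAT = "%Y%m%d%H%M%S"
WINDOW = timedelta(minutes=5)  # assumed acceptance window; the page does not state one

def make_hash(secret, timestamp, unique_id, algo="sha256"):
    # Assumed concatenation order: secret + timestamp + unique ID (the order the page lists them).
    data = (secret + timestamp + unique_id).encode("utf-8")
    return hashlib.new(algo, data).hexdigest()

def build_sso_url(base_url, unique_id, secret=SHARED_SECRET, now=None, redirect=None):
    # Client side: runs on the client's server so the shared secret never reaches the browser.
    now = now or datetime.now(timezone.utc)
    ts = now.strftime(TS_FORMAT)
    params = {"uid": unique_id, "ts": ts, "hash": make_hash(secret, ts, unique_id)}
    if redirect:  # optional post-login redirect, not part of the hashed string
        params["redirect"] = redirect
    return base_url + "?" + urlencode(params)

def verify_sso_url(url, secret=SHARED_SECRET, now=None, algo="sha256"):
    # LMS side: reject malformed or stale timestamps, then recompute and compare the hash.
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        ts = datetime.strptime(q["ts"], TS_FORMAT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    if abs(now - ts) > WINDOW:
        return False
    expected = make_hash(secret, q["ts"], q.get("uid", ""), algo)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected.encode(), q.get("hash", "").encode())

def demo():
    # Fixed clock (the page's sample timestamp) so the outcome is reproducible.
    t0 = datetime(2010, 1, 1, 9, 56, 0, tzinfo=timezone.utc)
    url = build_sso_url("https://lms.example/sso", "employeeid1", now=t0)
    return {
        "valid": verify_sso_url(url, now=t0 + timedelta(seconds=30)),
        "stale": verify_sso_url(url, now=t0 + timedelta(minutes=10)),
        "tampered": verify_sso_url(url.replace("employeeid1", "employeeid2"), now=t0),
        "wrong_secret": verify_sso_url(url, secret="WRONG", now=t0),
    }
```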