TalentLMS SSO with Azure AD SAML2.0

17 Mar

So I have this issue which I’m hoping you good people can help with.

We use TalentLMS and this is set to use SSO with Azure AD.

Basically, I followed section B of this guide as we use our own domain.

Everything works, except every month without fail the certificate used seems to expire and all users using SSO get an error:

0 /var/www/talent/simplesaml/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: Unable to find a certificate matching the configured fingerprint. Candidates: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; certFingerprint: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'.
5 /var/www/talent/libraries/external/simplesamlphp/modules/saml/lib/Message.php:132 (sspmod_saml_Message::findCertificate)
4 /var/www/talent/libraries/external/simplesamlphp/modules/saml/lib/Message.php:181 (sspmod_saml_Message::checkSign)
3 /var/www/talent/libraries/external/simplesamlphp/modules/saml/lib/Message.php:552 (sspmod_saml_Message::processAssertion)
2 /var/www/talent/libraries/external/simplesamlphp/modules/saml/lib/Message.php:524 (sspmod_saml_Message::processResponse)
1 /var/www/talent/libraries/external/simplesamlphp/modules/saml/www/sp/saml2-acs.php:127 (require)
0 /var/www/talent/simplesaml/module.php:137 (N/A)

The quick fix is to take the value for the Candidates field in the error above and use that as the value in the “Certificate Fingerprint” within the TalentLMS SSO settings. This, however, is annoying once every month.

I contacted TalentLMS support who advised as follows:

You can define your own certificate in Azure’s TalentLMS app and set the expiration date that you wish.
On the Azure AD portal, go to
{Your-AD-Name} AD – App registrations -> {Your-App-Name} -> {Your-App-Name} – Single sign-on
In the “SAML Signing Certificate” section you will see only one certificate, which was created on app setup.
Click on the “Create new certificate” link, set the expiration date and click on “Save”.
Then, back in the “SAML Signing Certificate” section, click on the checkbox “Make new certificate active” and remove the old one.
You will then need to replace the certificate fingerprint in the TalentLMS SSO form with the one for the new active certificate (found in the THUMBPRINT column).

However, when I get to this part of Azure AD, as the screen is loading I can see the “Single Sign-On” option but it is greyed out.

Then when the page is loaded, it’s gone, and I can’t find that setting anywhere.

Can anyone please help here?
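The error above comes from SimpleSAMLphp comparing the SP's configured fingerprint with the SHA-1 fingerprint of each signing certificate the IdP publishes. The following added example (not from the original post, TalentLMS or SimpleSAMLphp) reproduces that comparison against the IdP's federation metadata so the mismatch can be detected before users hit it; the sample metadata is constructed and its certificate bytes are a placeholder, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def normalize_fingerprint(fp: str) -> str:
    """SimpleSAMLphp compares fingerprints as lowercase hex with colons removed."""
    return fp.replace(":", "").strip().lower()

def signing_fingerprints(metadata_xml: str) -> list:
    """SHA-1 fingerprints (lowercase hex) of every signing cert in IdP metadata.
    A certificate fingerprint is the SHA-1 of its DER bytes, which is exactly
    the base64-decoded content of <ds:X509Certificate>."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # Per SAML metadata, a KeyDescriptor with no 'use' serves signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(hashlib.sha1(der).hexdigest())
    return fps

def check_configured_fingerprint(metadata_xml: str, configured: str) -> tuple:
    """(matches, candidates): does the SP's configured fingerprint still match?"""
    candidates = signing_fingerprints(metadata_xml)
    return normalize_fingerprint(configured) in candidates, candidates

# Constructed sample metadata; FAKE_DER stands in for a real DER certificate.
FAKE_DER = b"placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    ok, cands = check_configured_fingerprint(SAMPLE_METADATA, "00" * 20)
    print("match" if ok else f"MISMATCH; candidates: {cands}")
```

Run it on a schedule against the IdP's metadata URL with the fingerprint currently configured in TalentLMS; a MISMATCH result means the IdP has rotated its signing certificate and the fingerprint needs updating.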