Single Sign-On (SSO) For DataCamp Enterprise: An Overview


What is Single Sign-On? 

Single sign-on (SSO) is a session and user authentication service that allows users to access multiple applications with one set of login credentials (username and password).

DataCamp’s Enterprise SSO integration allows customers to manage their organization's members outside of DataCamp's pre-existing login and account creation flows.

Some of the benefits of SSO include:

  • More security and minimized phishing
  • A simpler onboarding and member management process
  • Organization members will not need separate login credentials to access DataCamp

Prerequisites

In order to set up SSO, you must have a DataCamp Enterprise plan and be an admin of your organization. Feature and pricing information on upgrading to a DataCamp Enterprise plan can be found here.

At this time, DataCamp only supports SAML 2.0 integration. To set up SSO, you must have a SAML Identity Provider (IdP) configured. The IdP is the directory or database that contains the user and organization accounts.

Configuring Single Sign-On

Required Settings

Sign in to DataCamp and navigate to your Enterprise organization, then select Settings > SSO > Allow SAML 2.0.

To complete the integration, you must enter the information listed below, which is unique to your organization:

  • Entity ID/Issuer URL: This is provided by the IdP to uniquely identify your organization's domain.
  • Login URL/SSO Endpoint: This refers to the URL DataCamp is expected to call in order to request a user login from the IdP.
  • IdP Certificate: This is the Authentication certificate issued by your IdP.

DataCamp also provides the following information, which you should provide to your IdP:

  • Entity ID/SAML Audience URL 
  • Assertion Consumer URL
  • Service Provider Metadata XML (Downloadable after you've configured and enabled the SSO integration.) 

Once you have entered the correct information in both DataCamp and your IdP, the last step is to select Enable SSO, and then you're all set! SSO has been enabled for your organization.

Note: We recommend leaving 'SSO Login Requirements' as optional until you verify your SSO configuration works as expected. Otherwise, you risk locking yourself out of the account.

Optional Settings

NameID Format

DataCamp supports two options for configuring the NameID format: 

  • nameid-format:emailAddress (default)
  • nameid-format:unspecified

If you want DataCamp to use employee ID as a unique identifier instead of email, you'll need to configure your IdP to send the NameID format as "unspecified" and to send the employee ID as the NameID value. You'll also want to select "unspecified" in your DataCamp SSO settings. You'll still need to send the emailAddress as an attribute, as this is required for our platform. You can optionally send the FirstName and LastName.

Once the IdP has been configured to send the "unspecified" value and the setting has been made on the DataCamp SSO settings, DataCamp will begin storing the employee ID for each member as they sign in. If you update your configuration when you already have members in your organization, DataCamp will not have their employee ID value until the next time they sign in. 

Even if you use employee ID as the unique identifier in your SSO configuration, each DataCamp account must have a unique email address. Therefore, if a new member joins via SSO with the same email address, but a different employee ID than someone in your organization, DataCamp will automatically archive the older account and grant access to the new member. If a member’s account is archived, they can reach out to DataCamp Support (atop this page) to update their email address and reactivate their account.

For certain LMS or LXP integrations, the employee ID might be required. In this case, you'll need to configure your SSO settings to send and store the employee ID as the unique NameID format. If DataCamp does not have an employee ID for any reason (e.g. the user hasn't signed in since you updated the configuration), our system will not be able to send content completion information for this member until they sign in and we have their employee ID stored. 
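A pre-flight check for the NameID settings above, run against a test assertion captured from your IdP before making SSO login required. This is an added example, not DataCamp code; the sample assertion, the audience URL, and the exact attribute name string `emailAddress` (taken from the wording above) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URN = "urn:oasis:names:tc:SAML:1.1:nameid-format:"

# Constructed sample assertion (unsigned; values and audience URL are placeholders).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">10101010</saml:NameID>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/audience</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailAddress">
      <saml:AttributeValue>example_user_1@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, expected_format, expected_audience):
    """Return a list of configuration problems; an empty list means the shape is right.
    Configuration check only: the XML signature is NOT verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    else:
        # Per SAML 2.0 core, an omitted Format attribute means 'unspecified'.
        fmt = name_id.get("Format", URN + "unspecified")
        if fmt != URN + expected_format:
            problems.append(f"NameID Format is {fmt!r}, expected {expected_format}")
        if expected_format == "emailAddress" and "@" not in name_id.text:
            problems.append("NameID value is not an email address")
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    if expected_format == "unspecified" and "@" not in attrs.get("emailAddress", ""):
        problems.append("emailAddress attribute missing (required with 'unspecified')")
    audiences = [e.text for e in root.iter("{%s}Audience" % NS["saml"])]
    if expected_audience not in audiences:
        problems.append("Audience does not match the Entity ID/SAML Audience URL")
    return problems
```

Pass the Entity ID/SAML Audience URL shown in your DataCamp SSO settings as `expected_audience`.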

You can see the latest synced name ID mappings within the SSO configuration tab. Once we begin receiving mappings, you will see the latest appear like this:

Configured to receive NameID mappings. Recently received mappings:

  • Aug 12, 2020, 09:08 BST: 10101010 => example_user_1@example.com
  • Aug 12, 2020, 09:37 BST: 1020202 => example_user_2@example.com

If the mappings are incorrect, please contact our Support team to reset them.

Enabling and Disabling SSO

Once you have finished configuring your SSO settings, you are ready to enable SSO! To enable SSO, select Enable SSO at the bottom of the form.

If you have members in your organization when SSO is enabled, they will immediately be logged out of DataCamp and receive an email explaining that the organization has enabled SSO and that they will need to sign in again with their SSO credentials.

There is a link in the email which will redirect them to DataCamp’s sign-in page. On this page, they need to enter their email address and select Next. If this email is associated with a member who belongs to a group with SSO enabled, they will be redirected to the IdP login page to complete the sign-in process. Here they will need to sign in with their SSO credentials. If this is successful, they will be redirected back to DataCamp with access to the platform.

Similarly, if a member is removed from the organization or if SSO is disabled within the organization, they will receive email instructions prompting them to reset their password on DataCamp, allowing them to sign in without SSO.

Specific Identity Providers

Looking to set up an integration with one of the following IdPs? Check out our Help Documentation here:

DataCamp is also available as an application in Microsoft's Azure Gallery. 

Inviting Members to your Organization once SSO is Enabled 

Members can be invited to DataCamp in multiple ways. This section outlines the various options for giving members access to your organization via SSO. 

Standard Invites

Once SSO has been enabled for the organization, the standard invite methods will continue to work, including email invites and invites using domain-specific invite links. In both cases, members will need to sign in with their SSO credentials to accept the invite. 

Note: For security purposes, if a member already has an existing account on DataCamp prior to being invited to your organization, you'll need to use one of the standard invite processes outlined below. Both options below have an additional verification step to confirm that the member who is already on the platform is the same in your IdP. 

Email Invites

You can invite a specific member by their email address. The advantage of this invite method is that you can also customize their permissions (e.g. make them an admin) and assign them to specific team(s) during the invite process. 

Note: If the person you are trying to invite already has an account on DataCamp, you'll need to invite them with their existing email on the platform in order for their account learning progress to transfer. If you are unsure, you can also generate a standard invite link which gives the member the option to merge their own account. 

Shareable Invite Links

You can generate a standard invite link and customize the link to automatically add members to specific teams when they join using this method. Another advantage of this invite method is that members will have the opportunity to link an existing account if they happen to already have one on DataCamp. This is ideal if you want to have historical learning progress available in your organization's account, and so that members can continue from where they left off. 

Custom SSO Deep Link

An SSO Enabled Deep Link is any link to a page on DataCamp which contains a company SSO identifier. When a member selects this link, DataCamp will automatically redirect them to the IdP to sign in (if they haven’t already) with SSO, and then redirect them back to the page they originally intended to navigate to. If they don't have a DataCamp account yet, then we automatically provision them a new one. 

The format of any SSO Enabled Deep Link for DataCamp is: https://www.datacamp.com/groups/<GROUP_IDENTIFIER>/sso/saml/login?path=<PATH>.

An example of a <PATH> would be "/home" to link to DataCamp's homepage. You can direct SSO Deep Links to specific courses and track pages. 
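One way to generate and audit SSO Deep Links in the format above before distributing them, so that `<PATH>` is always percent-encoded and always a site-relative DataCamp path. This is an added example, not DataCamp code; the function names and the group identifier `acme-corp` are hypothetical.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

HOST = "www.datacamp.com"

def _is_site_relative(path):
    # Exactly one leading slash, no backslashes, no control characters:
    # rules out absolute URLs and scheme-relative "//host" targets.
    return (path.startswith("/") and not path.startswith("//")
            and "\\" not in path and all(ord(c) >= 0x20 for c in path))

def build_sso_deep_link(group_identifier, path):
    """Build https://www.datacamp.com/groups/<GROUP_IDENTIFIER>/sso/saml/login?path=<PATH>."""
    if not group_identifier or "/" in group_identifier:
        raise ValueError("group identifier must be a single path segment")
    if not _is_site_relative(path):
        raise ValueError(f"path must be a site-relative path: {path!r}")
    group = quote(group_identifier, safe="")
    # Encode '?', '&' and '=' inside <PATH> so they stay part of the path value.
    return f"https://{HOST}/groups/{group}/sso/saml/login?" + urlencode({"path": path}, safe="/")

def audit_deep_link(url):
    """True only if url has the documented shape and a site-relative path parameter."""
    parts = urlsplit(url)
    segs = parts.path.split("/")
    paths = parse_qs(parts.query).get("path", [])
    return (parts.scheme == "https" and parts.hostname == HOST
            and len(segs) == 6 and segs[1] == "groups" and segs[2] != ""
            and segs[3:] == ["sso", "saml", "login"]
            and len(paths) == 1 and _is_site_relative(paths[0]))
```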

This invite method can be used to create new accounts on DataCamp or to sign in to accounts that have already been added to your organization. If a user has an existing account but is not in the organization, they will need to be added using one of the standard invite processes above. 

Link from Identity Provider

Depending on the specific IdP configuration, members can also enroll directly from within the IdP by selecting the DataCamp application in the directory.

This invite method can be used to create new accounts on DataCamp or to sign in to accounts that have already been added to your organization. If a user has an existing account but is not in the organization, they will need to be added using one of the standard invite processes above. 

Link from Learning Management System (LMS) or Learning Experience Platform (LXP)

If you are using one of our existing LMS or LXP integrations, it's also possible to combine SSO so that members can access DataCamp via SSO directly from the IdP. For more information, please read our LMS and LXP documentation.

This invite method can be used to create new accounts on DataCamp or to sign in to accounts that have already been added to your organization. If a user has an existing account but is not in the organization, they will need to be added using one of the standard invite processes above. 

Accessing DataCamp With SSO 

Accepting an Invite to an Organization

There are multiple ways your admin can invite members to an organization when SSO is enabled. 

Email Invite

Your admin may invite you to join their DataCamp organization by email.

Note: If you have an existing DataCamp account under a different email address and you want your course progress to be reflected in the group, you can update your email in your profile before accepting the invite, then ask your admin to resend the invite (their email will be included in the invite email). Otherwise, you will create a separate account.

When you're ready to accept, simply select Join Group in your email, or in your in-app notifications if you already have an account. You will be redirected to the Identity Provider (IdP) to sign in with your SSO credentials. If the login is successful, you will be redirected to DataCamp and have access to the organization in DataCamp.

DataCamp Invite Link

If SSO is enabled, members who click on these invite links will be brought to the following page with an option to "Link an Existing Account" or "Create New Account".

Members who already have a DataCamp account under a separate email address will have the opportunity to link their account so that they can maintain their learning progress.

In order to link their account, members will first need to sign in to DataCamp with their previous email and password. Afterward, they will be redirected to the IdP login page where they can log in with their SSO credentials. At this point, the account is linked and we’ve verified it’s the same member. Lastly, since the organization has SSO enabled, the member will be logged out and asked to sign in once again with their SSO credentials to complete the process. 

Alternatively, members can choose to create a new account if they don’t have a previous account to link or if they would prefer to create a new one. In this case, they will be immediately redirected to the IdP login page to sign in with SSO and will be redirected to DataCamp if the login is successful.

Accessing DataCamp via Your IdP, LMS, LXP, or a Custom SSO Deep Link

Members will also be able to add themselves to the organization by first logging into your IdP, finding the DataCamp application and clicking the application to join. Similarly, it's typically possible to join the organization via your LMS or LXP system (if your admin has configured it) or through a custom SSO Deep Link created by your admin. If you do not have a DataCamp account, using this invite method will create an account for you. 

Note: For security purposes, if you have an existing DataCamp account and are not already in the organization, your admin will need to invite you with one of the alternative invite methods listed above. 

Note: If you try to join via a DataCamp invite link, but your organization no longer has available licenses, you will be added to a waitlist. Your admin will be informed you are trying to access the organization. If they approve your waitlist request, you will be added to the organization and will receive an email to confirm.

Signing In After Accepting An Invite

Once you've created a DataCamp account and are enrolled in your organization, you can sign in to DataCamp with SSO in multiple ways. 

Sign-In Page

You can go to our normal sign-in page here: https://www.datacamp.com/members/sign_in

Enter your email (this should be the same email associated with your SSO credentials). As long as you are a member of the organization, we will detect that you need to log in with SSO and redirect you to your IdP to complete the login process. Once complete, you will be redirected back to DataCamp to continue learning.

Accessing via Your IdP, LMS, LXP, or a Custom SSO Deep Link

Members will also be able to log in to DataCamp by first logging into your IdP, finding the DataCamp application, and clicking the application. Similarly, you can typically log in to DataCamp via your LMS or LXP system (if your admin has configured it), or through a custom SSO Deep Link created by your admin. Assuming you already have a DataCamp account and are a member of the group, this should only require one click to sign in to DataCamp. 

Frequently Asked Questions

What happens if I enable SSO with members already in my DataCamp organization?

Once SSO is enabled, your existing members will receive an email prompting them to log in with their IdP credentials. Once complete, your members will always need to log in with their IdP credentials while they are a member of an organization with SSO enabled.

What happens if an account created via SSO exceeds my organization's number of licenses?

The member will be added, the license count will automatically increase, and a prorated charge will be applied to the payment method on file. If no payment method is on file, an invoice with the amount will be automatically generated.

Is SSO supported on mobile?

Yes! SSO is supported on DataCamp's mobile app.

What happens when a member is removed from my organization in DataCamp?

If a member in your organization is removed as a Member in DataCamp, they will receive an email prompting them to create new login information. They will also be prompted to confirm their email address and create a new password. They will no longer have access to your organization or premium content as part of your subscription.

What happens if a member is removed from my IdP?

If you remove a member from your IdP and deactivate their IdP login credentials, they will no longer be able to log into DataCamp. Please note, the member will not automatically be removed from the DataCamp organization’s Members list. Please contact DataCamp Support (atop this page) to remove a member from your organization.

What happens if I disable SSO?

If you disable SSO, the existing members in your organization will receive an email prompting them to create new login details including confirming their email and creating a new password.