What is Single Sign-On?
Single Sign-On (SSO) is a type of authentication that allows users to access multiple applications and services using a single set of login credentials.
DataCamp’s Enterprise SSO integration allows customers to manage their organization's members outside of DataCamp's pre-existing login and account creation flows.
Some of the benefits of SSO include:
- Stronger security and reduced phishing exposure
- A simpler onboarding and member management process
- Organization members will not need separate login credentials to access DataCamp
- Better user experience: users are seamlessly provisioned an account and redirected to DataCamp content, all in one go
Prerequisites
In order to set up SSO, you must have a DataCamp Enterprise plan and be an admin of your organization. Feature and pricing information on upgrading to a DataCamp Enterprise plan can be found here.
At this time, DataCamp only supports SAML 2.0 integration. To set up SSO, you must have a SAML 2.0 Identity Provider (IdP) configured. The IdP is the directory or service that holds your user and organization accounts and authenticates your users.
Configuring Single Sign-On
Required Settings
Sign in to DataCamp and navigate to your Enterprise organization, then select Settings > SSO > Allow SAML 2.0.
To complete the integration, you must enter the information listed below, which is unique to your organization:
- Entity ID/Issuer URL: Provided by the IdP; it uniquely identifies your IdP as the issuer of the SAML assertions for your organization.
- Login URL/SSO Endpoint: The IdP URL to which DataCamp redirects the user's browser to request a login (the SP-initiated flow).
- IdP Certificate: The X.509 certificate your IdP uses to sign SAML responses. DataCamp uses it to verify that assertions genuinely come from your IdP, so keep it in sync with the IdP when the certificate is rotated.
SAML Attributes
In addition, it is important to align the SAML attribute names for the user information DataCamp consumes. DataCamp accepts the following claims: first name, last name and email.
Out of these 3, email is mandatory for the integration to work properly. First name and last name are optional but encouraged to provide the best user experience.
For these 3 fields, we accept the following attribute names:
Email:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- email_address
- emailAddress
- EmailAddress
- User.email
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- emailaddress
- urn:oid:1.3.6.1.7
First name:
- FirstName
- first_name
- firstname
- firstName
- user.first_name
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/first_name
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- givenname
- urn:oid:2.5.4.42
Last name:
- LastName
- last_name
- lastname
- lastName
- user.last_name
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/last_name
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- surname
- urn:oid:2.5.4.4
Not sending one of these attributes will result in the corresponding value in DataCamp not being updated. In essence, this means that:
- new users will have no first/last name;
- users that were created before SSO was active will keep the first/last name that was set before
Providing an empty value for (one of) the attributes will, however, update the corresponding value in DataCamp. As such, users that had a first/last name before SSO was enabled will get an empty first/last name after their first successful SSO login.
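The alias lists and the omitted-versus-empty rule above are easy to get subtly wrong in an IdP claim mapping, so here is an added example (not DataCamp's code and not from this page) that applies them to the attributes of one SAML response. The attributes are modelled as the name-to-list-of-values dict that SAML toolkits such as python3-saml return from get_attributes(); the profile dict standing in for the stored DataCamp account, and the sample values, are assumptions made here.

```python
# Added example (not DataCamp's code): applies the attribute-name aliases and the
# omitted-versus-empty update rule described above to the attributes of a SAML
# response. Attributes are modelled as the name -> list-of-values dict that SAML
# toolkits such as python3-saml return from get_attributes(); the profile is a
# plain dict standing in for the stored DataCamp account (an assumption here).

EMAIL_ALIASES = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "email_address", "emailAddress", "EmailAddress", "User.email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "emailaddress", "urn:oid:1.3.6.1.7",
)
FIRST_NAME_ALIASES = (
    "FirstName", "first_name", "firstname", "firstName", "user.first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "givenname", "urn:oid:2.5.4.42",
)
LAST_NAME_ALIASES = (
    "LastName", "last_name", "lastname", "lastName", "user.last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "surname", "urn:oid:2.5.4.4",
)
FIELD_ALIASES = {
    "email": EMAIL_ALIASES,
    "first_name": FIRST_NAME_ALIASES,
    "last_name": LAST_NAME_ALIASES,
}

OMITTED = object()  # sentinel: none of the aliases was present in the response


def resolve_field(attributes, aliases):
    """Return the value of the first alias present in `attributes`.

    An attribute that is present but carries no value (or an empty string)
    resolves to "", which is distinct from OMITTED: the page says an empty
    value clears the stored field, while an absent attribute leaves it alone.
    """
    for name in aliases:
        if name in attributes:
            values = attributes[name]
            return values[0] if values else ""
    return OMITTED


def apply_saml_attributes(profile, attributes):
    """Return an updated copy of `profile` after one successful SSO login.

    - email is mandatory: a response without any email alias is rejected;
    - an omitted first/last name keeps whatever the profile already holds
      (so a brand-new user simply has no name);
    - an empty first/last name overwrites the stored value with "".
    """
    updated = dict(profile)
    for field, aliases in FIELD_ALIASES.items():
        value = resolve_field(attributes, aliases)
        if value is OMITTED:
            if field == "email":
                raise ValueError("SAML response carries no recognised email attribute")
            continue
        updated[field] = value
    return updated


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    existing = {"email": "ada@example.com", "first_name": "Ada", "last_name": "Lovelace"}
    print(apply_saml_attributes(existing, {"emailAddress": ["ada@example.com"]}))
    print(apply_saml_attributes(existing, {"emailAddress": ["ada@example.com"],
                                           "givenname": [""], "surname": [""]}))
```

The second call in the usage block is the case to watch for when rolling SSO out to an existing organization: an IdP that emits the name claims with blank values will wipe names that were set before SSO, whereas simply not mapping the claims leaves them untouched.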
Once you have entered the correct information in both DataCamp and your IdP, the last step is to select Enable SSO, and then you're all set! SSO has been enabled for your organization.
Optional Settings
NameID Format
DataCamp supports two options for configuring the NameID format:
- nameid-format:emailAddress (default)
- nameid-format:unspecified
If you want DataCamp to use your internal employee ID as the unique identifier instead of the email address, configure your IdP to send the NameID format "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" with the employee ID as the NameID value, then select "unspecified" in your DataCamp SSO settings. You must still send the email address as a SAML attribute, as it is required by the platform. Although optional, it is highly recommended that you also send the FirstName and LastName attributes, as this is the only way for your learners' full names to be filled in on DataCamp.
Once the IdP has been configured to send the "unspecified" value and the setting has been made on the DataCamp SSO settings, we will begin storing the employee ID for each user as they login. If you update your configuration when you already have members in your organization, we will not have their employee ID value until the next time they log in.
For certain LMS or LXP integrations, the employee ID might be required. In this case, you'll need to configure your SSO settings to send and store the employee ID as the unspecified NameID format. If we do not have an employee ID for any reason (e.g. the user hasn't logged in since you updated the configuration) we will not be able to send content completion information for this user until they log in and we have their employee ID stored.
You can see the latest synced name ID mappings within the SSO configuration tab. Once we begin receiving mappings, you will see the latest appear like this:
Configured to receive NameID mappings. Recently received mappings:
- Aug 12, 2020, 09:08 BST: 10101010 => example_user_1@example.com
- Aug 12, 2020, 09:37 BST: 1020202 => example_user_2@example.com
The left value is the employee ID (e.g. 10101010) and the right value is the email.
If the mappings are incorrect, please contact our support team to reset them.
Just-in-Time (JIT) Provisioning
If JIT Provisioning is enabled, DataCamp will automatically create an account and assign a license to new members when they sign in via SSO (through their IdP or LMS). Otherwise, new members will be added to the waiting list, requiring admin approval before a license is assigned.
If you only intend to make DataCamp available to a specific audience within your organization, it's recommended that you disable JIT provisioning, and instead use one of the other mechanisms of inviting users such as Invite Links. Note that JIT will never come into effect until you explicitly give access to your users on the IdP or create and share a Custom SSO deep link (see below for more info).
SSO Login Enforced
If SSO is required, all members and admins will need to log in via the Identity Provider. If SSO is optional, then members and admins can log in via the Identity Provider or with the email and password associated with their DataCamp account.
If you have members in your organization when your SSO integration starts with SSO required, or when SSO is changed to become required, they will immediately be logged out of DataCamp and forced to re-authenticate themselves via SSO.
We strongly recommend enforcing SSO for multiple reasons, with the primary benefit being that users will be automatically directed to use SSO for authentication, rather than having the option to choose an alternative authentication method.
Note: Although we strongly suggest enforcing SSO, it is important to ensure that your SSO configuration is functioning properly before making it mandatory. As a precaution, we recommend leaving the setting optional until you are sure it works, to prevent the possibility of being locked out of the account. Currently, there is no alternative method for organization admins to log into the system; everyone must go through the same flow.
Enabling and Disabling SSO
Once you have finished configuring your SSO settings, you are ready to enable SSO. To enable SSO, click "Enable SSO" on the bottom of the form.
When SSO is enabled, users will receive an email explaining that the organization has enabled SSO and that they will need to sign in again with their SSO credentials.
There is a link in the email which will redirect them to DataCamp’s sign-in page. On this page, they need to enter their email address and press Next. If this email is associated with a member who belongs to a group with SSO enabled, they will be redirected to the IdP login page to complete the sign in process. Here they will need to sign in with their SSO credentials. If this is successful, they will be redirected back to DataCamp with access to the platform.
Users receive an email when their organization enables and disables SSO
Similarly, if a member is removed from the organization or if SSO is disabled within the organization, they will receive email instructions prompting them to reset their password on DataCamp, allowing them to log in without SSO.
Additional Documentation with specific Identity Providers
Looking to set up an integration with one of the following IdPs? Check out our Help Documentation here:
We're also available as an application in Microsoft's Azure Gallery.
Inviting Members to your organization once SSO is enabled and required (Admins)
As mentioned before, we strongly recommend enforcing SSO for multiple reasons, with the primary benefit being that users will be automatically directed to use SSO for authentication, rather than having the option to choose an alternative authentication method. However, we'll be covering the option to use alternative authentication methods in our documentation, in case there are any circumstances in which SSO may not be suitable or available.
If SSO has been enabled and not set as required, the standard invite methods will continue to work without involving SSO at all.
If SSO has been set as required, then all of the invite flows will require users to sign in with their SSO credentials in order to accept it.
Note: For security purposes, if a user already has an existing account on DataCamp prior to being invited to your organization, you'll need to use one of the methods outlined below. Both options below have an additional verification step to confirm the user who is already on the platform is the same in your IdP.
Email Invites
You can invite a specific member by their email address. The advantage of this invite method is that you can also customize their permissions (e.g. make them an admin) during the invite process.
Note: If the person you are trying to invite already has an account on DataCamp, you'll need to invite them with their existing email on the platform in order for their account learning progress to transfer.
Invite Links
You can generate a standard invite link and customize the link to automatically add members to specific teams when they join using this method.
Some other advantages of this invite method:
- You can limit the invite to specific email domains. The domains can be added when creating the Invite link.
- Only learners with the link can sign up. You can avoid having to invite users separately by simply sharing the link to one or more of your learners in your own mediums.
Custom SSO Deep Link
An SSO Deep Link is any link to a page on DataCamp which contains your organization's SSO identifier. When a user clicks on this link, they will be automatically redirected to the IdP to sign in with SSO (if they aren't already signed in), and then redirected back to the page they originally intended to navigate to. If Just-in-time provisioning is enabled and they don't have a DataCamp account yet, we automatically provision one.
The format of any SSO Deep Link is: https://www.datacamp.com/groups/<GROUP_IDENTIFIER>/sso/saml/login?path=<PATH>
An example of a <PATH> would be "/home" to link to our homepage. You can direct SSO Deep links to specific courses and track pages.
If Just-in-time provisioning is enabled, this invite method can be used to create new accounts on DataCamp. This method can always be used to sign into accounts that have already been added to your organization. If a user has an existing account and is not already in the organization, they will be automatically added as a member upon login.
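Because the path parameter is a redirect target that the user lands on after authenticating, an admin publishing deep links should only ever put same-site paths in it. The following added example (not DataCamp's code, and not from this page) builds links in the format above and parses them back, rejecting path values that would leave www.datacamp.com; the group identifier "acme" and the course path are made-up placeholders, and the page does not say how DataCamp itself validates the parameter, so the check here is the one the admin applies before distributing a link.

```python
# Added example (not DataCamp's code): builds Custom SSO Deep Links in the format
# given above and parses them back, rejecting `path` values that would leave the
# site. The group identifier "acme" and the course path used in the usage lines
# are made-up placeholders.
from urllib.parse import parse_qs, urlencode, urlparse

DEEP_LINK_BASE = "https://www.datacamp.com/groups/{group}/sso/saml/login"


def is_safe_path(path):
    """True only for an absolute path on the same site.

    Rejects scheme-relative ("//evil.example") and backslash variants, and
    anything urlparse reads as carrying its own scheme or host, so the value
    cannot turn the post-login redirect into an open redirect.
    """
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return False
    parsed = urlparse(path)
    return parsed.scheme == "" and parsed.netloc == ""


def build_deep_link(group, path="/home"):
    """Return a deep link for `group` that lands on `path` after SSO login."""
    if not is_safe_path(path):
        raise ValueError(f"refusing to build a deep link with non-local path {path!r}")
    return DEEP_LINK_BASE.format(group=group) + "?" + urlencode({"path": path})


def parse_deep_link(url):
    """Return (group, path) for a well-formed deep link, else None.

    Validation is deliberately strict: exact host, the /groups/<id>/sso/saml/login
    shape, a present `path` query parameter, and a path that passes
    is_safe_path(). Anything else is treated as "not a deep link".
    """
    parsed = urlparse(url)
    parts = parsed.path.split("/")  # ['', 'groups', '<id>', 'sso', 'saml', 'login']
    if (parsed.scheme != "https" or parsed.netloc != "www.datacamp.com"
            or len(parts) != 6 or parts[1] != "groups" or not parts[2]
            or parts[3:] != ["sso", "saml", "login"]):
        return None
    paths = parse_qs(parsed.query).get("path")
    if not paths or not is_safe_path(paths[0]):
        return None
    return parts[2], paths[0]


if __name__ == "__main__":
    link = build_deep_link("acme", "/courses/intro-to-python")
    print(link)
    print(parse_deep_link(link))
```

Running the block prints the encoded link and the (group, path) pair recovered from it; a link whose path is "//evil.example/" or an absolute URL is refused at build time and parses as None.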
Link from Identity Provider
Depending on the specific IdP configuration, members can also enroll directly from within the IdP by selecting the DataCamp application in the directory.
If Just-in-time provisioning is enabled, this invite method can be used to create new accounts on DataCamp. This method can always be used to sign into accounts that have already been added to your organization. If a user has an existing account and is not already in the organization, they will be automatically added as a member upon login.
Note: Some Identity Providers, such as Degreed, do not support IdP-initiated login.
Link from Learning Management System (LMS) or Learning Experience Platform (LXP)
If you are using one of our existing LMS or LXP integrations, it's also possible to combine them with SSO so that users can seamlessly access DataCamp via SSO directly from the LMS or LXP. For more information, please read our LMS and LXP documentation.
This invite method can be used to create new accounts on DataCamp (if Just-in-time provisioning is enabled) or to sign into accounts that have already been added to your organization. If a user has an existing account and is not already in the organization, they will be automatically added as a member upon login.
Accessing DataCamp once your organization has enabled and required SSO (Members & Admins)
There are multiple ways your admin could invite you to an organization when SSO is enabled and required.
Email Invite
Your admin may invite you to join their DataCamp organization by email.
Note: If you have an existing DataCamp account under a different email address and you want your course progress to be reflected in the group, update the email in your profile before accepting the invite, then ask your admin to resend the invite (the admin's email address is included in the invite email). Otherwise, a separate account will be created.
When you're ready to accept, simply select Join Group in your email, or in your in-app notifications if you already have an account. You will be redirected to the Identity Provider (IdP) to sign in with your SSO credentials. If the login is successful, you will be redirected to DataCamp and have access to the organization in DataCamp.
Note: If SSO is optional, you’ll be redirected to sign up via the sign-up form. Since it’s optional, we won’t require you to go through your IdP!
Invite Link
If SSO is enabled and required, members who click on an invite link will be automatically redirected to the Identity Provider (IdP) to sign in with their SSO credentials.
Upon successful authentication:
- If a DataCamp account already exists with the email returned by the IdP, we'll ask the member to confirm ownership of that account by logging in to it (usually with the existing account's password). Once the member has confirmed they own the account with the email returned by the IdP, they will join the group.
- If no DataCamp account exists yet with that email, a brand new account will be created and the member will be redirected to accept the invite link and join the group.
Accessing via your IdP, LMS, LXP, or a custom SSO Deep Link
Members will also be able to add themselves to the organization by first logging into your IdP, finding the DataCamp application and clicking the application to join. Similarly, it's typically possible to join the organization via your LMS or LXP system (if your admin has configured it) or through a custom SSO Deep Link created by your admin. If the organization has Just-in-time provisioning enabled and you do not have a DataCamp account, using this invite method will create an account for you.
Note: For security purposes, if you have an existing DataCamp account and are not already in the organization, your admin will need to invite you with one of the alternative invite methods listed above.
If you try to join via a DataCamp invite link, but your organization no longer has available licenses, you will be added to a waitlist. Your admin will be informed you are trying to access the organization. If they approve your waitlist request, you will be added to the organization and will receive an email to confirm.
Signing In After Accepting An Invite
Once you've created a DataCamp account and are enrolled in your organization, you can log in to DataCamp with SSO in multiple ways.
Sign-in Page
You can go to our normal sign-in page here: https://www.datacamp.com/users/sign_in.
Enter your email (this should be the same email associated with your SSO credentials). As long as you are a member of the organization, we will detect that you need to log in with SSO and redirect you to your IdP to complete the sign-in process. Once complete, you will be redirected back to DataCamp to continue learning.
If SSO is enabled for your organization but not required, you will be able to log in with SSO (by clicking the "Use SSO" button on the sign-in page) or by using your DataCamp email and password.
Accessing via your IdP, LMS, LXP, or a custom SSO Deep Link
Members will also be able to log into DataCamp by first logging into your IdP, finding the DataCamp application and clicking the application. Similarly, you can typically log into DataCamp via your LMS or LXP system (if your admin has configured it) or through a custom SSO Deep Link created by your admin. Assuming you already have a DataCamp account and are a member of the group, this should only require one click to sign into DataCamp.
LMS identifiers
For customers that have an LMS integration with DataCamp, we provide an option to identify users by an LMS identifier, which may differ from their email or their NameID. This is handy in cases where your members might have different identifiers for all three (email, NameID, and their LMS ID), and you'd like to use a specific identifier for LMS integrations.
To support this feature, we accept the LMS identifier as a SAML attribute in the SAML response with any of the following names:
- lms_username
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lms_username
When this is sent to us, we record it and are able to use it in your LMS integrations with DataCamp, i.e. include it as the user identifier in user completion events.
Adding Users to Teams via SAML Attributes
We support the automatic addition of users to your DataCamp group's teams through SAML attributes by using the dc_groups SAML attribute. To use this feature, configure the dc_groups attribute in your Identity Provider (IdP) to include one or more team names as its values, where each team name is a string/text value.
For multiple teams, provide a multi-value attribute, for example:
<saml:Attribute Name="dc_groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Engineering</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">Marketing</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">Sales</saml:AttributeValue>
</saml:Attribute>
For a single team, you can provide a single-value attribute, for example:
<saml:Attribute Name="dc_groups"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Engineering</saml:AttributeValue>
</saml:Attribute>
To add a user to an existing team, the provided team name must match the team name configured in DataCamp; the comparison is case-insensitive, so "engineering" matches a team named "Engineering". If a specified team does not exist, we'll automatically create a new team and add the user to it.
Important note (#1): This feature is currently strictly additive only. This means we won't ever remove users from a team. If a user belongs to one or more teams, sending an empty dc_groups value, or omitting it entirely, will not remove the user from any teams.
Important note (#2): Currently, a user will not be added to the team(s) if during the SSO flow they end up on the waiting list, or have to confirm account ownership during the flow. This is due to a limitation on our side.
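To make the three rules above concrete (case-insensitive matching with auto-creation, additive-only updates, and no changes for waitlisted or ownership-confirmation logins), here is an added example that is not DataCamp's code and not from this page. It parses dc_groups out of a constructed AttributeStatement in the shape shown above and applies the rules against an in-memory team list; the team store and the two flags that stand for "ended on the waiting list" and "had to confirm account ownership" are assumptions made here.

```python
# Added example (not DataCamp's code): extracts dc_groups from the AttributeStatement
# of a SAML assertion and applies the team rules stated above. The in-memory team
# store and the waiting-list / ownership-confirmation flags are assumptions that
# stand in for DataCamp's own account handling.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample in the shape shown above, with the namespace declarations a
# real assertion carries. Note the lower-case "marketing" and the unknown team.
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="dc_groups"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Engineering</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">marketing</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Data Platform</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def dc_groups_from_statement(xml_text):
    """Return the list of team names in dc_groups, [] if the attribute is empty,
    or None if it is absent. Blank values are dropped."""
    root = ET.fromstring(xml_text)
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") == "dc_groups":
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                    if v.text and v.text.strip()]
    return None


def apply_team_membership(teams, memberships, user, requested,
                          on_waitlist=False, must_confirm_ownership=False):
    """Add `user` to each requested team, creating teams that do not exist.

    `teams` is the list of team names as configured in DataCamp (canonical
    spelling); `memberships` maps team name -> set of user emails. Returns the
    list of newly created teams. Rules from the page:
      - matching is case-insensitive, and the canonical name is kept;
      - additive only: an empty or absent dc_groups never removes anyone;
      - nothing is applied when the login ends on the waiting list or in an
        account-ownership confirmation step.
    """
    if on_waitlist or must_confirm_ownership or not requested:
        return []
    canonical = {name.lower(): name for name in teams}
    created = []
    for name in requested:
        team = canonical.get(name.lower())
        if team is None:
            team = name
            canonical[name.lower()] = name
            teams.append(name)
            created.append(name)
        memberships.setdefault(team, set()).add(user)
    return created


if __name__ == "__main__":
    teams = ["Engineering", "Marketing"]
    memberships = {"Engineering": {"bob@example.com"}, "Marketing": set()}
    requested = dc_groups_from_statement(SAMPLE_STATEMENT)
    print("created:", apply_team_membership(teams, memberships, "ada@example.com", requested))
    print(memberships)
```

One practical consequence of the auto-create rule is visible in the run: a typo or unexpected group name coming from the IdP silently becomes a new team in the organization, so the IdP-side attribute mapping deserves the same review as any other provisioning rule.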
Email Domain Whitelisting
Email Domain Whitelisting allows your organization to claim one or more email domains (e.g., yourcompany.com) and automatically direct users with matching email addresses to your Single Sign-On Identity Provider (IdP) during both the sign-in and sign-up flows.
Once your domain is whitelisted:
- Sign In Flow: When a user without an existing DataCamp account attempts to sign in using the DataCamp sign-in page, we check their email domain. If it matches a whitelisted domain, the user is automatically redirected to your organization's IdP, bypassing the sign-in page. Upon successful authentication in your IdP, they'll return to DataCamp with a newly created account. If Just-In-Time (JIT) provisioning is enabled, the user will also be automatically added to your organization's group.
This ensures a smooth onboarding experience for new users who may attempt to sign in to DataCamp directly.
Note: For users who already have a DataCamp account, we'll proceed with the standard login flow and attempt to authenticate them as usual.
- Sign Up Flow: If a new user signs up using a whitelisted domain, they will receive a notification that their organization already has a DataCamp subscription. The user will then be redirected to authenticate via your organization's IdP.
This ensures that new users are appropriately linked to your organization's DataCamp group and subscription after verifying their identity via SSO.
To initiate the Email Domain Whitelisting process, please contact your Customer Success Manager or DataCamp Support. As part of this process, we will verify that your organization controls the domain(s) you wish to claim.
Frequently asked questions (FAQ)
What happens if I enable SSO with members already in my DataCamp organization?
Once SSO is enabled, your existing members will receive an email prompting them to log in with their IdP credentials. From then on, while SSO is required for the organization, members must always log in with their IdP credentials.
What happens if an account created via SSO ends up exceeding the number of licenses that my organization has paid for?
The member will be added to the waiting list, and an e-mail will be sent out about this to all admins. After approval from one of these admins, a license will be added and the user will be able to use DataCamp.
Does DataCamp support IdP-initiated or Service Provider Initiated Single Sign-On?
DataCamp supports both IdP and SP (Service Provider) initiated Single Sign-On.
Is SSO supported on mobile?
Yes, SSO is supported on the mobile app.
Can I block access to mobile with Single Sign-On?
There's no DataCamp setting to block access to mobile with Single Sign-On. However, in the past clients have been able to block access on mobile on their side in their IdP configuration.
What happens if a member is removed from my organization on DataCamp?
If a member in your organization is removed as a Member in DataCamp, they will receive an email prompting them to create new login information. They will also be prompted to confirm their email address and create a new password. They will no longer have access to your organization or premium content as part of your subscription.
What happens if a member is removed from my IdP (Identity Provider)?
If you remove a member from your IdP and deactivate their IdP login credentials, they will no longer be able to log into DataCamp. Please note, the member will not automatically be removed from the DataCamp organization’s Members list; this will have to be done manually on the Members page. Please contact our support team if you need assistance in removing a member from your organization.
What happens if a member's email changes?
We heavily rely on the NameID format to uniquely identify users based on the login information provided by their organization.
If the NameID format is set to email, then changing the email essentially creates a new user identity, causing them to lose access to their original account.
If the NameID format is set to unspecified, changing the email is fine: we will automatically update it in our system as long as we can match the user by their NameID. The one case where this does not work is when the new email is already associated with another account.
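The identity-resolution behaviour described in this answer and in the "NameID Format" section above (employee ID stored on first login after the switch, email following the NameID on change, and the conflict when the new email is already taken) is shown end to end in the following added example. It is not DataCamp's code and not from this page: the UserStore is an in-memory stand-in for the account database, the action labels are invented for readability, and lower-casing email addresses before comparison is an assumption made here.

```python
# Added example (not DataCamp's code): resolves the subject of a SAML login to a
# stored account under the two NameID formats described on this page, including
# what happens when the email changes. The UserStore is an in-memory stand-in
# for the account database, and the lower-casing of email addresses is an
# assumption made here.

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


class UserStore:
    """Minimal account store: each user is a dict with 'email' and 'employee_id'."""

    def __init__(self):
        self.users = []
        # (employee_id, email) pairs, like the "Recently received mappings" list
        # shown in the SSO settings tab.
        self.recent_mappings = []

    def create(self, email, employee_id=None):
        user = {"email": email.lower(), "employee_id": employee_id}
        self.users.append(user)
        return user

    def find_by_email(self, email):
        return next((u for u in self.users if u["email"] == email.lower()), None)

    def find_by_employee_id(self, employee_id):
        return next((u for u in self.users if u["employee_id"] == employee_id), None)


def resolve_subject(store, configured_format, name_id, email_attr):
    """Return (user, action) for one SSO login.

    `configured_format` is the NameID format selected in DataCamp's SSO settings,
    `name_id` the NameID value the IdP sent, `email_attr` the mandatory email
    attribute. Actions: 'matched', 'created', 'mapping_stored', 'email_updated'.
    """
    if not email_attr:
        raise ValueError("email attribute is required with either NameID format")

    if configured_format == EMAIL_FORMAT:
        # The email *is* the identity: a changed email is a new user.
        user = store.find_by_email(name_id)
        if user is not None:
            return user, "matched"
        return store.create(name_id), "created"

    if configured_format == UNSPECIFIED_FORMAT:
        user = store.find_by_employee_id(name_id)
        if user is None:
            # First login after switching to "unspecified": the account may exist
            # but has no employee ID yet, so match on email and store the mapping.
            user = store.find_by_email(email_attr)
            if user is None:
                user = store.create(email_attr, name_id)
                action = "created"
            else:
                user["employee_id"] = name_id
                action = "mapping_stored"
            store.recent_mappings.append((name_id, user["email"]))
            return user, action
        if user["email"] != email_attr.lower():
            # Email changed but the NameID still matches: follow the NameID,
            # unless the new email already belongs to someone else.
            other = store.find_by_email(email_attr)
            if other is not None and other is not user:
                raise ValueError(f"{email_attr} already belongs to another account")
            user["email"] = email_attr.lower()
            return user, "email_updated"
        return user, "matched"

    raise ValueError(f"unsupported NameID format {configured_format!r}")


if __name__ == "__main__":
    store = UserStore()
    store.create("bob@example.com")
    print(resolve_subject(store, UNSPECIFIED_FORMAT, "10101010", "bob@example.com"))
    print(resolve_subject(store, UNSPECIFIED_FORMAT, "10101010", "robert@example.com"))
    print(store.recent_mappings)
```

The usage block walks one existing member through the switch to the unspecified format: the first login records the employee ID (and the mapping that would appear in the SSO settings tab), and the second login, with a new email but the same NameID, updates the email in place instead of creating a second account.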
Does DataCamp provide CA-signed certificates?
All certificates are self-signed by default. Please contact our support team if you require CA-signed certificates.
What if I get an error when trying to log in saying I don't have access to the DataCamp application?
If you get an error stating the DataCamp link isn't working, as in the screenshot below, or a more descriptive one such as the Azure AD error shown below:
These errors are raised by the IdP, so you will need to contact your administrator and ask for access to the DataCamp application. Unfortunately, this is not something that DataCamp can fix.
Why does DataCamp require configuring two ACS (Assertion Consumer Service) URLs in the IdP?
We require two ACS URLs to fully support both SP-initiated and IdP-initiated login flows. Both URLs must be configured to ensure authentication works correctly, whether users start the login process from the DataCamp sign-in page or directly from your identity provider (IdP).