Single Sign-On (SSO) For DataCamp Enterprise: An Overview

What is Single Sign-On? 

Single Sign-On (SSO) is a type of authentication that allows users to access multiple applications and services using a single set of login credentials.

DataCamp’s Enterprise SSO integration allows customers to manage their organization's members outside of DataCamp's pre-existing login and account creation flows.

Some of the benefits of SSO include:

  • Stronger security and reduced exposure to phishing

  • A simpler onboarding and member management process

  • Organization members will not need separate login credentials to access DataCamp

  • Better user experience: users are seamlessly provisioned an account and redirected to DataCamp content, all in one go

Prerequisites

In order to set up SSO, you must have a DataCamp Enterprise plan and be an admin of your organization. Feature and pricing information on upgrading to a DataCamp Enterprise plan can be found here.

At this time, DataCamp only supports SAML 2.0 integration. To set up SSO, you must have a SAML Identity Provider (IdP) configured. The IdP is the directory or database that contains the user and organization accounts.

Configuring Single Sign-On

Required Settings

Sign in to DataCamp and navigate to your Enterprise organization, then select Settings > SSO > Allow SAML 2.0.

To complete the integration, you must enter the information listed below, which is unique to your organization:

  • Entity ID/Issuer URL: This is provided by the IdP to uniquely identify your organization's domain.

  • Login URL/SSO Endpoint: This refers to the URL DataCamp is expected to call in order to request a user login from the IdP.

  • IdP Certificate: This is the Authentication certificate issued by your IdP.

SAML Attributes

Aside from this, it’s important to align SAML attribute names for important user information. DataCamp accepts the following claims: first name, last name and email.

Out of these 3, email is mandatory for the integration to work properly. First name and last name are optional but encouraged to provide the best user experience.

For these 3 fields, we accept a list of attribute names:

Email:

First name:

Last name:

Not sending one of these attributes will result in the corresponding value in DataCamp not being updated. In essence, this means that:

  • new users will have no first/last name;
  • users that were created before SSO was active will keep the first/last name that was set before

Providing an empty value for one (or more) of the attributes will, however, update the corresponding values in DataCamp. As such, users that had a first/last name before SSO was enabled will get an empty first/last name after the first time they log in successfully via SSO.

Once you have entered the correct information in both DataCamp and your IdP, the last step is to select Enable SSO, and then you're all set! SSO has been enabled for your organization.

Optional Settings

NameID Format

DataCamp supports two options for configuring the NameID format: 

  • nameid-format:emailAddress (default)

  • nameid-format:unspecified

If you want DataCamp to use your internal employee ID as the unique identifier instead of the email address, configure your IdP to send the NameID with the format "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" and the employee ID as its value. Then select "unspecified" in your DataCamp SSO settings. You still need to send the email address as an attribute, as it is required by our platform. Although optional, it is highly recommended that you also send FirstName and LastName as SAML attributes, as this is the only way for your learners' full names to be filled in on DataCamp.

Once the IdP has been configured to send the "unspecified" value and the setting has been changed in the DataCamp SSO settings, we will begin storing the employee ID for each user as they log in. If you update your configuration when you already have members in your organization, we will not have their employee ID until the next time they log in.

Even if you use employee ID as the unique identifier in your SSO configuration, each DataCamp account must have a unique email address. Therefore, if a new user joins via SSO with the same email address, but a different employee ID than someone in your organization, we will automatically archive the older account and grant access to the new user. If a user's account is archived, they can reach out to DataCamp Support to update their email address and reactivate their account. 

For certain LMS or LXP integrations, the employee ID might be required. In this case, you'll need to configure your SSO settings to send and store the employee ID as the unspecified NameID format. If we do not have an employee ID for any reason (e.g. the user hasn't logged in since you updated the configuration) we will not be able to send content completion information for this user until they log in and we have their employee ID stored. 

You can see the latest synced name ID mappings within the SSO configuration tab. Once we begin receiving mappings, you will see the latest appear like this:

Configured to receive NameID mappings. Recently received mappings:

  • Aug 12, 2020, 09:08 BST: 10101010 => example_user_1@example.com

  • Aug 12, 2020, 09:37 BST: 1020202 => example_user_2@example.com

The left value is the employee ID (e.g. 10101010) and the right value is the email.

If the mappings are incorrect, please contact our support team to reset them. 

Just-in-Time (JIT) Provisioning

If JIT Provisioning is enabled, DataCamp will automatically create an account and add new members to your organization after they sign in with SSO (via their IdP or LMS). Otherwise, members will need to be explicitly invited by an admin first before they can sign in with SSO.

[Screenshot: “Enable JIT provisioning” option]

If you only intend to make DataCamp available to a specific audience within your organization, it's recommended that you disable JIT provisioning, and instead use one of the other mechanisms of inviting users such as Invite Links. Note that JIT will never come into effect until you explicitly create and share a Custom SSO deep link (see below for more info).

SSO Login Enforced

If SSO is required, all members and admins will need to log in via the Identity Provider. If SSO is optional, then members and admins can log in via the Identity Provider or with the email and password associated with their DataCamp account.

If you have members in your organization when your SSO integration starts with SSO required, or when SSO is changed to become required, they will immediately be logged out of DataCamp and forced to re-authenticate themselves via SSO.

We strongly recommend enforcing SSO for multiple reasons, with the primary benefit being that users will be automatically directed to use SSO for authentication, rather than having the option to choose an alternative authentication method.

Note: Although we strongly suggest enforcing SSO, it is important to ensure that your SSO configuration is functioning properly before making it mandatory. As a precaution, we recommend leaving the setting optional until you are sure it works, to prevent the possibility of being locked out of the account. Currently, there is no alternative method for organization admins to log into the system; everyone must go through the same flow.


Enabling and Disabling SSO

Once you have finished configuring your SSO settings, you are ready to enable SSO. To enable SSO, click "Enable SSO" on the bottom of the form. 

When SSO is enabled, users will receive an email explaining that the organization has enabled SSO and that they will need to sign in again with their SSO credentials.

There is a link in the email which will redirect them to DataCamp’s sign-in page. On this page, they need to enter their email address and press Next. If this email is associated with a member who belongs to a group with SSO enabled, they will be redirected to the IdP login page to complete the sign in process. Here they will need to sign in with their SSO credentials. If this is successful, they will be redirected back to DataCamp with access to the platform.

[Screenshot: users receive an email when their organization enables and disables SSO]

Similarly, if a member is removed from the organization or if SSO is disabled within the organization, they will receive email instructions prompting them to reset their password on DataCamp, allowing them to log in without SSO.

Additional Documentation with specific Identity Providers

Looking to set up an integration with one of the following IdPs? Check out our Help Documentation here:

We're also available as an application in Microsoft's Azure Gallery. 

Inviting Members to your organization once SSO is enabled and required (Admins)

As mentioned before, we strongly recommend enforcing SSO for multiple reasons, with the primary benefit being that users will be automatically directed to use SSO for authentication, rather than having the option to choose an alternative authentication method. However, we'll be covering the option to use alternative authentication methods in our documentation, in case there are any circumstances in which SSO may not be suitable or available.

If SSO has been enabled and not set as required, the standard invite methods will continue to work without involving SSO at all.

If SSO has been set as required, then all of the invite flows will require users to sign in with their SSO credentials in order to accept it.

Note: For security purposes, if a user already has an existing account on DataCamp prior to being invited to your organization, you'll need to use one of the methods outlined below. Both options below have an additional verification step to confirm the user who is already on the platform is the same in your IdP.

Email Invites

You can invite a specific member by their email address. The advantage of this invite method is that you can also customize their permissions (e.g. make them an admin) during the invite process.

Note: If the person you are trying to invite already has an account on DataCamp, you'll need to invite them with their existing email on the platform in order for their account learning progress to transfer. If you are unsure, you can also generate a standard invite link which gives the member the option to merge their own account (the "Link account" flow).


Invite Links

You can generate a standard invite link and customize the link to automatically add members to specific teams when they join using this method.

Some other advantages of this invite method:

  • Members will have the opportunity to link an existing account if they happen to already have one on DataCamp. This is ideal if you want to have historical learning progress available in your organization's account, and so that members can continue from where they left off.

  • You can limit the invite to specific email domains. The domains can be added when creating the Invite link.

  • Only learners with the link can sign up. You can avoid having to invite users separately by simply sharing the link to one or more of your learners in your own mediums.


Custom SSO Deep Link

An SSO Deep Link is any link to a page on DataCamp which contains a company SSO identifier. When a user clicks on this link, they will be automatically redirected to the IdP to sign in with SSO (if they aren't already signed in), and then redirected back to the page they originally intended to navigate to. If Just-in-time provisioning is enabled and they don't have a DataCamp account yet, we automatically provision a new one for them.

The format of any SSO Deep Link is: https://www.datacamp.com/groups/<GROUP_IDENTIFIER>/sso/saml/login?path=<PATH>

An example of a <PATH> would be "/home" to link to our homepage. You can direct SSO Deep links to specific courses and track pages. 

If Just-in-time provisioning is enabled, this invite method can be used to create new accounts on DataCamp. This method can always be used to sign into accounts that have already been added to your organization. If a user has an existing account and is not already in the organization, they will be automatically added as a member upon login.

Link from Identity Provider

Depending on the specific IdP configuration, members can also enroll directly from within the IdP by selecting the DataCamp application in the directory.

If Just-in-time provisioning is enabled, this invite method can be used to create new accounts on DataCamp. This method can always be used to sign into accounts that have already been added to your organization. If a user has an existing account and is not already in the organization, they will be automatically added as a member upon login.

Link from Learning Management System (LMS) or Learning Experience Platform (LXP)

If you are using one of our existing LMS or LXP integrations, it's also possible to combine it with SSO so that users can seamlessly access DataCamp via SSO directly from the IdP. For more information, please read our LMS and LXP documentation.

This invite method can be used to create new accounts on DataCamp (if Just-in-time provisioning is enabled) or to sign into accounts that have already been added to your organization. If a user has an existing account and is not already in the organization, they will be automatically added as a member upon login.

Accessing DataCamp once your organization has enabled and required SSO (Members & Admins)

There are multiple ways your admin could invite you to an organization when SSO is enabled and required.

Email Invite

Your admin may invite you to join their DataCamp organization by email.

Note: If you have an existing DataCamp account under a different email address and you want your course progress to be reflected in the group, you can update your email in your profile before accepting the invite, then ask your admin to resend the invite (their email will be included in the invite email). Otherwise, you will create a separate account.

When you're ready to accept, simply select Join Group in your email, or in your in-app notifications if you already have an account. You will be redirected to the Identity Provider (IdP) to sign in with your SSO credentials. If the login is successful, you will be redirected to DataCamp and have access to the organization in DataCamp.

Note: If SSO is optional, you’ll be redirected to sign up via the sign-up form. Since it’s optional, we won’t require you to go through your IdP!

Invite Link

If SSO is enabled and required, members who click on these invite links will be brought to the following page with an option to "Link an Existing Account" or "Create New Account".

[Screenshot: invite link actions]

Members who already have a DataCamp account under a separate email address will have the opportunity to link their account so that they can maintain their learning progress.

In order to link their account, members will first need to sign in to DataCamp with their previous email and password. Afterward, they will be redirected to the IdP login page where they can log in with their SSO credentials. At this point, the account is linked and we’ve verified it’s the same member.

Alternatively, members can choose to create a new account if they don’t have a previous account to link or if they would prefer to create a new one. In this case, they will be immediately redirected to the IdP login page to sign in with SSO and will be redirected to DataCamp (with a brand new account!) if the login is successful.

Accessing via your IdP, LMS, LXP, or a custom SSO Deep Link

Members will also be able to add themselves to the organization by first logging into your IdP, finding the DataCamp application and clicking the application to join. Similarly, it's typically possible to join the organization via your LMS or LXP system (if your admin has configured it) or through a custom SSO Deep Link created by your admin. If the organization has Just-in-time provisioning enabled and you do not have a DataCamp account, using this invite method will create an account for you.

Note: For security purposes, if you have an existing DataCamp account and are not already in the organization, your admin will need to invite you with one of the alternative invite methods listed above.

If you try to join via a DataCamp invite link, but your organization no longer has available licenses, you will be added to a waitlist. Your admin will be informed you are trying to access the organization. If they approve your waitlist request, you will be added to the organization and will receive an email to confirm.

Signing In After Accepting An Invite

Once you've created a DataCamp account and are enrolled in your organization, you can log in to DataCamp with SSO in multiple ways. 

Sign-in Page

You can go to our normal sign-in page here: https://www.datacamp.com/users/sign_in

Enter your email (this should be the same email associated with your SSO credentials). As long as you are a member of the organization, we will detect that you need to log in with SSO and redirect you to your IdP to complete the sign-in process. Once complete, you will be redirected back to DataCamp to continue learning.

If SSO is enabled for your organization, but not required, you will be able to log in with SSO (by clicking the "Use SSO" button shown below) or by using your DataCamp email and password.

[Screenshot: the “Use SSO” button, shown if SSO is optional for your organization]

Accessing via your IdP, LMS, LXP, or a custom SSO Deep Link

Members will also be able to log into DataCamp by first logging into your IdP, finding the DataCamp application and clicking the application. Similarly, you can typically log into DataCamp via your LMS or LXP system (if your admin has configured it) or through a custom SSO Deep Link created by your admin. Assuming you already have a DataCamp account and are a member of the group, this should only require one click to sign into DataCamp.

LMS identifiers

For customers that have an LMS integration with DataCamp, we provide an option to identify users by an LMS identifier, which may differ from their email or their NameID. This is handy in cases where your members might have different identifiers for all three (email, NameID, and their LMS ID), and you'd like to use a specific identifier for LMS integrations.

To support this feature, we accept the LMS identifier as a SAML attribute in the SAML response with any of the following names:

  • lms_username
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lms_username

When this is sent to us, we record it and are able to use it in your LMS integrations with DataCamp, i.e. include it as the user identifier in user completion events.

Adding Users to Teams via SAML Attributes

We support the automatic addition of users to your DataCamp group's teams through SAML attributes by using the dc_groups SAML attribute. To use this feature, configure the dc_groups attribute in your Identity Provider (IdP) to include one or more team names as its values, where each team name is a string/text value. 

For multiple teams, provide a multi-value attribute, for example:

<saml:Attribute Name="dc_groups"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Engineering</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Marketing</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Sales</saml:AttributeValue>
</saml:Attribute>

For a single team, you can provide a single-value attribute, for example:

<saml:Attribute Name="dc_groups"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Engineering</saml:AttributeValue>
</saml:Attribute>

To add a user to an existing team, it's essential that the provided team name exactly matches the team name configured in DataCamp (case insensitive). If a specified team does not exist, we'll automatically create a new team and add the user to it.

Important note: This feature is currently strictly additive only. This means we won't ever remove users from a team. If a user belongs to one or more teams, sending an empty dc_groups value, or omitting it entirely, will not remove the user from any of their teams.
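As an added example (not DataCamp's own code), the Python below models how a single SSO login's SAML assertion updates a member according to the rules in this article: the mandatory email attribute, the omitted-versus-empty distinction for first/last name described in the SAML Attributes section, employee ID storage only when the "unspecified" NameID format is used on both sides, and the strictly additive, case-insensitive dc_groups behaviour. The attribute names for email, first name and last name and the sample assertion are assumptions, since the page does not list the accepted names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Assumed attribute names: the article says DataCamp accepts a list of names for
# these three claims but does not spell the list out, so these are placeholders.
ASSUMED_NAMES = {"email": "email", "first_name": "firstName", "last_name": "lastName"}

# Constructed sample assertion (not a real DataCamp exchange): employee ID as an
# "unspecified" NameID, a present-but-empty last name, and multi-valued dc_groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">10101010</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>example_user_1@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dc_groups">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>Marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID format, NameID value, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id.get("Format"), (name_id.text or "").strip(), attrs


def apply_sso_login(profile, xml_text, nameid_setting="emailAddress"):
    """Return a copy of profile as it looks after this login, per the article's rules."""
    fmt, name_id, attrs = parse_assertion(xml_text)
    email_values = attrs.get(ASSUMED_NAMES["email"], [])
    if not email_values or not email_values[0]:
        raise ValueError("email attribute is mandatory for the integration")
    updated = dict(profile)
    updated["email"] = email_values[0]
    # Employee ID is stored only when the IdP sends the unspecified format
    # AND "unspecified" is selected in the DataCamp SSO settings.
    if nameid_setting == "unspecified" and fmt == NAMEID_UNSPECIFIED:
        updated["employee_id"] = name_id
    # Omitted name attribute: value left untouched. Present but empty: cleared.
    for field in ("first_name", "last_name"):
        if ASSUMED_NAMES[field] in attrs:
            values = attrs[ASSUMED_NAMES[field]]
            updated[field] = values[0] if values else ""
    # dc_groups is strictly additive: existing teams matched case-insensitively,
    # unknown teams created, nobody removed (empty or missing value is a no-op).
    teams = {t.lower(): t for t in profile.get("teams", [])}
    for team in attrs.get("dc_groups", []):
        if team and team.lower() not in teams:
            teams[team.lower()] = team
    updated["teams"] = sorted(teams.values())
    return updated
```

Running it against a member who already had a first/last name and an "engineering" team shows the name being cleared by the empty lastName value, the incoming "Engineering" matched to the existing team rather than duplicated, and "Marketing" created.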

Frequently asked questions (FAQ)

What happens if I enable SSO with members already in my DataCamp organization?

Once SSO is enabled, your existing members will receive an email prompting them to log in with their IdP credentials. From then on, your members will always need to log in with their IdP credentials while they are a member of an organization with SSO enabled.

What happens if an account created via SSO ends up exceeding the number of licenses that my organization has paid for?

The member will be added to the waiting list, and an e-mail will be sent out about this to all admins. After approval from one of these admins, a license will be added and the user will be able to use DataCamp.

Does DataCamp support IdP-initiated or Service Provider Initiated Single Sign-On?

DataCamp supports both IdP and SP (Service Provider) initiated Single Sign-On. 

Is SSO supported on mobile?

Yes, SSO is supported on the mobile app.

Can I block access to mobile with Single Sign-On?

There's no DataCamp setting to block access to mobile with Single Sign-On. However, in the past, clients have been able to block access on mobile on their side in their IdP configuration.

What happens if a member is removed from my organization on DataCamp?

If a member in your organization is removed as a Member in DataCamp, they will receive an email prompting them to create new login information. They will also be prompted to confirm their email address and create a new password. They will no longer have access to your organization or premium content as part of your subscription.

What happens if a member is removed from my IdP (Identity Provider)?

If you remove a member from your IdP and deactivate their IdP login credentials, they will no longer be able to log into DataCamp. Please note, the member will not automatically be removed from the DataCamp organization’s Members list; this will have to be done manually on the Members page. Please contact our support team if you need assistance in removing a member from your organization.

Does DataCamp provide CA-signed certificates?

All certificates are self-signed by default. Please contact our support team if you require CA-signed certificates.

What if I get an error when trying to log in saying I don't have access to the DataCamp application?

If you get an error stating that the DataCamp link isn't working, or a more descriptive one, such as this one from Azure AD:

[Screenshot: Azure AD error]

These errors are happening on the IdP, so you will need to contact your administrator and ask for access to the DataCamp application. Unfortunately, this is not something that can be fixed by DataCamp.