How SSO works

When a learner accesses a Percipio link, Percipio sends a request to the Identity Provider (IdP) for authentication. That request can be processed in one of the following ways:

  • If the learner exists in the IdP and has permission to access Percipio, then the IdP sends User Details and a Success response back to Percipio. Percipio then verifies that the learner in the SAML response has an account.

      • If an account exists, then Percipio updates any account information and logs the user in.

      • If the account does not exist, and auto-create is enabled, Percipio automatically creates a new account with information from the IdP.

  • If the learner does not exist in the IdP or does not have permission to access Percipio, the IdP sends a Failure response back to Percipio and Percipio denies access.

Similar to the sign-in account creation process, when learners launch a Skillsoft content asset in your LMS, the item opens in Percipio. This is accomplished using single sign-on (SSO). For first-time users, this SSO process creates a new account, enabling Percipio to store user activity and manage the user experience.

[Figure: flow chart showing the Percipio user, Percipio, and the corporate SAML identity provider]

Both account creation processes can also be used to determine which Skillsoft content should be licensed to the user, enabling you to deliver purchased content to specific target audiences. Some deployment scenarios may require a more complex user management process that uses configurable user attributes and could be served through other methods, such as an integration with your HR system.

You can identify a user attribute any way you want in Percipio and map it to a relevant field from your identity provider. If you want to capture more user attributes than your identity provider offers, you can pair SSO with a data feed from an HRIS system. See Approaches for Creating User Accounts for additional details.
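The decision flow and attribute mapping described above, as an added Python sketch that is not Percipio's code. The names `handle_response`, `ATTRIBUTE_MAP` and the `accounts` dictionary are hypothetical, the sample response is constructed and unsigned, and the code assumes the response signature has already been verified before this function is called.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical mapping: IdP attribute name -> SP-side user attribute.
ATTRIBUTE_MAP = {"mail": "email", "givenName": "first_name", "dept": "department"}
# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="dept"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="badge"><saml:AttributeValue>1234</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def handle_response(xml_text, accounts, auto_create):
    """Return (decision, account) for a response whose signature was already verified."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return "deny", None                    # IdP sent a failure response
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return "deny", None                    # refuse missing or duplicated assertions
    name_id = assertions[0].findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return "deny", None                    # success without a subject is unusable
    mapped = {}                                # keep only explicitly mapped attributes
    for attr in assertions[0].iterfind("saml:AttributeStatement/saml:Attribute", NS):
        target = ATTRIBUTE_MAP.get(attr.get("Name"))
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if target and value is not None:
            mapped[target] = value
    if name_id in accounts:
        accounts[name_id].update(mapped)       # existing account: refresh details
        return "login", accounts[name_id]
    if auto_create:
        accounts[name_id] = mapped             # first-time user: create the account
        return "created", accounts[name_id]
    return "deny", None  # assumption: the page does not describe this case
```

Unmapped IdP attributes (here `badge`) are dropped rather than stored, so only fields you have deliberately mapped reach the account record.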

SAML Technology in Percipio

| Parameter | Description |
|---|---|
| Service Provider (SP) Initiated Login | Service Provider Initiated means the user accesses Percipio first and is then redirected back to their IdP to authenticate. This login method is the only one that supports “share links” from LMS deployments. |
| Identity Provider (IdP) Initiated Login | IdP Initiated means the user can be pre-authenticated by your system before being directed to the platform. |
| SAML Signed Authentication Requests | Supports sending signed authentication requests to your identity provider, if required. |
| SAML Encrypted Authentication Requests | Supports sending encrypted authentication requests to your identity provider, if required. |
| SAML Signed Response | Supports signed SAML responses from your identity provider. |
| SAML Encrypted Response | Supports encrypted SAML responses from your identity provider. |

Security certificates

Signing and Encryption certificates – Percipio uses a Skillsoft-issued self-signed certificate for all deployments.