SP-initiated Single Sign-On (SSO) with SAML

Why SSO with Mettl

To spare users from remembering multiple credentials, or from working through an endless string of registration fields before they can reach an assessment, Mettl supports a smooth integration between your system and Mettl's assessment engine using Service Provider (SP)-initiated SSO with SAML.

SSO reduces compliance and security risk because user authentication stays under the control of your Identity Provider:
  1. A user logs in once and gains access to the Mettl account without being prompted to log in again. SSO also lets the applications share attributes about the user (for example the email address), which is both convenient and a secure practice for the client.
  2. Test takers/candidates likewise do not need to remember multiple credentials and get a seamless transition between applications: redirect them from your account directly to Mettl's platform, improving the test-taking experience.

About SAML

Security Assertion Markup Language (SAML) is a standard protocol for web browser Single Sign-On (SSO) using signed security tokens (assertions). With SAML the SaaS application never receives or stores the user's password: the user authenticates to the Identity Provider, which uses standard cryptography and digital signatures to pass a signed sign-in token to the SaaS application.

SAML SSO works by transferring the user’s identity from one place (the Identity Provider) to another (the Service Provider). This is done through an exchange of digitally signed XML documents.

Prerequisites to Configure SSO

You must have an SSO metadata XML URL of your SAML 2.0-compatible Identity Provider (IdP).

To configure SSO in your account, share this metadata XML URL with your Account Manager, mentioning whether it should be enabled for the Admin flow or for the Test Taker/Candidate flow.

Mettl's Metadata URLs

Test-taker/Candidate-side SSO - https://tests.mettl.com/saml/metadata
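The metadata exchange described in the prerequisites, as an added example that is not Mettl's code: parse a SAML 2.0 metadata document with the Python standard library, pull out the SSO endpoints and certificates, and pin the IdP signing certificate by its fingerprint (the fingerprint the Service Provider later checks the response against). Both metadata documents below, their entity IDs, endpoints and the base64 "certificate" bytes are constructed for the example. The same parser reads an SP document of the kind published at a metadata URL, which is where an SP's encryption certificate is found.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata. A real document carries the DER certificate in base64;
# here the base64 payload is filler bytes so the example runs offline.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBkTCB+wIJAK1a2B3c4D5eMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBnRlc3QtaWRw
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata of the shape a Service Provider publishes. The certificate
# the IdP must encrypt responses to is the KeyDescriptor with use="encryption".
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>QUJDRA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER certificate (AB:CD:...), as admin consoles show it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_metadata(xml_text):
    """Return entityID, endpoints by binding, and DER certificates by use.

    Works for an IDPSSODescriptor or an SPSSODescriptor. A KeyDescriptor without a
    'use' attribute may serve both purposes, so it is filed under both."""
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("metadata has neither IDPSSODescriptor nor SPSSODescriptor")
    certs = {"signing": [], "encryption": []}
    for kd in role.findall("md:KeyDescriptor", NS):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop PEM-style line breaks
            for use in uses:
                certs[use].append(der)
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location") for s in role.findall("md:SingleSignOnService", NS)},
        "acs": {s.get("Binding"): s.get("Location") for s in role.findall("md:AssertionConsumerService", NS)},
        "certs": certs,
    }


def certificate_matches(der, pinned):
    """Constant-time check of a presented certificate against the pinned fingerprint;
    the pinned value may be given with or without colons, in either case."""
    presented = fingerprint(der).replace(":", "").lower()
    return hmac.compare_digest(presented, pinned.replace(":", "").lower())
```

In production fetch the metadata over TLS, parse untrusted XML with defusedxml rather than the bare standard-library parser, and record the signing-certificate fingerprint out of band (for example with the Account Manager when SSO is configured): pinning the fingerprint means that whoever can alter what the metadata URL serves still cannot swap in their own signing key unnoticed.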

SAML Scenarios

Admin

A user is logged into a system that acts as an Identity Provider (IdP). The user wants to log in to a remote application (the Service Provider), which in this case is Mettl. The following happens:
  1. To begin the process of SSO, the user needs to visit https://mettl.com/corporate/login and click on ‘Login with Single Sign-On’.
  2. Mettl identifies the user's origin and redirects the user back to the Identity Provider, asking for authentication. This is the authentication request (the SAML AuthnRequest).
  3. The user either has an existing active browser session with the Identity Provider or establishes one by logging into the Identity Provider.
  4. The Identity Provider builds the authentication response as an XML document containing the user's email address, signs it with the private key of its X.509 signing certificate, and posts this response to the Service Provider through the user's browser.
  5. The Service Provider (Mettl), which already knows the Identity Provider and holds the fingerprint of its signing certificate, receives the authentication response and validates the signature against that certificate. Mettl supports encrypted SAML responses in this scenario; the encryption certificate is published at Mettl's metadata URL.
  6. The identity of the user is established and the user is logged in to Mettl.
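Step 2 of this flow, the authentication request, as an added example that is not Mettl's code: the Service Provider encodes a SAML AuthnRequest on the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded into the SAMLRequest parameter), and the Identity Provider decodes and vets it before authenticating the user. The entity IDs, endpoint URLs and the IdP's registry of Service Providers are assumptions made for the example.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed identifiers for the example (not Mettl's real values).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_SSO_URL = "https://idp.example.test/saml/sso/redirect"  # HTTP-Redirect endpoint from IdP metadata
# The IdP's registry of Service Providers: entityID -> ACS URLs registered for it.
REGISTERED_SPS = {SP_ENTITY_ID: {ACS_URL}}


def build_authn_request(now, acs_url=ACS_URL):
    """SP side: build the AuthnRequest and the redirect URL that carries it.

    HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into
    the SAMLRequest query parameter. Returns (request_id, url); the SP keeps request_id
    to match the InResponseTo of the Response that comes back."""
    request_id = "_" + secrets.token_hex(16)  # unguessable, so a Response can be tied to this request
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 selects raw DEFLATE
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{IDP_SSO_URL}?{query}"


def decode_authn_request(url):
    """IdP side: recover the AuthnRequest XML from the redirect URL."""
    b64 = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def idp_check_request(url):
    """IdP side: vet the request before showing a login page or reusing the session.

    Raises ValueError if the request is not for this IdP, the SP is unknown, or the SP
    asks for an ACS URL it never registered (honouring that would deliver the signed
    assertion to an attacker's endpoint)."""
    root = ET.fromstring(decode_authn_request(url))
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    acs = root.get("AssertionConsumerServiceURL")
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Destination") != IDP_SSO_URL:
        raise ValueError("request not addressed to this IdP")
    if issuer not in REGISTERED_SPS:
        raise ValueError("unknown SP")
    if acs not in REGISTERED_SPS[issuer]:
        raise ValueError("ACS URL not registered for this SP")
    return {"id": root.get("ID"), "issuer": issuer, "acs": acs}


def request_rejection(url):
    """The ValueError message for a rejected request, or None when the IdP accepts it."""
    try:
        idp_check_request(url)
    except ValueError as exc:
        return str(exc)
    return None
```

The IdP-side check matters because the ACS URL in the request decides where the signed assertion is delivered: an IdP that honours whatever ACS URL a request names, instead of the one registered for that SP, hands assertions to anyone who can craft a request.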

Test Taker/Candidate

A user is logged into a system that acts as an Identity Provider. The user wants to take a test on a remote application (the Service Provider), which in this case is the Mettl test window. The following happens:
  1. To begin the process of SSO, the client links the 'Take Test' button of their application to the URL https://tests.mettl.com/test-window/<access-key>.
  2. The user clicks the 'Take Test' button in the application.
  3. Mettl (the Service Provider) identifies the user's origin (by application subdomain, user IP address, or similar) and redirects the user back to the Identity Provider, asking for authentication. This is the authentication request (the SAML AuthnRequest).
  4. The user either has an existing active browser session with the Identity Provider or establishes one by logging into the Identity Provider.
  5. The Identity Provider builds the authentication response as an XML document containing the user's first name, email address, and any other mandatory fields configured in the Mettl account, signs it with the private key of its X.509 signing certificate, and posts this response to the Service Provider through the user's browser.
  6. The Service Provider (the Mettl test window), which already knows the Identity Provider and holds the fingerprint of its signing certificate, receives the authentication response and validates the signature against that certificate. Mettl supports encrypted SAML responses in this scenario; the encryption certificate is published at Mettl's metadata URL.
  7. The identity of the user is established and the test is loaded for the test taker/candidate.
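Steps 4 to 6 of the Admin flow and 5 to 7 of the Test Taker/Candidate flow, as an added example that is not Mettl's code: the Identity Provider posts a constructed Response on the HTTP-POST binding and the Service Provider checks it before establishing the user's identity. The entity IDs, ACS URL and the base64 certificate bytes are assumptions for the example. The XML-DSig signature verification itself is delegated to a SAML library (xmlsec or python3-saml) and is not implemented here; the code performs the checks that surround it: the signing certificate must be the pinned one, and the Response must be addressed to this SP, answer a request this SP actually made, come from the configured IdP, report success, name this SP as audience and lie within its validity window.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ISO = "%Y-%m-%dT%H:%M:%SZ"

# Assumed identifiers for the example (not Mettl's real values).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/saml"
# Filler bytes standing in for the base64 DER of the IdP signing certificate.
IDP_CERT_B64 = "MIIBkTCB+wIJAK1a2B3c4D5eMA0GCSqGSIb3DQEBCwUAMBExDzANBgNVBAMMBnRlc3QtaWRw"


def fingerprint(der):
    """SHA-256 fingerprint in the AB:CD:... form shown in admin consoles."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


PINNED_FINGERPRINT = fingerprint(base64.b64decode(IDP_CERT_B64))  # recorded when SSO was set up


def _instant(s):
    return datetime.strptime(s, ISO).replace(tzinfo=timezone.utc)


def _require(cond, msg):
    if not cond:
        raise ValueError(msg)


def idp_issue_response(request_id, issue, email, first_name, cert_b64=IDP_CERT_B64):
    """IdP side: a constructed Response, base64-encoded as the SAMLResponse form field of
    the HTTP-POST binding. ds:Signature carries only the KeyInfo here; a real IdP also
    emits SignedInfo and SignatureValue computed over the Assertion."""
    t, nb, na = (d.strftime(ISO) for d in (issue, issue - timedelta(minutes=1), issue + timedelta(minutes=5)))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="{t}" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>{email}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>{first_name}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_response(form_field, expected_request_id, now, skew=timedelta(minutes=2)):
    """SP side: reject a Response not addressed to us, not answering our request, not from
    the pinned IdP, or outside its validity window. Raises ValueError; returns the identity
    the SP may act on."""
    root = ET.fromstring(base64.b64decode(form_field))
    _require(root.tag == f"{{{NS['samlp']}}}Response", "not a samlp:Response")
    _require(root.get("Destination") == ACS_URL, "Destination is not our ACS URL")
    _require(root.get("InResponseTo") == expected_request_id, "InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(status is not None and status.get("Value") == SUCCESS, "IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        _require(issuer is not None and (issuer.text or "").strip() == IDP_ENTITY_ID, "Issuer is not the configured IdP")
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    _require(cert is not None, "Assertion carries no signing certificate")
    der = base64.b64decode("".join(cert.text.split()))
    _require(hmac.compare_digest(fingerprint(der), PINNED_FINGERPRINT), "signing certificate is not the pinned IdP certificate")
    # The XML-DSig check proper (SignedInfo digests and SignatureValue over the canonicalised
    # Assertion, verified with this certificate's key) belongs here; it is delegated to
    # xmlsec/python3-saml in production and is not implemented in this example.
    cond = a.find("saml:Conditions", NS)
    _require(cond is not None, "Assertion has no Conditions")
    _require(now + skew >= _instant(cond.get("NotBefore")), "Assertion not yet valid")
    _require(now - skew < _instant(cond.get("NotOnOrAfter")), "Assertion expired")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(SP_ENTITY_ID in audiences, "Assertion is not addressed to this SP")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def rejection_reason(form_field, expected_request_id, now):
    """The ValueError message for a rejected Response, or None when it is accepted."""
    try:
        validate_response(form_field, expected_request_id, now)
    except ValueError as exc:
        return str(exc)
    return None
```

The fingerprint comparison is what the steps above call validating with the certificate fingerprint, and it has to happen before the signature is trusted: a signature that merely verifies against the certificate embedded in the Response proves only that whoever sent the Response also signed it. The InResponseTo check ties the Response to a request this SP issued, which rejects replayed and unsolicited Responses; the Destination and Audience checks stop an assertion issued for another Service Provider from being accepted here.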