Ideagen Luminate logo Ideagen Luminate logo
Navigation
Need help?
Send feedback
Sign in
This page does not meet FedRAMP security standards. Please avoid entering sensitive or classified information. Learn more
Learn more
Learn more

Looking for help?

Common queries

View all

Send us feedback

Megaphone illustration

Before you start

This form is for Ideagen Luminate feedback only. Your submission will not receive a response.

Looking for support? Select the solution you need help with and open a ticket with us.
New article Recently updated

Migrating Workplace Training SSO to Ideagen Hub - IT guide

By Jake Goode
  • Last updated
⌘ K
Search this article
Print this article

Who is this article for?

SSO customers.

IT Administrators.

This guide walks your IT team through each required step for the Workplace Training SSO migration to Ideagen Hub.

1. Understanding mandatory participation and username requirements

Full user migration will proceed on the scheduled date regardless of whether your IDP configuration has been submitted. Completing this promptly is the best way to protect your users from disruption.

Important: Users who sign in via SSO should ensure their username is set to their email address. Any username not in email format will be automatically overwritten with the user's email address during migration. Please action this before migration begins.

2. Preparing before you begin

Make sure you have the following ready before attempting any configuration steps:

  • Entity ID — provided by Ideagen in the migration notification email
  • Redirect URL (ACS URL) — provided by Ideagen in the migration notification email
  • IDP admin access — your organisation's Identity Provider admin portal (e.g. Azure Entra AD, Okta, OneLogin)
  • IDP metadata — downloaded or copied from your IDP after configuration (see Configuring your IDP below)

If you have not received the migration notification email from Ideagen, contact Ideagen Support before proceeding: support.IdeagenWorkplaceTraining@ideagen.com

3. Understanding the migration timeline

The migration follows four milestones. Your Account Manager will confirm the specific dates for each ahead of your migration.

Milestone 1 — Ideagen sends you the Entity ID, Redirect URL, metadata template and IDP guide. Receive these credentials and keep them on hand.

Milestone 2 (IDP configuration window) — Complete configuring your IDP, completing the metadata template, and submitting to Ideagen Support.

Milestone 3 (Phase 1 — test accounts migrated to Hub) — Set the Hub IDP as your default, test your SSO login, report any issues to Support, then revert your default IDP.

Milestone 4 (Phase 2 — all users migrated to Hub) — Users receive a welcome email and complete a one-time password reset.

4. Configuring your IDP

Your IDP (Identity Provider) is the system that authenticates your users — typically Azure Entra AD, Okta, OneLogin, or a similar platform managed by your IT team.

First, check whether your IDP already has an existing SAML application configured for Workplace Training. If it does, use Option A. If not, use Option B.

Option A — Updating your existing Workplace Training SSO application

To update your existing application, follow these steps:

  1. Log in to your IDP admin portal.
  2. Locate the existing enterprise application or SAML integration used for Workplace Training.
  3. Update the Entity ID field (labelled Identifier (Entity ID) or Audience URI) with the new value provided by Ideagen.
  4. Update the Reply URL field (labelled Reply URL (ACS URL) or Single Sign-On URL) with the new Redirect URL provided by Ideagen.
  5. Save the configuration.
  6. Download or copy your IDP metadata — you will need this when completing the metadata template.

Note: Do not set this as your default IDP yet. That step comes in Phase 1 testing.

Option B — Creating a new SSO application

To create a new application, follow these steps:

  1. Log in to your IDP admin portal.
  2. Create a new enterprise application or SAML integration for Ideagen Hub.
  3. Enter the Entity ID in the field labelled Identifier (Entity ID) or Audience URI.
  4. Enter the Redirect URL in the field labelled Reply URL (ACS URL) or Single Sign-On URL.
  5. Configure any remaining SSO fields the same way as your existing Workplace Training SSO setup.
  6. Save the configuration.
  7. Download or copy your IDP metadata — you will need this when completing the metadata template.

Note: The exact steps vary by IDP platform. If you need platform-specific guidance for Azure AD, Okta, OneLogin or another provider, contact Ideagen Support and specify your platform.

For Azure Entra AD — example steps:

Open your existing application (or create a new one) and go to Single sign-on > SAML > Basic SAML Configuration. Add the new Entity ID and Reply URL provided by Ideagen into the configuration. Save when done.

5. Completing the metadata template

Once your IDP is configured, fill in the metadata template provided by Ideagen. The fields are explained below.

TenantURL — your Workplace Training URL. Example: https://yourcompany.IdeagenWorkplaceTraining.co.uk

Option To Set Up IDP — enter either Option A or Option B from the previous section. Example: Option A

MetadataType — how you are providing your IDP metadata. Enter File if you will attach an XML file, or URL if you will provide a metadata URL. Example: File

MetadataFileName — the filename of your XML metadata file. Must be .xml format and at least four characters. Leave blank if MetadataType is URL. Example: WT-Entra-metadata.xml

MetadataUrl — the SAML metadata URL from your IDP. Leave blank if MetadataType is File. For Microsoft Entra, the format is: https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>

IdpSignOut — enter TRUE to sign users out of your IDP when they log out of Hub. Enter FALSE to disable. Example: FALSE

EncryptedResponses — enter TRUE to encrypt SAML responses. Enter FALSE to disable. Example: TRUE

SignedRequest — enter TRUE to sign SAML requests. Enter FALSE to disable. Example: TRUE

AttributeMappings — maps Hub user fields to your IDP's SAML attributes. Format: hub-attribute:idp-saml-attribute. For multiple mappings, separate each pair with a pipe character.

Note: preferred_username and email are mandatory and must always be included.

Available Hub attributes: address, birthdate, email, email_verified, family_name, gender, given_name, name, nickname, phone_number, phone_number_verified, picture, preferred_username, profile, zoneinfo.

Example: preferred_username:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name|email:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

ProviderName — a display name for your IDP. Must be three to 32 characters, contain only letters, numbers and punctuation, no spaces or underscores, and be unique across all identity providers within your tenant. Example: WT-EntraSSO

Admin / test user accounts — email addresses of the accounts to be migrated in Phase 1. At least one is required. These accounts will receive a welcome email from Hub once migrated and will be used to verify your SSO configuration is working. Use the email address associated with your SSO login. Example: testadmin@yourorg.com

IDP Platform — the name of your IDP platform. Example: Azure Entra AD

Technical contact — name and email of the IT contact responsible for this configuration. Example: Jane Smith, it@yourorg.com

Note: If MetadataType is File, remember to attach the XML metadata file alongside the completed template when you submit.

6. Submitting to Ideagen Support

Once your IDP is configured and your template is complete, submit your configuration to Ideagen Support.

To submit your configuration, follow these steps:

  1. Email your submission to support.IdeagenWorkplaceTraining@ideagen.com.
  2. Attach the completed metadata template.
  3. Attach the IDP metadata XML file if your MetadataType is File.
  4. Include the name of your IDP platform in your message.
  5. Confirm the email addresses of all test user accounts listed in the template.

Important: Phase 2 full user migration will proceed on the scheduled date regardless of submission status. Submit on time to avoid login disruption for your users.

7. Testing your SSO login (Phase 1)

Before you start testing, set the Hub IDP configuration as your default in your IDP portal.

Validation steps

To validate your SSO configuration, follow these steps:

  1. Open the Hub URL from your welcome email in a browser.
  2. Click the SSO sign-in option. The button label will match the ProviderName you entered in the metadata template.
  3. You will be redirected to your organisation's IDP login page. Enter your credentials as usual.
  4. On successful authentication, you will be redirected back to Hub and logged in automatically.
  5. Verify that your user role is correct and your expected content is visible.

Important: Do not use your usual Workplace Training URL for this test. At this stage, the connection between Hub and Workplace Training is not yet active — it will only be enabled once Phase 2 is complete. You are testing that your SSO configuration is working and that users can successfully log in to Hub via your IDP.

Once testing is complete, revert your default IDP setting back to your original configuration. If no issues are reported before Phase 2 begins, migration will proceed as scheduled.

8. Troubleshooting login failures

Before contacting Support, check these common causes:

  • The Entity ID or Reply URL in your IDP does not exactly match what Ideagen provided — check for trailing slashes or extra spaces
  • The test user account has not been assigned to the Hub application in your IDP
  • A firewall rule or Conditional Access policy is blocking the authentication redirect

If you cannot resolve the issue, contact Support with the error message and your IDP platform name. Report all issues before Phase 2 begins. If no issues are reported, Phase 2 will proceed as scheduled.

9. Understanding what happens at Phase 2

All users will be migrated to Hub during the Phase 2 window. Tenants migrate gradually across this period — Ideagen will confirm your specific date in advance.

If you chose Option A (updated your existing application) when configuring your IDP, you will need to set the Entity ID and Redirect URL configured in that step as the default in your IDP before Phase 2 begins. This ensures all users are routed through the correct SSO configuration on login.

If you chose Option B (created a new application) when configuring your IDP, no further changes to your default IDP setting are required before Phase 2.

Once migration is complete, all users will receive a welcome email from Hub and will need to complete a one-time password reset before logging in.

10. Getting support

If you have questions at any point during this process, contact the Workplace Training support team.

Email: support.IdeagenWorkplaceTraining@ideagen.com

Please include your organisation name, the email address of an affected user, a description of the issue, and your IDP platform name. Where possible, include any error messages displayed.

11. Further Reading

What do you think about this article?

Your feedback helps us improve

More articles in this section

Looking for more help? Ask the Community

On this page

Powered by Zendesk