Set up single sign-on with Microsoft Entra ID (formerly Azure) at Talent2Go
Written by Marietta Südkamp
Updated over a week ago

The Single Sign-on (SSO) authentication method is a paid Talent2Go add-on and allows you and all other Talent2Go users from your company to log in once and then access multiple applications and services without having to authenticate again. The login information is managed centrally, which contributes to increased security.

In the following article, you will learn how to set up SSO with Microsoft Entra ID in Talent2Go.

Requirements:

You need administrator access to both Talent2Go and Microsoft Entra ID, as well as the booked Talent2Go SSO add-on, to set up single sign-on.


Section 1 - Add Talent2Go at Microsoft to your company applications

  1. Select the Microsoft Entra ID service in the left navigation area.

  2. Select “Enterprise Applications” from the left menu.

  3. Click on “New application”.

  4. Click on “Create your own application”.

  5. Select “Talent2Go” as the name and the option “Integrate any other application not found in the catalog”.

  6. Click on “Manage” in the left menu and then on “Properties”. Here you can upload the Talent2Go icon for better identification. You can download the corresponding file in the correct dimensions here.


Section 2 - Preparing the Talent2Go SAML configuration

  1. Log in to Talent2Go

  2. Select the menu item Settings and switch to the company settings (appropriate rights required)

  3. Select the SSO tab

  4. Leave this browser tab open to be able to access the settings quickly and easily in the later steps.


Section 3 - Configuration of Entra ID SSO

  1. Go to the company applications and select the previously created app “Talent2Go”.

  2. Click on “Manage”, “Single sign-on” and “SAML”.

  3. Click on the pencil icon (Edit) under “Basic SAML configuration”.

  4. Switch to Talent2Go, copy the values one by one, paste them into Microsoft (see image) and click on “Save”.


Section 4 - Entra ID SSO configuration

  1. Once you have saved the basic SAML configuration, return to the “Single Sign-On” page in the Entra portal. We recommend refreshing the page before continuing with the instructions.

  2. Next, you need to download the certificate (Base64) and open the downloaded certificate file in a text editor.

  3. Copy the content of the Base64 certificate file and paste it into Talent2Go. To do this, click on the pencil and then fill in all the corresponding fields, see images:

  4. Once you have entered everything, check the “Active” box and click “Save”. If everything is correct, a green tick will appear.


Section 5 - Creating user roles and assigning users

  1. The next steps are in preparation for setting up the SCIM deployment

  2. Go back to the Microsoft Entra ID portal and select Talent2Go from the company applications.

  3. Look for the “Manage” section in the left menu and select “Users and Groups”.

  4. Click on “Application registration” and create the following app roles:

    Display name: Superadmin

    Allowed member types: Users / Groups

    Value: superadmin

    *Only 1 user per company can have the user role “superadmin”.

    Display name: Admin

    Allowed member types: Users / Groups

    Value: admin

    Display name: B2B Trainee

    Allowed member types: Users / Groups

    Value: azubi

    Display name: Trainer

    Allowed member types: Users / Groups

    Value: instructor

    Display name: HR

    Allowed member types: Users / Groups

    Value: hr

    Display name: Management

    Allowed member types: Users / Groups

    Value: management

    Display name: Responsible learning station

    Allowed member types: Users / Groups

    Value: responsible_learning_station

  5. The following applies to individual roles that you have created in Talent2Go:

    Display name: (freely selectable - will not be transferred to Talent2Go, only for your overview)

    Allowed member types: Users / Groups

    Value: (name of the individual role)

    e.g:

    Display name: Training mentor Elektro

    Allowed member types: Users / Groups

    Value: ausbildungspate_elektro

    Case 1 = If the user-defined role “Electrical training mentor” has not yet been created in Talent2Go, the role with the name “Electrical training mentor” is created in Talent2Go. In this case, all authorizations of the new role are set to “May not see”. The authorizations can be subsequently adjusted by an admin. The value “ausbildungspate_elektro” is automatically converted to “Abteilungsleiter Elektro” by the application.

    Case 2 = You could also first create a user-defined role “Electrical training mentor” in Talent2Go, adjust the permissions and then add an app role with the following values in Microsoft:

    Display name: Electrical training mentor

    Allowed member types: Users / Groups

    Value: ausbildungspate_elektro

    Important: The word separation for “value” should only be done using the character “_” (underscore).

  6. Once the roles have been created, you can return to “Users and groups”, assign yourself the “superadmin” app role and continue with the final steps in these instructions. At this point, you could also add all other people and assign the roles.

    Important when changing roles: The user roles can technically be changed both at Talent2Go and at Microsoft (e.g. from instructor to responsible learning station).

    Please note that you should make adjustments directly in Microsoft. A change in Talent2Go would be overwritten by Microsoft after the next login.
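
A pre-flight check for the role plan described in this section, as an added example that is not part of the original article or Talent2Go's own tooling. It checks the underscore rule for role values, the single-superadmin limit, and assignments that point at a role value that was never defined. The function name `audit`, the input shapes and the sample data are assumptions, and the value pattern assumes that words consist of letters and digits.

```python
import re
from collections import Counter

# Role values listed in Section 5 of this article.
BUILT_IN = {"superadmin", "admin", "azubi", "instructor", "hr",
            "management", "responsible_learning_station"}
# Assumption: words are letters/digits; the article only fixes "_" as separator.
VALUE_RE = re.compile(r"[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*")

def audit(app_roles, assignments):
    """Return a list of (severity, message) findings for a planned rollout.

    app_roles:   list of {"display_name", "value"} dicts (the Entra app roles)
    assignments: list of (user_email, role_value) tuples
    """
    findings = []
    values = [r["value"] for r in app_roles]
    for value, n in Counter(values).items():
        if n > 1:
            findings.append(("error", f"role value {value!r} defined {n} times"))
        if not VALUE_RE.fullmatch(value):
            findings.append(("error", f"role value {value!r}: separate words with '_' only"))
        elif value not in BUILT_IN:
            findings.append(("info", f"custom role {value!r}: if it does not exist in "
                             "Talent2Go yet, it is created with all permissions 'May not see'"))
    defined = set(values)
    for email, value in assignments:
        if value not in defined:
            findings.append(("error", f"{email}: assigned undefined role {value!r}"))
    admins = sorted(e for e, v in assignments if v == "superadmin")
    if len(admins) > 1:
        findings.append(("error", "more than one superadmin: " + ", ".join(admins)))
    return findings

# Constructed sample data (not from a real tenant).
SAMPLE_ROLES = [
    {"display_name": "Superadmin", "value": "superadmin"},
    {"display_name": "Trainer", "value": "instructor"},
    {"display_name": "Training mentor Elektro", "value": "ausbildungspate_elektro"},
    {"display_name": "IT support", "value": "it-support"},
]
SAMPLE_ASSIGNMENTS = [
    ("anna@example.com", "superadmin"),
    ("ben@example.com", "superadmin"),
    ("cara@example.com", "instructor"),
    ("dan@example.com", "hr"),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS):
        print(f"{severity.upper():5} {message}")
```

The "info" finding marks the Case 1 situation above: a custom role that reaches Talent2Go without permissions until an admin adjusts them.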


Section 6 - Validate and save

  1. Make sure that your Microsoft Entra ID Active Directory user matches the Talent2Go user's email address. Talent2Go uses the user email as the identifier for SSO.

  2. To test and validate the SAML configuration, go to the application you created, search for Manage on the left side and select Single Sign-On.

  3. Click the Test button at the bottom of the page.

  4. A new window will appear on the right-hand side. Click the “Test Login” button to start the test for the current user.

  5. Another tab should open in a few seconds. Sign in with your Microsoft account and verify that you are logged in to Talent2Go as the correct user in the correct entity. If everything works, you are done with the SAML configuration.


FAQ

Is it possible to log in to Talent2Go as a company user (e.g. trainee or trainer) without first being manually added to Talent2Go by an admin?

Yes, as soon as you have added a user to the created Microsoft App Talent2Go via Microsoft Entra, the user can log in to Talent2Go and is automatically assigned to your company account. Please note that you will need to add the master data afterwards.

Can our trainees or other roles in our company use the “Continue with Microsoft Account” function to log in?

No, unfortunately this is not technically possible. Login is either via the user ID (e-mail and password) or via the Microsoft app.

We want to let our internal IT department set up SSO via Microsoft Entra, how do we do this?

This is not a problem. As an administrator, you can simply create an individual role first, e.g. “IT support”. Now you can adjust the authorizations. The authorization for “Company settings” is important: here “May view and edit” must be selected. You can then invite the person in question via the master data and they can make the settings.

Does the Microsoft Entra connection also work in combination with other integrations?

Yes, it is possible to use Microsoft Entra in addition to another integration. Users who are only registered with Microsoft then log in via Entra ID. Users who are only registered with the integration will receive an email with a password during synchronization and can log in via login/password.

Users who are registered with both Microsoft and the integration receive an e-mail with a password during synchronization and can log in via login/password as well as via Entra ID. In the latter case, it is important that the e-mail addresses are the same.
