SLAMM (Sponge Licence and Module Manager) is a training delivery system that makes distributing and accessing modules secure, auditable, and consistent, so you can meet compliance requirements and protect learner data.
This article explains how SLAMM works, what information is exchanged, how your training is protected and performance considerations.
How training is delivered
When you access SLAMM content, here's what happens:
-
Your browser prepares data
- Your LMS user ID is hashed (SHA-256). This is a one way process, which means your original ID cannot be recovered.
-
Request for relayed content
- Your browser sends the hashed ID and relay file ID (from the relay zip file) to Sponge servers using HTTPS, which is a secure way of sending data.
-
Access confirmation
- Sponge checks if your hashed ID has accessed the training before, and whether there are licences available.
-
Training is relayed to you
- If access is allowed, Sponge sends back a token and the location of the content.
- Your browser relays the training content from Sponge servers so you can access it.
Information Sent and Received
| Question | SLAMM Implementation |
| What data is exchanged? | Hashed user ID and relay file ID sent from your browser token and content URL returned from Sponge |
| How is data transmitted | All communication is via HTTPS |
| Encryption Used? | User ID is hashed with SHA-256 (one way, unrecoverable). Communication is encrypted with HTTPS/SSL |
| Third-Party Servers? | All communication and content delivery is done via Sponge servers hosted on AWS. No third party server are involved. |
Performance Considerations
- SLAMM content is delivered from AWS, providing reliable performance.
- Relay files are small and can be tested in an LMS before full deployment.
Click here for example relay file
Technical details - for IT Teams
Data exchanged
- The browser hashes the LMs user ID (unrecoverable) and sends it along with the Relay file ID to Sponge servers.
- The server checks if the hashed ID has accessed the content before and whether licences are available.
- If access is allowed, the server returns a token and the content URL.
- The browser loads the training content in and iframe using the token.
Transmission
- All communication between the browser and Sponge servers is done via HTTPS.
Encryption
- The LMS user ID is hashed using SHA-256
- Communication is encrypted via HTTPS/SSL.
Servers
- All content and communication occur exclusively on Sponge servers hosted on AWS.
- No third-party servers are involved.
Relay files
- Should be tested in an LMS before full deployment to verify launch and behaviour.
Whitelisting
If your organisation is delivering content from SLAMM, ensure the following domain is allowed:
- content.spongelearning.com
For further information on whitelisting and product specifications please visit this article.