**IMPORTANT** Activating SAML authentication will prevent users from being able to login with a Schoolobjects account. If you activate SAML with errors in the configuration setup, you will need to contact the Eduphoria support team to disable SAML due to the fact that you won't be able to log in. Eduphoria's support team must be made aware of when your district is making the configuration change so they can be on standby.
**NOTE** To support electronic signatures with SAML we must require users to authenticate with the IdP every time they access the software. This ensures that the proper user is logged in if a different user signed a document on the machine earlier.
SAML authentication is optional and is hidden by default. Email support@eduphoria.net to enable the SAML configuration tab.
The following instructions apply to AD FS in Windows Sever 2016 and 2019. Some information and screens may look different in older versions.
Schoolobjects Configuration
From the home screen in Schoolobjects, click the Management icon.
Click on Directory Services in the left pane
Click on the SAML tab
Below are examples of what the SAML2 Single Sign in URI and SAML2 Single Sign out URL should look like. You will need to change the beginning of these URLs to match your ADFS or ADFS WAP URLS
SAML2 Single Sign in URI - https://yourservicename.yourdomainname.com/adfs/ls
SAML2 Single Sign out URI - https://yourservicename.yourdomainname.com/adfs/ls
To acquire the SAML2 Public Signing Certificate first download the metadata file from your ADFS server. Modify the link below and replace "yourservicename.yourdomainname.com" with the URL of your ADFS or ADFS WAP server and put it in a browser.
https://yourservicename.yourdomainname.com/FederationMetadata/2007-06/FederationMetadata.xml
A FedarationMetadata.xml file should download. Open the file and copy the entire value within the first <X509Certificate> tags. Paste the value in the SAML2 Public Signing Certificate box.
DO NOT check the box to Enable SAML2 yet.
Click Save at the top of the page.
ADFS Configuration
In AD FS Management open "Relying Party Trusts". Choose the Action "Add Relying Party Trust...".
On the first screen of the wizard choose "Claims aware" and click Start.
On the next screen, choose "Import data about the relying party online or on a local network". You should enter "https://{districtUrl}.schoolobjects.com/AuthHosted/Saml2/Metadata" and click Next >.
For the display name enter "Eduphoria" and click Next >.
On the next screen, limit permissions to only those who should have access to Eduphoria Apps. This should include most or all staff.
Click next through the remaining screens and exit the configuration.
Configuring Claims
Once complete, right click on the new Eduphoria Relying party and choose "Edit Claim Issuance Policy...". On the screen that pops up choose Add Rule. A new wizard will start.
On the first screen choose Send Claims Using a Custom Rule from the drop down list, and click Next >.
Give the claim rule a name ex: "AD Claims". Enter the text below for the Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"] => issue(store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"),
query = ";givenName,sn,mail,objectGUID;{0}", param = c.Value);
Your screen should look like the example below.
Finish the wizard, and click OK on the Claims Issuance Policy window.
Back at the Claim Issuance Policy screen, click Add Rule again. A new wizard will start.
On the first screen choose Send Claims Using a Custom Rule from the drop down list, and click Next >.
Give the claim rule a name ex: "Name ID". Enter the text below for the Custom Rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
In Schoolobjects, open the Management application, click on Directory Services, select the SAML tab, check the box to Enable SAML2, then click Save at the top.
Your AD FS configuration for Eduphoria should be complete.
Comments
0 comments
Article is closed for comments.