**IMPORTANT** Activating SAML authentication will prevent users from logging in with an Eduphoria account. If you activate SAML with errors in the configuration, you will not be able to log in and will need to contact the Eduphoria support team to disable SAML. Let Eduphoria's support team know when your district is making the configuration change so they can be on standby.
Note: To support electronic signatures with SAML, we must require users to authenticate with the IdP every time they access the software. This ensures that the proper user is logged in if a different user signed a document on the machine earlier.
SAML authentication is optional and is hidden by default. Email support@eduphoria.net to enable the SAML configuration tab.
The following instructions apply to AD FS in Windows Server 2016 and 2019. Some information and screens may look different in older versions.
Eduphoria Configuration
From the home screen in Eduphoria, click the Management icon.
Click on Directory Services in the left pane.
Click on the SAML tab.
Below are examples of what the SAML2 Single Sign In URI and SAML2 Single Sign Out URI should look like. Change the beginning of these URLs to match your ADFS or ADFS WAP URL.
SAML2 Single Sign in URI - https://yourservicename.yourdomainname.com/adfs/ls
SAML2 Single Sign out URI - https://yourservicename.yourdomainname.com/adfs/ls
To obtain the SAML2 Public Signing Certificate, first download the metadata file from your ADFS server. Modify the link below, replacing "yourservicename.yourdomainname.com" with the URL of your ADFS or ADFS WAP server, and open it in a browser.
https://yourservicename.yourdomainname.com/FederationMetadata/2007-06/FederationMetadata.xml
A FederationMetadata.xml file should download. Open the file and copy the entire value inside the first <X509Certificate> tags. Paste the value into the SAML2 Public Signing Certificate box.
DO NOT check the box to Enable SAML2 yet.
Click Save at the top of the page.
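The steps above pull the signing certificate out of FederationMetadata.xml by hand. The PowerShell below is an added example, not part of the Eduphoria article and not Eduphoria's or Microsoft's own tooling. It downloads the metadata, selects the IdP KeyDescriptor marked use="signing" rather than relying on document position, and confirms that the certificate it found is the farm's primary token-signing certificate before writing the base64 value out for pasting. It assumes it is run on an AD FS server where the ADFS module is available; $adfsHost is a placeholder for your ADFS or ADFS WAP hostname.

```powershell
# Added example (not from the Eduphoria article): extract the AD FS token-signing
# certificate from the federation metadata and check it against the farm.
# Assumption: run on an AD FS server (ADFS module present); $adfsHost is a placeholder.
Import-Module ADFS

$adfsHost    = 'yourservicename.yourdomainname.com'   # placeholder hostname
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# XmlDocument.Load accepts a URL directly and copes with a UTF-8 BOM, which a plain
# [xml] cast of Invoke-WebRequest's .Content does not always do.
$md = New-Object System.Xml.XmlDocument
$md.Load($metadataUrl)

# The PowerShell XML adapter ignores namespace prefixes, so md:/ds: elements are
# reachable by local name. Keep only KeyDescriptors explicitly marked for signing.
$signingDescriptors = $md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' }

if (-not $signingDescriptors) {
    throw "No KeyDescriptor with use='signing' found in $metadataUrl"
}

# During certificate rollover the metadata can list more than one signing cert,
# so decode each one and record its thumbprint.
$candidates = foreach ($kd in $signingDescriptors) {
    $b64  = ($kd.KeyInfo.X509Data.X509Certificate) -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Base64     = $b64
    }
}

# Compare against what the farm is actually signing tokens with right now.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$match   = $candidates | Where-Object { $_.Thumbprint -eq $primary.Thumbprint }

if (-not $match) {
    throw "Metadata signing cert(s) $($candidates.Thumbprint -join ', ') do not match the primary token-signing cert $($primary.Thumbprint)"
}

# Write the base64 body (no PEM header, no line breaks) for pasting into the
# SAML2 Public Signing Certificate box.
Set-Content -Path .\eduphoria-signing-cert.b64 -Value $match.Base64 -NoNewline
$match | Select-Object Thumbprint, Subject, NotAfter
# Note: when AD FS rolls the token-signing certificate (AutoCertificateRollover or a
# manual change), the value pasted into Eduphoria must be updated or sign-in will fail.
```

Compare the printed thumbprint with the one shown under AD FS Management > Service > Certificates > Token-signing; if they differ, the metadata you downloaded is not from the farm you expect.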
ADFS Configuration
In AD FS Management open "Relying Party Trusts". Choose the Action "Add Relying Party Trust...".
On the first screen of the wizard choose "Claims aware" and click Start.
On the next screen, choose "Import data about the relying party online or on a local network". Enter "https://{districtUrl}.schoolobjects.com/AuthHosted/Saml2/Metadata" and click Next >.
For the display name enter "Eduphoria" and click Next >.
On the next screen, limit permissions to only those who should have access to Eduphoria Apps. This should include most or all staff.
Click Next > through the remaining screens and close the wizard.
Configuring Claims
Once complete, right-click on the new Eduphoria Relying Party Trust and choose "Edit Claim Issuance Policy...". In the window that opens, click Add Rule. A new wizard will start.
On the first screen choose Send Claims Using a Custom Rule from the drop-down list, and click Next >.
Give the claim rule a name, for example "AD Claims". Enter the text below as the Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory",
types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
query = ";givenName,sn,mail,objectGUID,sAMAccountName;{0}", param = c.Value);
Your screen should look like the example below.
Finish the wizard, and click OK on the Claims Issuance Policy window.
Back at the Claim Issuance Policy screen, click Add Rule again. A new wizard will start.
On the first screen choose Send Claims Using a Custom Rule from the drop-down list, and click Next >.
Give the claim rule a name, for example "Name ID". Enter the text below as the Custom Rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
Value = c.Value, ValueType = c.ValueType,
Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
Finish the wizard, and click OK on the Claims Issuance Policy window.
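The relying party trust, the access restriction from the "ADFS Configuration" section and the two custom rules above can also be created in one scripted step, which is easier to review and to reproduce on a second farm. The PowerShell below is an added example, not from the Eduphoria article and not Eduphoria's or Microsoft's own script. The two issuance transform rules are exactly the ones the article gives; the issuance authorization rule restricts sign-in to one AD group by SID, which is what "limit permissions to only those who should have access" does in the wizard. It assumes an elevated PowerShell on an AD FS server with the ADFS and ActiveDirectory modules; $districtUrl and the group name 'Eduphoria Staff' are placeholders.

```powershell
# Added example (not from the Eduphoria article): create the Eduphoria relying party
# trust with its authorization and claim rules from PowerShell.
# Assumptions: elevated session on an AD FS server; ADFS and ActiveDirectory modules
# available; $districtUrl and 'Eduphoria Staff' are placeholders to replace.
Import-Module ADFS
Import-Module ActiveDirectory

$districtUrl = 'yourdistrict'     # placeholder: the {districtUrl} part of your address
$metadataUrl = "https://$districtUrl.schoolobjects.com/AuthHosted/Saml2/Metadata"
$staffGroup  = 'Eduphoria Staff'  # placeholder: AD group allowed to sign in

# Rule 1 ("AD Claims"): look the account up in AD and emit the attributes Eduphoria
# matches on. The LDAP attribute order must line up with the claim type order.
$adClaimsRule = @'
@RuleName = "AD Claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = ";givenName,sn,mail,objectGUID,sAMAccountName;{0}", param = c.Value);
'@

# Rule 2 ("Name ID"): turn the e-mail claim into the SAML NameID, emailAddress format.
$nameIdRule = @'
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Authorization: only members of the staff group receive a token for Eduphoria.
# Matching on the group SID rather than its name survives a group rename.
$staffSid  = (Get-ADGroup -Identity $staffGroup).SID.Value
$authzRule = @'
@RuleName = "Permit Eduphoria staff"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "SID_PLACEHOLDER", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$authzRule = $authzRule.Replace('SID_PLACEHOLDER', $staffSid)

# Refuse to clobber an existing trust; use Set-AdfsRelyingPartyTrust to change one.
if (Get-AdfsRelyingPartyTrust -Name 'Eduphoria') {
    throw "A relying party trust named 'Eduphoria' already exists."
}

Add-AdfsRelyingPartyTrust -Name 'Eduphoria' `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules ($adClaimsRule + "`r`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $authzRule

# Read the trust back so the identifier and endpoints imported from the metadata
# can be checked against what Eduphoria published.
Get-AdfsRelyingPartyTrust -Name 'Eduphoria' |
    Select-Object Name, Identifier, MetadataUrl, SignatureAlgorithm, IssuanceTransformRules
```

Passing the authorization rule explicitly matters on Windows Server 2016 and later, where a trust created without either an access control policy or issuance authorization rules does not reflect the staff-only restriction the wizard asks you to choose.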
Supporting Student SSO with SAML
ADFS and SAML can be configured to authenticate students as well as staff members. To authenticate students, you must meet the following requirements and follow these additional steps.
Requirements:
- Students must log in with a username that matches their student ID from the SIS, or that ID must be present in some AD field.
- Students must be in a single group or in a group that contains all groups of students.
If the above requirements are met, one additional claim rule can be added to mark an authenticated account as a student.
Back at the Claim Issuance Policy screen, click Add Rule again. A new wizard will start.
On the first screen choose Send Group Membership as a Claim from the drop-down list, and click Next >.
Give the Rule a name like "Student Group as Role". Select a group that would apply to all students.
Choose Role for the outgoing Claim type. For the outgoing value enter "student".
Finish the wizard, and click OK on the Claims Issuance Policy window.
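The "Send Group Membership as a Claim" wizard generates a single group-SID-to-role rule. The PowerShell below is an added example, not from the Eduphoria article, showing how to append that rule to the existing Eduphoria trust without overwriting the rules already on it, and how to avoid adding it twice. It assumes the trust is named 'Eduphoria', that the ADFS and ActiveDirectory modules are available, and that 'All Students' is a placeholder for the group containing every student.

```powershell
# Added example (not from the Eduphoria article): append the student role rule to the
# Eduphoria relying party trust. Assumptions: trust named 'Eduphoria'; ADFS and
# ActiveDirectory modules available; 'All Students' is a placeholder group name.
Import-Module ADFS
Import-Module ActiveDirectory

$studentGroup = 'All Students'   # placeholder: group that contains every student
$studentSid   = (Get-ADGroup -Identity $studentGroup).SID.Value

# The group membership wizard keys on the group SID, not the name, and copies the
# issuer fields from the incoming groupsid claim.
$roleRule = @'
@RuleName = "Student Group as Role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "SID_PLACEHOLDER", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "student", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@
$roleRule = $roleRule.Replace('SID_PLACEHOLDER', $studentSid)

$rpt = Get-AdfsRelyingPartyTrust -Name 'Eduphoria'
if (-not $rpt) { throw "Relying party trust 'Eduphoria' not found; create it first." }

# IssuanceTransformRules is one string holding every rule; append rather than replace.
if ($rpt.IssuanceTransformRules -match '"Student Group as Role"') {
    Write-Warning "Rule 'Student Group as Role' is already present; nothing changed."
} else {
    Set-AdfsRelyingPartyTrust -TargetName 'Eduphoria' `
        -IssuanceTransformRules ($rpt.IssuanceTransformRules + "`r`n" + $roleRule)
}

# Show the final rule set so the three rules can be checked together.
(Get-AdfsRelyingPartyTrust -Name 'Eduphoria').IssuanceTransformRules
```

Only accounts in the selected group receive the "student" role claim; staff accounts that are not members of that group are unaffected, which is why the group must contain all students and no staff.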
Enable SAML
In Eduphoria, open the Management application, click on Directory Services, select the SAML tab, check the box to Enable SAML2, then click Save at the top.
Your AD FS configuration for Eduphoria should be complete.