**IMPORTANT** Activating SAML authentication will prevent users from logging in with a Schoolobjects account. If you activate SAML with errors in the configuration, you will need to contact the Eduphoria support team to disable SAML, because you will no longer be able to log in. Let Eduphoria's support team know when your district is making the configuration change so they can be on standby.
NOTE: SAML authentication does not support e-signatures at this time.
SAML authentication is optional and is hidden by default. Email email@example.com to enable the SAML configuration tab.
The following instructions are intended to assist you in setting up F5 as an IDP for logging into Eduphoria with SAML2. This article represents the settings customers have used in their environment to make a successful connection. Some information or screens may look different for your F5 implementation.
From the home screen in Schoolobjects, click the Management icon.
Click on Directory Services in the left pane.
Click on the SAML tab.
Below are examples of what the SAML2 Single Sign in URI and SAML2 Single Sign out URI should look like. Change the beginning of these URLs to match your F5 URL configuration.
SAML2 Single Sign in URI - https://yourservicename.yourdomainname.com/saml/idp/profile/redirectorpost/sso
SAML2 Single Sign out URI - https://yourservicename.yourdomainname.com/saml/idp/profile/redirect/sls
To acquire the SAML2 Public Signing Certificate, download the metadata XML file for the F5 SAML connection. Open the file and copy the entire value within the first <X509Certificate> tags. Paste the value into the SAML2 Public Signing Certificate box.
DO NOT check the Enable SAML2 box yet. Click Save at the top of the page.
Edit IdP Service - General Settings
The IdP Entity ID should look like "https://YourF5URL/idp". Replace YourF5URL with the actual URL of your F5 and make sure "https://" is present at the front of the URL.
Add a useful description such as "Eduphoria Hosted".
Edit IdP Service - SAML Profiles
Check the box for "Web Browser SSO".
Edit IdP Service - Endpoint Settings
There should not be a value selected under "Artifact Resolution Service".
Edit IdP Service - Assertion Settings
Assertion Subject Type should be "Email Address".
Assertion Subject Value should look like the image above and be "userPrincipalName"; "samAccountName" may also work here but has not been tested.
Authentication Context Class Reference should match the image above.
Edit IdP Service - SAML Attributes
The SAML Attributes should be emailaddress > mail, givenname > givenName, privatepersonalidentifier > objectGUID, and surname > sn.
You must include "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/" in the Name field before the attribute name as pictured above.
Edit IdP Service - Security Settings
Select an appropriate Signing Key (".key") and the matching Signing Certificate (".crt").
You must complete this step before exporting the metadata XML file mentioned above.
Edit SAML SP Connector - General Settings
The SP Entity ID should be "urn:eduphoria.schoolobjects.web".
Edit SAML SP Connector - Endpoint Settings
The Relay State and Location URL will be your Schoolobjects district URL followed by /AuthHosted/Saml2/AssertionConsumerService, for example "https://district.schoolobjects.com/AuthHosted/Saml2/AssertionConsumerService".
Contact our support team at firstname.lastname@example.org if you are unsure what your Schoolobjects district URL is.
Edit SAML SP Connector - Security Settings
The Signing Certificate drop-down should already be populated with the selection you made on the Edit IdP Service - Security Settings screen.
Check the box for "Response must be signed".
In the Signing Algorithm drop-down, select the algorithm appropriate for the certificate you are using. If you are using a publicly valid SSL certificate purchased from a trusted source, this should be RSA-SHA256.
In the Encryption Certificate drop-down, select the appropriate certificate based on what you selected on the Edit IdP Service - Security Settings screen.
Edit SAML SP Connector - SLO Service Settings
The "Single Logout Request URL" and "Single Logout Response URL" boxes on this page should be blank.
The "Single Logout Binding" drop-down should have POST selected.
At this point you are ready to enable SAML2 within Schoolobjects and test the connection. In Schoolobjects, open the Management application, click on Directory Services, select the SAML tab, check the box to Enable SAML2, then click Save at the top.
Your F5 configuration for Eduphoria should now be complete. To test it, go to your district Schoolobjects URL (e.g. "https://district.schoolobjects.com"). You should be redirected to F5 to log in, then taken to your Applications Home page within Schoolobjects to select an application.
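Because a mistake in this configuration locks you out until support disables SAML, it is worth checking the values before you tick Enable SAML2. The Python script below is an added example, not part of this article or of Eduphoria's or F5's software: it reads an F5 IdP metadata export, pulls out the values the SAML tab asks for (Entity ID, Single Sign in/out URIs, first X509Certificate), and flags anything that does not match the shapes given above. The metadata sample is constructed, using the placeholder hostname from the examples in this article.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata (the F5 export is standard metadata).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample F5 IdP metadata; hostname and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://yourservicename.yourdomainname.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIC0DCCAbgCCQDPLACEHOLDERCERTBASE64
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://yourservicename.yourdomainname.com/saml/idp/profile/redirect/sls"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://yourservicename.yourdomainname.com/saml/idp/profile/redirectorpost/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml):
    """Pull the values the Schoolobjects SAML tab asks for out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    # The first <X509Certificate> in the file is the signing certificate to paste.
    cert = root.find(".//ds:X509Certificate", NS)
    sso = root.find(".//md:SingleSignOnService", NS)
    slo = root.find(".//md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID") or "",
        # Drop line breaks so the value pastes cleanly into a single text box.
        "signing_cert": "".join(cert.text.split()) if cert is not None else "",
        "sso_url": sso.get("Location", "") if sso is not None else "",
        "slo_url": slo.get("Location", "") if slo is not None else "",
    }

def preflight_check(s):
    """List configuration problems; an empty list means the values match this article."""
    problems = []
    if not (s["entity_id"].startswith("https://") and s["entity_id"].endswith("/idp")):
        problems.append("IdP Entity ID must look like https://YourF5URL/idp")
    if not s["sso_url"].endswith("/saml/idp/profile/redirectorpost/sso"):
        problems.append("SAML2 Single Sign in URI has an unexpected path")
    if not s["slo_url"].endswith("/saml/idp/profile/redirect/sls"):
        problems.append("SAML2 Single Sign out URI has an unexpected path")
    if not s["signing_cert"]:
        problems.append("no <X509Certificate> in metadata; finish Security Settings and re-export")
    return problems
```

Run `preflight_check(extract_idp_settings(open("f5-idp-metadata.xml").read()))` against your own export; only enable SAML2 once the list comes back empty.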