Product Developers: Single Sign-On and Authentication

GG4L School Passport can act as an IdP for your Application. The main scenarios are:

  • Publishing a <Login with XYZ> button on the login screen of your Application: In this case, users initiate SSO by clicking the button on the login screen of your Application, and GG4L federates authentication regardless of the authentication provider that the customer is using (including Active Directory, AD FS, G Suite, LMS or SIS systems, etc.).
  • SSO from School Passport / LMS / SIS etc. into your Application: In this case, users initiate SSO from outside of your Application, and GG4L performs SSO based on the technology that you selected.

The supported SSO mechanisms are:

OAuth-based SSO

It is based on the OAuth 2.0 API and is similar to industry-standard implementations from other companies.

Reach out to connectors@gg4l.com and request a test account for implementing OAuth-based SSO. You will be provided with a user’s credentials (username and password) and API credentials (Base URL, Client ID and Secret Key).

  • SSO can be initiated with the following URL (use your Client ID, and the URL of your Application as redirect_uri):
https://sso.gg4l.com/oauth/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}
  • In response to the initial HTTP GET request, you will receive a “code” at the “redirect_uri”, according to the Authorization request.
  • This “code” can be used to obtain an OAuth token (server-to-server API call), according to the Access token request:
https://sso.gg4l.com/oauth/token?grant_type=authorization_code&code={code}

Finally, you can read the basic profile of a user as described here.

We suggest using email addresses to identify users (SIS IDs and GUIDs are available as well).

SAML-based SSO

The supported version is SAML 2.0. Both IdP- and SP-initiated workflows are available.

SAML metadata can be downloaded from the following link.

Reach out to connectors@gg4l.com and provide the following information for SAML:

  • File or URL of SP metadata
  • Confirm SSO initiation type (IdP- or SP-initiated)
  • Confirm the desired NameID format
  • List any additional SAML attributes to include in the assertion
  • Create a test account in your Application and provide its details

Once the email is sent, the GG4L Team will set up the integration and get back to you with confirmation.

LTI-based SSO

SSO works based on the LTI v1.0 basic-lti-launch-request.

GG4L will send the following sample parameters (plus any additional ones required by your Application):

    lti_version=LTI-1p0
    lti_message_type=basic-lti-launch-request
    user_id=ZYX
    oauth_consumer_key=XYZ
    oauth_signature_method=HMAC-SHA1
    oauth_timestamp=1244834250
    oauth_nonce=1244834250435893000
    oauth_version=1.0
    oauth_signature=Xddn2A%2BjzwjgBIVYkvigaKxCdcc%3D
    oauth_callback=about:blank

Reach out to connectors@gg4l.com and provide the following information for LTI:

  • Application URL (URL on your end for receiving LTI messages)
  • OAuth credentials (Client ID and Secret Key that will be used for signing messages)
  • The details of a test account (including all attributes that need to be included)

Once the email is sent, the GG4L Team will set up the integration and get back to you with confirmation.
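
On the receiving side, your Application has to validate each launch before trusting user_id. The following Python code is an added example, not GG4L's or the original page's code: it recomputes the OAuth 1.0 HMAC-SHA1 signature over the launch parameters listed above, then rejects stale timestamps and replayed nonces. Assumptions: parameters arrive as an already-decoded, single-valued dict, the launch URL has no query string, and the 300-second window, the in-memory nonce set and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

MAX_SKEW = 300        # assumed freshness window in seconds, not a GG4L value
SEEN_NONCES = set()   # in production: a shared store with expiry
REQUIRED = {"lti_version": "LTI-1p0", "oauth_signature_method": "HMAC-SHA1",
            "lti_message_type": "basic-lti-launch-request"}

def _enc(value):
    # OAuth 1.0 percent-encoding: keep only RFC 3986 unreserved characters
    return quote(str(value), safe="-._~")

def sign_launch(method, url, params, secret):
    """OAuth 1.0 HMAC-SHA1 signature over the decoded launch parameters."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = (_enc(secret) + "&").encode()  # token secret is empty in an LTI launch
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify_launch(method, url, params, secrets, now=None):
    """Return (ok, reason) for the decoded POST parameters of a launch."""
    for name, want in REQUIRED.items():
        if params.get(name) != want:
            return False, f"unexpected {name}"
    secret = secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False, "unknown consumer key"
    try:
        age = abs((time.time() if now is None else now) - int(params["oauth_timestamp"]))
    except (KeyError, TypeError, ValueError):
        return False, "bad timestamp"
    if age > MAX_SKEW:
        return False, "stale timestamp"
    given = str(params.get("oauth_signature", "")).encode()
    if not hmac.compare_digest(sign_launch(method, url, params, secret).encode(), given):
        return False, "signature mismatch"
    nonce = (params["oauth_consumer_key"], params.get("oauth_nonce"))
    if nonce in SEEN_NONCES:  # recorded only after the signature is proven valid
        return False, "replayed nonce"
    SEEN_NONCES.add(nonce)
    return True, "ok"

if __name__ == "__main__":  # constructed demo values, not real GG4L credentials
    p = dict(REQUIRED, oauth_consumer_key="XYZ", oauth_nonce="n1", oauth_timestamp=str(int(time.time())))
    p["oauth_signature"] = sign_launch("POST", "https://app.example/lti", p, "s3cret")
    print(verify_launch("POST", "https://app.example/lti", p, {"XYZ": "s3cret"}))
```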

Password Vault SSO

Use this SSO mechanism only if none of the standards-based SSO technologies listed above are supported by your Application. It is the most primitive mechanism and is less secure than the standards-based options. It is based on password injection / HTTP form submission and requires sending the user’s password via HTTPS.

In order to set it up, reach out to connectors@gg4l.com and provide the following information:

  • Login page of your Application
  • Username and Password of a test account
  • Any additional information that is needed for logging in to your Application.

The GG4L Team will develop an SSO Connector and get back to you with confirmation.