Understand how to configure Microsoft’s ADFS SSO for your organization.
The ADFS Authentication application enables you to sign in to School Passport using Microsoft's Active Directory Federation Services (AD FS). AD FS provides single sign-on access to systems and applications across trusted organizations.
Before you begin, make sure you have the following:
- Active Directory Federation Services 2.x, 3.x or 4.x.
- An AD FS federation metadata file accessible over HTTPS, with a certificate signed by a trusted certificate authority.
- The GG4L IP addresses listed below allowed through your firewall.
- A real or test user account for testing. It must be a user whose information already exists in School Passport, because SSO only signs in users that GG4L can match to an existing record.
To set up SSO, you will need to configure AD FS. This involves two areas: the relying party trust and the claim rules.
Step 1: Add GG4L as a relying party trust
- Contact email@example.com to request the metadata link.
- In Server Manager, click Tools > AD FS Management.
- In the Actions section, select Add Relying Party Trust.
- On the Welcome step, select Claims aware (on AD FS versions that offer the choice) and then click Start.
- On the Select Data Source step, select Import data about the relying party published online or on a local network, paste the provided metadata link into Federation metadata address, and then click Next. (Use Import data about the relying party from a file only if GG4L supplied a downloaded metadata file instead of a link.)
- On the Specify Display Name step, in Display name enter "gg4l.com" and then click Next.
- On the Choose Issuance Authorization Rules step, select Permit all users to access this relying party and then click Next. (On AD FS 2016 and later this step is called Choose Access Control Policy; select Permit everyone.)
- On the Ready to Add Trust step, review your settings, and then click Next.
- On the Finish step, click Close.
The "gg4l.com" trust now appears in the list of Relying Party Trusts.
Step 2: Create the claim rules
Claim rules define which attributes AD FS sends to GG4L, so that GG4L can match students and teachers to the correct School Passport accounts when they log in.
- In the AD FS window, expand the Trust Relationships folder, and then select Relying Party Trusts.
- Select GG4L, go to the Actions section on the right, and then select Edit Claim Rules.
- In the Edit Claim Rules window, select the Issuance Transform Rules tab, and then click Add Rule.
- On the Choose Rule Type step, select Send LDAP Attributes as Claims and click Next.
- On the Configure Rule step, enter a claim rule name, set Attribute store to Active Directory, and then under Mapping of LDAP attributes to outgoing claim types select, for each row, the LDAP attribute in your directory that holds the value and the corresponding Outgoing Claim Type (the GG4L field used to match the user) from the drop-down lists. These mappings are what GG4L uses to authenticate the user's login and grant access through GG4L (for example, to Legends of Learning). The following outgoing claim types are required:

| Outgoing Claim Type | Claim type URI |
| --- | --- |
| Name ID* | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
| UPN | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
| Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| Given Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| E-Mail Address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |

*Must be the first mapping.

Here is an example of fully configured claim rules:
In the Edit Claim Rules window, click OK to save the rule.
After completing the AD FS setup, please provide your SAML IDP metadata XML or a download link to the GG4L Customer Support team.
Note: Locate your Metadata URL in your ADFS Management Console by navigating to Service > Endpoints > Metadata > Type: Federation Metadata. The format of the URL should be:
https://<ADFS server name>/federationmetadata/2007-06/FederationMetadata.xml
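The same configuration, scripted with the AD FS PowerShell module, is useful when you have several federation servers or want the trust and claim rules under version control. This is an added example and not GG4L's own script: the metadata URL is a placeholder for the link GG4L support provides, and the LDAP attributes chosen for each claim (userPrincipalName, displayName, givenName, mail) are a typical choice that must be adjusted to whatever your directory actually populates for School Passport matching. The Name ID claim is listed first, as the table above requires.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the primary AD FS server. Equivalent to Steps 1 and 2 above.
Import-Module ADFS

$DisplayName = "gg4l.com"
# ASSUMPTION: placeholder for the metadata link obtained from GG4L support.
$MetadataUrl = "https://<metadata link provided by GG4L support>"

# Step 1: add the relying party trust from the published metadata link.
# The link must be served over HTTPS with a certificate chaining to a trusted CA,
# otherwise the cmdlet fails. Monitoring/auto-update keep the trust in sync when
# GG4L rotates its signing certificate.
if (-not (Get-AdfsRelyingPartyTrust -Name $DisplayName)) {
    Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Step 2: "Send LDAP Attributes as Claims" expressed in claim rule language.
# ASSUMPTION: the LDAP attribute behind each claim (userPrincipalName, displayName,
# givenName, mail) is a typical choice; use the attributes your directory maintains.
# Outgoing claim types are listed in the order the article requires (Name ID first);
# the query lists one LDAP attribute per claim type, in the same order.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "GG4L attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,userPrincipalName,displayName,givenName,mail;{0}",
          param = c.Value);
'@

# Issuance authorization equivalent to "Permit all users to access this relying party".
$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Check the result: the trust exists, is enabled and was last monitored successfully.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Enabled, Identifier, MetadataUrl, LastMonitoredTime

# Export your own federation metadata (the XML GG4L support asks for) and, in the same
# step, confirm it is reachable over HTTPS with a certificate the client trusts;
# Invoke-WebRequest throws if the TLS chain does not validate.
$Fqdn = (Get-AdfsProperties).HostName
$MetadataXml = "https://$Fqdn/federationmetadata/2007-06/FederationMetadata.xml"
Invoke-WebRequest -Uri $MetadataXml -OutFile ".\FederationMetadata.xml"
```

If Get-AdfsRelyingPartyTrust shows Enabled as False or LastMonitoredTime never updates, AD FS could not fetch the GG4L metadata; check the firewall allow-list from the prerequisites before re-running the script.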
Step 3: Activate ADFS SSO in School Passport
- Log in to School Passport and go to Connect.
- Go to Administration > Login Methods.
- Click Add new IdP on the bottom right and choose Microsoft ADFS.
- Click Activate.
Now all users in the organization will be able to log in using the ADFS SSO on the login page.
Login with ADFS
When ADFS SSO is turned on for your district, users whose Active Directory account matches a School Passport user can use the ADFS SSO option on the login page. This option allows them to sign in to School Passport with their Microsoft ADFS credentials instead of a separate School Passport password.