Login Methods
      Back to home
      1. Help Center
      2. SSO
      3. Login Methods

      Login with ADFS

      Understand how to configure Microsoft’s ADFS SSO for your organization.

      In this article

      Requirements

      Сonfiguring ADFS

      Step 1: Add GG4L as a Relying Party Trust

      Step 2: Create the claim rules

      Step 3: Activate login with ADFS in School Passport

      Login with ADFS

      The ADFS Authentication application enables you to sign in to School Passport using Microsoft’s Active Directory Federation Services (ADFS). ADFS provides you with single sign-on access to systems and applications located across trusted organizational units.

      Requirements

      • Active Directory Federation Services 2.x, 3.x or 4.x.
      • Metadata file accessibles over HTTPS with a certificate signed by a valid certificate authority.
      • Whitelisted IP addresses mentioned below in your firewall:

        • 107.23.59.28

        • 52.3.237.162

      • Real or test user account for testing purposes. It should be a user account whose information is already in School Passport.

      Сonfigure ADFS

      To set up SSO, you will need to configure Active Directory. This involves updating two areas: relying party trusts and Claim Rules

      Step 1: Add GG4L as a relying party trust

      1. Contact support@gg4l.com to request the metadata link.

      2. In Server Manager, click Tools AD FS Management.

      3. In the Actions sections, select Add Relying Party Trust.

      4. On the Welcome step, select Claims aware and then click Start.

      5. On the Select Data Source step, select Import data about the relying party from a file, paste the provided metadata link, and then click Next.
        image5

      6. On the Specify Display Name step, in Display name enter "gg4l.com" and then click Next.
        image18

      7. On the Choose Issuance Authorization Rules step, select the Permit all users to access this relying party and then click Next.
        image17

      8. On the Ready to Add Trust step, review the your settings, and then click Next.

      9. On the Finish step, click Close

      The "gg4l.com" now appears in the list of Relying Party Trusts. 

      Step 2: Create the claim rules

      Claim rules define that GG4L matches students and teachers appropriately when they log in.

      1. In the AD FS window, expand the Trust Relationships folder, and then select Relying Party Trusts.

      2. Select GG4L, navigate to the Actions section on the left, and then select Edit Claim Rules.

      3. On the Edit Claim Rules window, select the Issuance Transform Rules tab, and then click Add Rule.
      4. On the Choose Rule Type step, select Send LDAP Attributes as Claims and click Next.
      5. On the Configure Rule step, enter a claim rule name, set Attribute store to Active Directory, and then under Mapping of LDAP attributes to outgoing claim types select the required LDAP Attribute to send and the corresponding Outgoing Claim Type (GG4L field that will be used to match the data in GG4L) types from the drop-down lists. These mappings are crucial for GG4L systems to authenticate the user's login and grant them access to the Legends of Learning through GG4L. The following mappings are required:
        LDAP Attribute  Outgoing Claim Type 

        SAM-Account-Name

        *Must be the first mapping

        		 Name ID
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn UPN 
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Name 
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Given Name
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress E-Mail Address

        Here's an example of fully configured claims rules:
        image6

      6. Click Finish.

      7. In the Edit Claim Rules window, click OK to save the rule.

      8. After completing the AD FS setup, please provide your SAML IDP metadata XML or a download link to the GG4L Customer Support team.

      Note: Locate your Metadata URL in your ADFS Management Console by navigating to Service > Endpoints > Metadata > Type: Federation Metadata. The format of the URL should be:

      https://<ADFS server name>/federationmetadata/2007-06/FederationMetadata.xml

      Step 3: Activate ADFS SSO in School Passport

      1. Log in to the School Passport and go to the Connect.
      2. Go to the Administration > Login Methods.
      3. Click Add new IdP on the bottom right and choose Microsoft ADFS.
        Add Identity Provider
      4. Click Activate

      Now all users in the organization will be able to log in using the  ADFS SSO on the login page.

      Login with ADFS

      Login with ADFS

      When ADFS SSO is turned on for your district, users with valid Microsoft email addresses can use the ADFS SSO on the login page. This option allows them to sign in to School Passport using their Microsoft ADFS credentials.