Login with ADFS

Understand how to configure Microsoft’s ADFS SSO for your organization.

In this article


Сonfiguring ADFS

Step 1: Add GG4L as a Relying Party Trust

Step 2: Create the claim rules

Step 3: Activate login with ADFS in School Passport

Login with ADFS

The ADFS Authentication application enables you to sign in to School Passport using Microsoft’s Active Directory Federation Services (ADFS). ADFS provides you with single sign-on access to systems and applications located across trusted organizational units.


  • Active Directory Federation Services 2.x, 3.x or 4.x.
  • Metadata file accessibles over HTTPS with a certificate signed by a valid certificate authority.
  • Whitelisted IP addresses mentioned below in your firewall:


  • Real or test user account for testing purposes. It should be a user account whose information is already in School Passport.

Сonfigure ADFS

To set up SSO, you will need to configure Active Directory. This involves updating two areas: relying party trusts and Claim Rules

Step 1: Add GG4L as a relying party trust

  1. Contact support@gg4l.com to request the metadata link.
  2. In Server Manager, click Tools AD FS Management.

  3. In the Actions sections, select Add Relying Party Trust.

  4. On the Welcome step, select Claims aware and then click Start.
  5. On the Select Data Source step, select Import data about the relying party from a file, paste the provided metadata link, and then click Next.

  6. On the Specify Display Name step, in Display name enter "gg4l.com" and then click Next.

  7. On the Choose Issuance Authorization Rules step, select the Permit all users to access this relying party and then click Next.

  8. On the Ready to Add Trust step, review the your settings, and then click Next.
  9. On the Finish step, click Close

The "gg4l.com" now appears in the list of Relying Party Trusts. 

Step 2: Create the claim rules

Claim rules define that GG4L matches students and teachers appropriately when they log in.

  1. In the AD FS window, expand the Trust Relationships folder, and then select Relying Party Trusts.

  2. Select GG4L, navigate to the Actions section on the left, and then select Edit Claim Rules.

  3. On the Edit Claim Rules window, select the Issuance Transform Rules tab, and then click Add Rule.
  4. On the Choose Rule Type step, select Send LDAP Attributes as Claims and click Next.
  5. On the Configure Rule step, enter a claim rule name, set Attribute store to Active Directory, and then under Mapping of LDAP attributes to outgoing claim types select the required LDAP Attribute to send and the corresponding Outgoing Claim Type (GG4L field that will be used to match the data in GG4L) types from the drop-down lists. These mappings are crucial for GG4L systems to authenticate the user's login and grant them access to the Legends of Learning through GG4L. The following mappings are required:
    LDAP Attribute  Outgoing Claim Type 


    *Must be the first mapping

    Name ID
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn UPN 
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Name 
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Given Name
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress E-Mail Address

    Here's an example of fully configured claims rules:

  6. Click Finish.

  7. In the Edit Claim Rules window, click OK to save the rule.

  8. After completing the AD FS setup, please provide your SAML IDP metadata XML or a download link to the GG4L Customer Support team

Note: Locate your Metadata URL in your ADFS Management Console by navigating to Service > Endpoints > Metadata > Type: Federation Metadata. The format of the URL should be:

https://<ADFS server name>/federationmetadata/2007-06/FederationMetadata.xml

Step 3: Activate ADFS SSO in School Passport

  1. Log in to the School Passport and go to the Connect.
  2. Go to the Administration > Login Methods.
  3. Click Add new IdP on the bottom right and choose Microsoft ADFS.
    Add Identity Provider
  4. Click Activate

Now all users in the organization will be able to log in using the  ADFS SSO on the login page.

Login with ADFS

Login with ADFS

When ADFS SSO is turned on for your district, users with valid Microsoft email addresses can use the ADFS SSO on the login page. This option allows them to sign in to School Passport using their Microsoft ADFS credentials.