EdAlive Central (Schools) - SSO - Azure App Setup Process

 ⚠️ Please make sure to delete any existing EdAlive Central Azure applications before creating a new one.

 

Azure App Setup Process in Summary

  1. Add a New Non-gallery Enterprise Application
  2. Configure the Single sign-on SAML settings as:
    1. Basic SAML Configuration
      1. Identifier (Entity ID)  ->  https://central.edalive.com/api/saml2/metadata
      2. Reply URL (Assertion Consumer Service URL)  ->  https://central.edalive.com/api/saml2/acs
      3. Sign on URL  ->  https://central.edalive.com/auth/login
      4. Relay State  ->  Optional
      5. Logout Url  ->  https://central.edalive.com/api/saml2/sls
    2. User Attributes & Claims
      1. givenname -> user.givenname
      2. surname -> user.surname
      3. emailaddress -> user.mail
      4. name -> user.userprincipalname
      5. Unique User Identifier (Name ID)
        1. ⚠️ Edit the claim, set the identifier format to Persistent.
        2. Source attribute -> user.objectid (recommended) or user.userprincipalname
      6. Add a group claim
        1. All groups
        2. Group ID
    3. Assign Users and Groups access to the EdAlive Central Azure application
    4. Use the Azure SSO Setup Template Email link to send us:
      1. The App Federation Metadata URL:
      2. The teacher group Object Id(s):
      3. The student group Object Id(s):
      4. Each School/campus name and group Object Id (when one Azure account hosts multiple schools/campuses):
      5. Domain name portion of email addresses
        1. Teachers:
        2. Students (if different to teachers):
      6. Sample Student Username:
      7. Sample Student Password:
  3. Wait for us to confirm that setup has been completed on our end.
  4. Test the SAML logins.

Azure App Setup Process in Detail

Use the screenshots below to help you set up a Non-gallery Enterprise Application for EdAlive Central Single Sign On. The images can be clicked to enlarge; then use the magnifying glass in the top right corner to zoom in further.

All of the steps are performed in Microsoft Azure. To begin, log into your administrator account.

Add the EdAlive Central Application

In the Azure Portal, on the left of the screen, click “Enterprise Applications”.
You will see the following page:

Add a new application by clicking the "New application" button near the top of the page.
You will see the following page:

Click the "Non-gallery application" button near the centre of the page.
You will see the following page:

Name the new application “EdAlive Central” and then click “Add” on the bottom of the page.
You will see the following page:

Next, click the “Single sign-on” button on the centre-left of the screen.
You will then see these four options:

Click the “SAML” option.
You will see the following page:

Setup SAML

Firstly, edit the "Basic SAML Configuration" section.
Set the following:
  1. Identifier (Entity ID) -> https://central.edalive.com/api/saml2/metadata
  2. Reply URL (Assertion Consumer Service URL) -> https://central.edalive.com/api/saml2/acs
  3. Sign on URL -> https://central.edalive.com/auth/login
  4. Logout Url -> https://central.edalive.com/api/saml2/sls
After you adjust the settings appropriately, the Basic SAML Configuration box should look like this:

Configure User Attributes

Next, click "Edit" on the "User Attributes & Claims" section.
You will see the following page:

Configure SAML Name ID

Edit the Required Claim "Unique User Identifier (Name ID)".
You will see the following page:
Change the Identifier format from Email Address to Persistent.
For the "Source attribute", you can either set it to "user.objectid" or "user.userprincipalname" (UPN).
We recommend "user.objectid".

Here is some information about both options:
The Name ID value is stored on EdAlive Central user accounts, and is used to identify and match existing EdAlive Central user accounts both during SAML logins and when a school admin account is performing a student SAML import. A student SAML import can be performed for the purposes of provisioning student accounts before their first SAML login, and for organising existing student accounts into their class groups in EdAlive Central.
The disadvantage of using the UPN source attribute is that, being an email address, the UPN could potentially change, such as when a student adopts a new surname. If the Name ID attribute changes, then the link to that user's EdAlive Central user account would be broken. On the other hand, "user.objectid" is persistent for as long as that user account exists in Azure, regardless of changes to other Azure user attributes.
The disadvantage of using the "user.objectid" source attribute is that classroom teachers and non-IT school administrators may not have access to the Azure object IDs of their students, making it more difficult to manage spreadsheets of their students for the purpose of student SAML imports. On the other hand, it may be easier for teachers to manage spreadsheets containing student emails.
When the "Source attribute" has been set, click "Save".

Configure a Group Claim

A group claim identifies whether an account logging in to EdAlive Central for the first time is a teacher or a student.
For Azure SAML setups that serve multiple schools, such as a network of private schools, a group claim will also identify which EdAlive Central school account a user should be a member of.

Returning to the "User Attributes & Claims" page, click "Add a group claim".
You will see the following panel on the right-hand side of the page:
Selecting “All groups” for the first option is the simplest approach.
However, depending on the types of groups used in Azure by individual schools or multi-school networks, it might be sufficient for the purposes outlined above to select a different option which only includes those types of group in the user claims.
Click "Save".
Close the "User Attributes & Claims" page by clicking the "X" in the top right-hand corner.
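The check below is an added example, not EdAlive's or Microsoft's code, that shows what a service provider ends up verifying once the Basic SAML Configuration, the Persistent Name ID and the group claim above are in place: it parses a SAML Response, confirms the Audience is the Entity ID and the Recipient is the Reply URL from this guide, confirms the Name ID format is persistent, confirms the four user attributes are present, and derives the teacher/student role from the group claim. The full claim URIs are Azure AD's defaults for the short names listed in the guide; the group object IDs and the sample Response are constructed for the example, and the code assumes the XML signature has already been verified by your SAML library before the content is inspected.

```python
# Added example (not EdAlive's or Microsoft's code): inspect a SAML Response
# against the settings this guide asks for. Assumes the XML signature has
# already been verified upstream; this only checks the assertion's content.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the guide's Basic SAML Configuration.
ENTITY_ID = "https://central.edalive.com/api/saml2/metadata"
ACS_URL = "https://central.edalive.com/api/saml2/acs"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Azure AD's default claim URIs for the attributes listed in the guide.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = {CLAIMS + n for n in ("givenname", "surname", "emailaddress", "name")}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed group object IDs standing in for the ones a school sends EdAlive.
TEACHER_GROUPS = {"11111111-1111-1111-1111-111111111111"}
STUDENT_GROUPS = {"22222222-2222-2222-2222-222222222222"}


def check_assertion(xml_text, teacher_groups=TEACHER_GROUPS, student_groups=STUDENT_GROUPS):
    """Return (problems, role, name_id); an empty problems list means the response is acceptable."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"], None, None

    # Name ID: the value EdAlive Central keys user accounts on; format must be persistent.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    nid_value = None
    if name_id is None:
        problems.append("missing NameID")
    else:
        nid_value = (name_id.text or "").strip()
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID format is %r, expected persistent" % name_id.get("Format"))

    # Recipient must be the Reply URL (ACS), Audience must be the Entity ID.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not include the Entity ID")

    # Collect attributes; the four user claims from the guide must all be present.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in sorted(REQUIRED_ATTRS - set(attrs)):
        problems.append("missing attribute " + name)

    # Group claim (Group ID values) decides teacher vs student; both or neither is an error.
    groups = set(attrs.get(GROUPS_CLAIM, []))
    is_teacher, is_student = bool(groups & teacher_groups), bool(groups & student_groups)
    role = None
    if is_teacher and is_student:
        problems.append("user is in both teacher and student groups")
    elif is_teacher:
        role = "teacher"
    elif is_student:
        role = "student"
    else:
        problems.append("user is in neither teacher nor student group")
    return problems, role, nid_value


# Constructed sample Response (not a real Azure capture) for a student using user.objectid as Name ID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://central.edalive.com/api/saml2/acs">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">33333333-3333-3333-3333-333333333333</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://central.edalive.com/api/saml2/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://central.edalive.com/api/saml2/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Sam</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>sam@students.example.edu</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>sam@students.example.edu</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same Response with the Name ID left at Azure's default emailAddress format: the guide's warning case.
EMAIL_NAMEID_RESPONSE = SAMPLE_RESPONSE.replace(PERSISTENT, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")

if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE))        # ([], 'student', '33333333-...')
    print(check_assertion(EMAIL_NAMEID_RESPONSE))  # one NameID format problem reported
```

Running the block on the constructed sample reports no problems and a student role; the emailAddress variant reports only the Name ID format problem, which is the mismatch a service provider sees when the "set the identifier format to Persistent" step above is skipped.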

Federation Metadata URL

Copy the App Federation Metadata URL in section "3 - SAML Signing Certificate", which will need to be sent to EdAlive to complete the SAML setup for your school in EdAlive Central.
 

Assign Users and Groups to the EdAlive Central application

To allow the school's Azure user accounts to access the EdAlive Central application, they will need to be assigned to it.
Click the "Users and groups" button in the left-hand menu, and then click "Add user/group".
Assign the users and groups.

Send EdAlive the Azure SSO Setup Information

  1. The App Federation Metadata URL:

  2. The teacher group Object Id(s):

  3. Each School/campus name and group Object Id (when one Azure account hosts multiple schools/campuses):

  4. Domain name portion of email addresses

    1. Teachers:

    2. Students (if different to teachers):

  5. Sample Student Username:

  6. Sample Student Password:

Wait for EdAlive staff to reply and confirm that your Azure SAML Setup has been completed.

Test the SAML Logins

Click the "Single sign-on" button in the left-hand menu.
In section "5 - Test single sign-on with EdAlive Central", click the "Test" button, and follow the prompts to test the SAML login process.

This completes the application setup.

      Download the PDF Guide