Single Sign-On
You can now use SSO (Single Sign-On) with Administrate, be it for accessing the Administrate application itself (Core), or to allow your students to login to your Administrate LMS. Administrate uses OpenID Connect, an open standard for SSO authentication.
Activating this feature removes the need for users to remember a separate Administrate username and password, allowing them to log in with a single set of credentials from a service such as:
If there is another service provider you need to use, you’ll need to add and configure them.
Activating Providers
Click on the name of the provider to open the options for activation.
To grant access to the Administrate application via SSO with this provider, click Enabled for Core.
To grant students access to the Administrate LMS via SSO with this provider, click Enabled for LMS.
Google SSO
Google SSO is preconfigured for Administrate so all you need to do is to activate it for Core (the Administrate application itself) and/or the LMS (students’ access). Activating it will grant all valid Google login credentials access to the respective part of Administrate. Once activated, a Login with Google button will appear on the relevant Administrate application login screen, Core or LMS.
When a User first attempts to log in using Google SSO, Google will display the permissions you are granting Administrate. Click Accept to continue using Google SSO, or Cancel if you don’t agree to the permissions.
If the login fails, the User is redirected back to the login screen with the message: No user registered with this email address.
Setting up Azure's SSO
- Log into Azure’s portal (https://portal.azure.com/)
- On the left side bar select Azure Active Directory -> App registrations.
- Click on View all Applications and select the SSO Test one
- If the Application is not there, please create a new one
- If creating a new application, after creating it add the following URLs to <Your application> → Settings → Reply URLs
- Copy the Application ID as you need it when setting up SSO on Administrate
- Once the registered app is selected, click on Settings -> Keys
- In the Passwords section add a new row:
  - Key Description: anything you want
  - Duration: Never expires
  - Value: leave this one blank
- Click on Save; in the Value field of that row you will see a randomly generated string
  - Keep note of that string, you won’t be able to see it once you leave that view
  - This string is the OAuth2 Client Secret that will be required when setting up SSO on Administrate
- Click on Required permissions
  - You should see a table with one row
  - Select that row
  - Enable "Sign in and read user profile"
- Go to Azure Active Directory -> Properties
  - Copy the Directory ID. You will need this ID when setting up SSO on Administrate
Administrate Setup
- From the Control Panel, find Login Configuration
- Click on Create Configuration -> OAuth 2.0
- Fill in the following fields:
  - Name: Azure SSO
  - Redirect URI: https://login.getadministrate.com/oauth2
  - OAuth2 Client ID: the Application ID of the app registered in Azure
  - OAuth2 Client Secret: the randomly generated string that you noted earlier from Azure
  - OAuth2 Auth URI: https://login.microsoftonline.com/<DirectoryID from Azure>/oauth2/authorize
  - OAuth2 Token URI: https://login.microsoftonline.com/<DirectoryID from Azure>/oauth2/token
  - OAuth2 Userinfo URI: https://login.microsoftonline.com/<DirectoryID from Azure>/openid/userinfo
  - Realm: leave empty
  - Scope: openid profile email
  - Disable SSL Certificate Validation: leave unchecked. Checking it turns off verification of the provider’s TLS certificate; only use it for testing, never in production
  - Enable for Core: check
  - Enable for LMS: check
- Click Save
- You should now be able to log out and log back in with SSO
Adding a Different SSO Provider
Administrate uses OpenID Connect, an open standard for SSO authentication. Please ensure that your provider is compatible. In addition to your required provider’s documentation, please also check out the Resources for further information and help.
To add an SSO Provider, click +Add.
Hint
Before trying to find and fill out OAuth2 Auth URI, OAuth2 Token URI and OAuth2 Userinfo URI by hand, try the Lookup issuer function first: it searches for the required information and populates this form with the details where possible. For example, entering accounts.google.com looks up Google’s SSO information and fills in the appropriate fields.
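As an added illustration of what the issuer lookup does, not code from Administrate: the three URIs come from the provider’s OpenID Connect discovery document (`/.well-known/openid-configuration`). This example maps a constructed discovery document onto the form fields above and flags the things worth checking before saving (issuer matches what you asked for, every endpoint is https, the provider supports the scope `openid profile email`). The provider hostnames are made up.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of an OpenID Connect discovery document;
# the hostnames are illustrative, not copied from a live provider.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.example-idp.com",
    "authorization_endpoint": "https://accounts.example-idp.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.example-idp.com/token",
    "userinfo_endpoint": "https://openidconnect.example-idp.com/v1/userinfo",
    "scopes_supported": ["openid", "email", "profile"],
})

REQUIRED_SCOPES = ("openid", "profile", "email")  # the Scope value the form expects
URI_FIELDS = {
    "OAuth2 Auth URI": "authorization_endpoint",
    "OAuth2 Token URI": "token_endpoint",
    "OAuth2 Userinfo URI": "userinfo_endpoint",
}


def discovery_to_form(issuer, document_text):
    """Map a discovery document onto the Login Configuration form fields.

    Returns (fields, problems); 'problems' lists anything an administrator
    should resolve before saving the configuration.
    """
    doc = json.loads(document_text)
    problems = []
    # The document must describe the issuer we asked for; a mismatch means we
    # would be trusting endpoints that belong to a different identity provider.
    expected = issuer if issuer.startswith("https://") else "https://" + issuer
    if doc.get("issuer", "").rstrip("/") != expected.rstrip("/"):
        problems.append("issuer mismatch: %r != %r" % (doc.get("issuer"), expected))
    fields = {name: doc.get(key) for name, key in URI_FIELDS.items()}
    fields["Scope"] = " ".join(REQUIRED_SCOPES)
    for name in URI_FIELDS:
        value = fields[name]
        if not value:
            problems.append("%s missing from discovery document" % name)
        elif urlparse(value).scheme != "https":
            # Tokens and user info travel over this URL; plain http is not acceptable.
            problems.append("%s is not https: %s" % (name, value))
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append("provider does not advertise scopes: %s" % ", ".join(missing))
    return fields, problems
```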
Default Values for Redirect URI
Unless otherwise directed by Administrate Support, use these values for Redirect URI when configuring Single Sign-On:
- Core Configuration: https://identity.getadministrate.com/oauth2/finalize
- LMS Configuration: https://[your-subdomain].administratelms.com/login
Adding a SAML 2.0 provider (TMS only)
You can add a SAML2 SSO provider by selecting the SAML 2.0 option from the Create Configuration dropdown.
You will be presented with the Create SAML 2.0 configuration modal.
This form allows the user to specify how their SAML 2.0 integration will work. The fields presented allow for the following configuration:
| Field | Description |
| --- | --- |
| Name | The name of this provider. It is displayed on the “Log in with <provider>” button that appears on the login page |
| IDP Entity ID | The Entity ID of your existing SAML 2.0 Identity Provider |
| IDP SSO Redirect URL | The Single Sign-On Redirect URL for your Identity Provider. This should already be configured on your Identity Provider |
| IDP Public Certificate | The public part of your SAML 2.0 Identity Provider certificate, entered as text |
| Email URN | The URN of the element in the Assertion from the Identity Provider that specifies where in the Assertion document the user’s email address can be found |
| Signs Authentication Request Message | Whether the Authentication Request messages from Administrate will be signed |
| Signs Metadata | Whether the metadata from Administrate will be signed |
| Signs Messages | Whether the existing Identity Provider signs messages |
| Signs Assertions | Whether the existing Identity Provider signs its Assertions |
| Sends NameID with Response | Whether the existing Identity Provider sends its NameID in its response to Administrate |
| Encrypts NameID | Whether the existing Identity Provider encrypts the NameID it responds with |
| Encrypts Assertions | Whether the existing Identity Provider encrypts its Assertions |
Once you have completed the initial SAML 2.0 configuration, you will need to contact Administrate Customer Support to obtain your Single Sign-On URL and your Audience URI (SP Entity ID). Add these URLs to your SAML 2.0 app to finalize the configuration.
If configured, the SSO SAML 2.0 provider will automatically show up as a login option on your TMS instance.
As with OAuth 2.0 SSO login, a login attempt with SAML 2.0 succeeds only if a trusted Identity Provider asserts the identity of a user whose email address matches a User that has been set up in the Administrate TMS. If there is no User in Administrate with the same email address, SSO login fails and an error explaining this is shown on screen.
Note: The SAML 2.0 SSO functionality is only available for the TMS.
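As an added illustration of how the Email URN field and the email-match rule above fit together (example code, not Administrate’s implementation): the Identity Provider’s assertion is an XML document, the Email URN names the attribute that carries the address, and the login only succeeds when that address belongs to a registered User. The assertion, the attribute URN and the user list are constructed for the example; signature and encryption handling is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with signature elements omitted. The attribute
# name used for email is one commonly seen (the 'mail' OID); your IdP may differ.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.yourtraining.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">rr@yourtraining.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>rr@yourtraining.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Rory</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the Users that have been set up in the TMS.
REGISTERED_USERS = {"rr@yourtraining.com": "Rory R.", "admin@yourtraining.com": "Admin"}


def email_from_assertion(assertion_xml, email_urn):
    """Return the value of the attribute named by the Email URN, or None."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == email_urn:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def resolve_sso_login(assertion_xml, email_urn, users=REGISTERED_USERS):
    """Apply the email-match rule: (True, user) or (False, reason shown on screen).

    Assumption: addresses are compared case-insensitively.
    """
    email = email_from_assertion(assertion_xml, email_urn)
    if email is None:
        return (False, "Assertion carries no attribute named %s" % email_urn)
    user = {k.lower(): v for k, v in users.items()}.get(email.lower())
    if user is None:
        return (False, "No user registered with this email address")
    return (True, user)
```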
FAQ
Frequently Asked Questions about SSO.
I can’t log in through SSO
Check that the User’s email address in Administrate matches the one held by the authentication service. For example, if you log into Administrate via SSO as rr@yourtraining.com but your SSO provider has your email registered as rr@googlemail.com, the login will not work. Make sure both systems hold the same email address.
Resources
Here are some resources for OpenID Connect. Administrate is not responsible for the content or information provided on these resources.
OpenID Connect - The official page of OpenID Connect