I. Information About Our Service Provider (SP)
Use the following details to configure our application as a trusted Service Provider within your Identity Provider system.
SP Metadata URL:
https://sia-sso.azurewebsites.net/Saml2
This URL contains all our SP configuration data, including the Entity ID and Assertion Consumer Service URL. Using this metadata URL is often the easiest way to configure your IdP.
SP Entity ID:
https://sia-sso.azurewebsites.net/Saml2
This is the unique identifier for our service.
Assertion Consumer Service (ACS) URL (Reply URL):
https://sia-sso.azurewebsites.net/Saml2/Acs
This is the endpoint where your IdP will send SAML assertions.
ACS URL Bindings Supported:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
NameID Format:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Your IdP must support sending the NameID in this email address format, typically within the assertion's Subject. We also support urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress.
Required Attributes (Claims): Your IdP must be configured to send the following attributes in the SAML assertion. Please ensure the attribute names (Claim Types) match. Attribute values for roles are case-sensitive.
| Claim Type (Attribute Name) | Description | Optional | Expected NameFormat (Example) |
| | User’s email address | No | |
| | User’s first name | No | |
| | User’s last name | No | |
| | User’s role (for access) | Yes | |
II. Information We Need From Your Identity Provider (IdP)
To add your Identity Provider (IdP) to our system, please provide us with the following information. Supplying your IdP Metadata URL is the preferred method as it typically contains all the necessary details.
IdP Metadata URL (Preferred)
If you provide this URL, you may not need to provide the individual items below unless we specifically request them.
IdP Entity ID
Single Sign-On (SSO) URL (also called Login URL)
SSO URL Binding (e.g., HTTP-POST, HTTP-Redirect)
SAML Signing Certificate (Public Key):
Please provide your IdP's X.509 signing certificate. This is used by our system to verify the signature of the SAML assertions sent by your IdP.
Accepted formats:
.cer, .pem, or the certificate embedded within your IdP Metadata XML.
Attribute Mapping Confirmation (If Necessary):
If your IdP uses different attribute names (Claim Types) for the required information (email, first name, last name, role) than those listed in Section I, please provide a mapping.
III. Role Mapping (Optional)
If you will be sending the "Role" claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/role), please provide a list of the possible role values your IdP can send and how they should be mapped to roles within our system. Please note that role values sent from your IdP are case-sensitive. The accepted roles in our system are:
Administrator
Teacher
Staff
Parent/Guardian
Student
Other
For more information on what each role has access to, please visit our Roles & Permissions Overview page.
Example:
Your IdP Role Value: Faculty_Staff_Admin -> Edlio Role: Administrator
Your IdP Role Value: Student_Current -> Edlio Role: Student
Your Role Mappings:
[Your IdP Role Value] -> [Corresponding Edlio Role]
[Your IdP Role Value] -> [Corresponding Edlio Role]
(Add more lines as needed)
Default Role:
Other
This role will be assigned to any user for whom a role is not explicitly mapped or if the role claim is not provided by your IdP.
IV. Testing the Connection
After the SAML 2.0 connection details have been exchanged and configured on both sides, we will reach out to you. You can then attempt to log in to verify the connection.
V. Support & Troubleshooting
If you encounter any issues during the SAML configuration or have any questions, please contact our support team.
Common Troubleshooting Tips:
Clock Skew: Ensure that the system clocks on your IdP server and our servers are synchronized. SAML assertions are time-sensitive.
Certificate Issues: Verify that the correct IdP signing certificate has been provided to us and is not expired.
ACS URL Mismatch: Double-check that the Assertion Consumer Service (ACS) URL configured in your IdP exactly matches the one provided in Section I.
Entity ID Mismatch: Ensure the Entity IDs for both the SP and IdP are correctly configured on both sides.
Attribute Release: Confirm that your IdP is configured to release all required attributes (claims) as specified in Section I.
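Before contacting support, an IdP administrator can run a decoded assertion from a test login through the checks listed above. The Python script below is an added example, not Edlio's code: it checks the NameID format, ACS URL, SP Entity ID and validity window from Section I, then applies the case-sensitive role mapping from Section III. The function names, the 3-minute skew tolerance, the first-match rule for multiple role values and the sample assertion are assumptions made for illustration, and the script does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sia-sso.azurewebsites.net/Saml2"
ACS_URL = "https://sia-sso.azurewebsites.net/Saml2/Acs"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                  "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"}
SKEW = timedelta(minutes=3)  # assumed tolerance; the page states no value

def _in_window(cond, now):
    """True if now falls inside Conditions NotBefore/NotOnOrAfter, allowing SKEW."""
    try:
        start, end = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00"))
                      for k in ("NotBefore", "NotOnOrAfter"))
    except (AttributeError, ValueError):
        return False  # Conditions missing or timestamps unparsable
    return start - SKEW <= now < end + SKEW

def check_assertion(xml_text, role_map, now):
    """Return (problems, edlio_role). Diagnostic only: no signature verification."""
    a, problems = ET.fromstring(xml_text), []
    nameid = a.find("s:Subject/s:NameID", NS)
    if nameid is None or nameid.get("Format") not in NAMEID_FORMATS:
        problems.append("NameID format")
    scd = a.find("s:Subject/s:SubjectConfirmation/s:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:  # exact string match
        problems.append("ACS URL mismatch")
    if a.findtext("s:Conditions/s:AudienceRestriction/s:Audience", namespaces=NS) != SP_ENTITY_ID:
        problems.append("Entity ID mismatch")
    if not _in_window(a.find("s:Conditions", NS), now):
        problems.append("clock skew or expired")
    roles = [v.text for at in a.findall("s:AttributeStatement/s:Attribute", NS)
             if at.get("Name") == ROLE_CLAIM for v in at.findall("s:AttributeValue", NS)]
    mapped = [role_map[r] for r in roles if r in role_map]  # case-sensitive lookup
    return problems, (mapped[0] if mapped else "Other")  # first match: assumption

# Constructed sample assertion (not real IdP output): wrong-case ACS path and role.
SAMPLE = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">t@example.org</NameID>
<SubjectConfirmation><SubjectConfirmationData Recipient="https://sia-sso.azurewebsites.net/Saml2/acs"/></SubjectConfirmation></Subject>
<Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
<AudienceRestriction><Audience>https://sia-sso.azurewebsites.net/Saml2</Audience></AudienceRestriction></Conditions>
<AttributeStatement><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
<AttributeValue>student_current</AttributeValue></Attribute></AttributeStatement></Assertion>"""
ROLE_MAP = {"Faculty_Staff_Admin": "Administrator", "Student_Current": "Student"}
if __name__ == "__main__":
    print(check_assertion(SAMPLE, ROLE_MAP, datetime(2024, 1, 1, 10, 2, tzinfo=timezone.utc)))
```

In the sample, the lowercase `/acs` path is reported as an ACS URL mismatch and the lowercase role value falls through to the default role `Other`, which is the silent failure the case-sensitivity note warns about.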