How do I set up SAML authentication for my domain?

Note: This document references views and actions that are only available to Echo Administrators.

SAML authentication can be used to establish a secure single sign-on (SSO) connection between Echo and an external identity provider (IdP), for example Google or Clever. Echo supports the use of single sign-on (SSO) features to allow users to sign into one application (for example, a student information system) and be automatically logged into Echo without needing to re-enter credentials. This feature can help eliminate the need for teachers and students to remember multiple credential sets.

Glossary of Terms

Identity provider (IdP): The IdP is used to identify users based on credentials. The IdP provides the login screen interface and presents information about the authenticated user to the SP after successful authentication. Examples: Google Apps, ADFS, PowerSchool.

Metadata: Information about the SP or IdP, often referred to as the SP metadata or IdP metadata. This metadata should be provided in the form of XML and is used to inform each party (SP and IdP) about the settings and URLs of the other.

Security Assertion Markup Language (SAML): An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an IdP and an SP.

Service provider (SP): An SP is a website providing information and other tools to the authenticated user. For these instructions, Echo is the SP.

Single sign-on (SSO): An authentication service that permits a user to use one set of login credentials (e.g., username and password) to access multiple applications.

Setting Up SAML Authentication

For Google-specific instructions, please see this doc: How do I set up a custom SAML application using Google SSO

To set up your SAML authentication:

1. Access the SP (Echo) metadata file using the following URL (replace [INSERT USERSPACE] with your userspace name):

https://api.agilixbuzz.com/SAML/[INSERT USERSPACE]/metadata.xml

2. Go to your IdP and create a new SAML configuration. Each IdP has its own way of configuring and setting up a new SAML configuration, and you may need to consult an expert (or the internet).

3. The IdP will then ask you to either (a) enter, (b) upload, (c) copy and paste, or (d) provide the URL to the SP metadata (see step 1). If providing the URL is an option, use it, as the IdP could then dynamically pull the information from the SP, reducing the need for future changes.

4. Once configured and available in your IdP, download the IdP metadata file.

5. Rename the downloaded IdP metadata file to idp-meta.xml.

6. Complete the SAML steps below (see Enabling SSO in Echo) using the idp-meta.xml file in step three.

7. Attempt to log in to Echo using your new SAML integration.

NOTE: Some IdPs do not allow for their service to be loaded inside of another webpage. If your IdP does not load (e.g., blank screen), you may need to select "Open in new window" when configuring the SAML integration in step 6.

Enabling SSO in Echo

  1. From the domain detail page, select Edit Settings.
  2. Select Integrations.
  3. Open the Authentication type dropdown under Authentication:
    • If you use CAS, provide the CAS server URL.
    • If you use SAML, choose the signature algorithm you want to use and upload the idp-meta XML file. Your SAML provider can tell you which signature algorithm to use; if you can use either, we recommend SHA-256 as it is more secure.
    • If you use Clever, enter the appropriate Clever ID.
    • Domain allows you to point to another domain to use the other domain's SSO configuration. For example, if you configure SAML in a district domain and the same SAML configuration is to be used for each school (because the users in the SAML configuration are all district users), you can point the school domain to use the district's SAML configuration.
  4. Click Save.

Echo is constantly being improved based on the feedback from users and we strive to keep our documentation up to date.  If this document doesn’t match what you are seeing in Echo, please let us know.

Documentation for Prior Interface

Enable users to sign into Echo with their school credentials

Echo supports the use of Single Sign-on (SSO) features to allow users to sign into one application (for example, a student information system) and be automatically logged into Echo without needing to re-enter credentials. This feature can help eliminate the need for teachers and students to remember multiple credential sets.

  1. Open Settings in the Domain toolbar.

Configure SSO
  1. Select Integrations.
  2. Open the Authentication type dropdown under Authentication:
    • If you use CAS, provide the CAS server URL.
    • If you use SAML, choose the signature algorithm you want to use and upload the idp-meta XML file. Your SAML provider can tell you which signature algorithm to use; if you can use either, we recommend SHA-256 as it is more secure.
  3. Click Save.