Note: This document references views and actions that are only available to Echo Administrators
SAML authentication can be used to establish a secure single sign-on (SSO) connection between Echo and an external identity provider (IdP). Example, Google. Echo support the use of Single Sign-on (SSO) features to allow users to sign into one application (for example, a student information system) and be automatically logged into Echo without needing to re-enter credentials. This feature can help eliminate the need for teachers an students to remember multiple credentials sets.
Glossary of Terms
Term | Definition |
---|---|
Identity provider (IdP) | The IdP is used to identify users based on credentials. The IdP provides the login screen interface and presents information about the authenticated user to the SP after successful authentication. Examples: Google Apps, ADFS, PowerSchool |
Metadata |
Information about the SP or IdP, often referred to as the SP metadata or IdP metadata. This metadata should provided in the form of XML and is used to inform each other (SP and IdP) about the settings and URLs of the other. |
Security Assertion Markup Language (SAML) |
An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an IdP and a SP. |
Service provider (SP) |
An SP is a website providing information and other tools to the authenticated user. For these instructions, Echo is the SP. |
Single sign-on (SSO) |
An authentication service that permits a user to use one set of login credentials (e.g., username and password) to access multiple applications. |
How does SAML SSO work?
SAML in Echo is initiated by a user. This is the basic process:
- User selects "Login" from the Echo login webpage.
- NOTE: Echo only supports SP-initiated SSO.
- Echo generates SAML request and redirects the webpage to the IdP.
- IdP receives the SAML request and verifies user. If the user is not already authenticated into the IdP, then the user will be prompted to authenticate.
- IdP sends SAML response to Echo and redirects the webpage to Echo.
- NOTE: Echo requires that the SAML response contains the following attributes:
- Assertion
- NameId (must match the user's Echo username)
- Response
- SessionIndex
- Subject
- Echo receives and verifies SAML response.
- Echo grants user access.
Setting Up SAML Authentication
To set up your SAML authentication: For Google specific please see this doc: How do I set up a custom SAML application using Google SSO
1. Access the SP (Echo) metadata file using the following URL (replace the bold text with your userspace name):
https://api.agilixbuzz.com/SAML/[INSERT USERSPACE]/metadata.xml
2. Go to your IdP and create a new SAML configuration. Each IdP is different in how to configure and setup a new SAML configuration and you may need to consult an expert (or the internet).
3. The IdP will then ask to either (a) enter, (b) upload, (c) copy and paste, or (d) provide the URL to the SP metadata (see step 1). If optional, enter the URL as it could dynamically pull the information into the IdP from the SP, reducing the need for future changes.
4. Once configured and available in your IdP, download the IdP metadata file.
5. Rename the downloaded IdP metadata file to idp-meta.xml .
6. Complete the SAML steps in below using the idp-meta.xml file in step three
7. Attempt to login to Echo using your new SAML integration.
NOTE: Some IdPs do not allow for their service to be loaded inside of another webpage. If your IdP does not load (e.g., blank screen), you may need to select "Open in new window" when configuring the SAML integration in step 6.
Enabling SSO in Echo
- From the Domain detail page, select Domain Settings
- Select Authentication panel.
- Open the Authentication type dropdown:
- If you use CAS, provide the CAS server URL.
- If you use SAML, choose the signature algorithm you want to use and upload the idp-meta XML file. Your SAML provider can tell you which signature algorithm to use; if you can use either, we recommend SHA-256 as it is more secure.
- If you use an integration tool you may be required to enter the appropriate ID
- Domain allows you to point to another domain to use the other domain's SSO configuration. For example, if you configure SAML in a district domain and it is the same SAML to be used for each school (because the users in the SAML is all district users), you can point the school domain to use the districts SAML configuration.
Make sure to select select Open login in a new window
Save
Echo is constantly being improved based on the feedback from users and we strive to keep our documentation up to date. If this document doesn't match what you are seeing in Echo, please let us know.
Comments
0 comments
Please sign in to leave a comment.