This feature authenticates users with the SAML protocol for single sign-on (SSO). It simplifies password management, increases security, and lets students log into AccuCampus from a single college portal rather than a separate web page/URL. This article explains how to set it up.
Prior knowledge of Identity Provider (IdP) systems is required for this article.
Configuring the IdP/SAML Server
To configure an Identity Provider (IdP), the AccuCampus SAML Metadata XML is required. It can be created from this XML code:
<md:SPSSODescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">Engineerica Systems</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">Engineerica Systems Inc.</md:OrganizationDisplayName>
  </md:Organization>
</md:SPSSODescriptor>
1. Start by copying all the metadata from the code above into Notepad. Replace the highlighted values with (1) your domain (instead of mycollege) and (2) the key given to you by your account support rep (a button to provide this account key is planned for a future release). You now have your SAML Metadata file; save the updated code as an XML file to be loaded into your IdP.
2. Next, upload the XML file to your IdP authentication server.
3. Set the IdP up to send the user's email address (which AccuCampus uses to identify the user) as the NameID under the Subject tag.
It's important to note that the email is not sent as a SAML Attribute; it is sent as the NameID element, which is defined under the Subject node/tag in the XML.
The resulting SAML authentication message should match the numbered sequence shown in the code in the following image.
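As an added example that is not part of this article or of AccuCampus, the following PowerShell function performs the service-provider side of the checks that steps 1 to 3 rely on: it reads the email from Subject/NameID (not from an AttributeStatement), confirms the NameID format, rejects an assertion outside its validity window or addressed to another audience, and flags an unsigned assertion, since the metadata above sets WantAssertionsSigned="true". The SAML Response it runs against is a constructed, unsigned sample; the adfs.mycollege.edu issuer and the urn:placeholder audience stand in for your IdP and your SP entityID.

```powershell
# Added example (not AccuCampus/Engineerica code): the checks a service provider runs on an
# incoming SAML Response before trusting the email in Subject/NameID.
function Test-SamlSubject {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,
        [Parameter(Mandatory)][string]$ExpectedAudience,   # your SP entityID
        [datetimeoffset]$Now = [datetimeoffset]::UtcNow
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null                      # no DTD/external entity resolution on untrusted XML
    $doc.LoadXml($ResponseXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $email = $null
    $inv = [cultureinfo]::InvariantCulture

    $assertion = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) {
        $problems.Add('no plain Assertion element (an EncryptedAssertion must be decrypted first)')
    }
    else {
        # The email has to arrive as Subject/NameID, not as an Attribute in an AttributeStatement.
        $nameId = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns)
        if (-not $nameId) {
            $problems.Add('Subject/NameID is missing')
            if ($assertion.SelectSingleNode("saml:AttributeStatement/saml:Attribute[contains(@Name,'mail')]", $ns)) {
                $problems.Add('email was sent as an Attribute; send it as the NameID under Subject instead')
            }
        }
        else {
            $email = $nameId.InnerText
            if ($nameId.GetAttribute('Format') -ne 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') {
                $problems.Add("NameID Format is '$($nameId.GetAttribute('Format'))', expected the emailAddress format")
            }
        }

        # Replay and audience checks: the assertion must be current and addressed to this SP.
        $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
        if (-not $cond) { $problems.Add('no Conditions element') }
        else {
            if ($cond.HasAttribute('NotBefore') -and $Now -lt [datetimeoffset]::Parse($cond.GetAttribute('NotBefore'), $inv)) {
                $problems.Add('assertion is not yet valid (NotBefore)')
            }
            if (-not $cond.HasAttribute('NotOnOrAfter') -or $Now -ge [datetimeoffset]::Parse($cond.GetAttribute('NotOnOrAfter'), $inv)) {
                $problems.Add('assertion has no NotOnOrAfter or has expired')
            }
            $aud = $cond.SelectSingleNode('saml:AudienceRestriction/saml:Audience', $ns)
            if (-not $aud -or $aud.InnerText -ne $ExpectedAudience) { $problems.Add('Audience does not match this SP entityID') }
        }

        # The SP metadata says WantAssertionsSigned="true": an unsigned assertion must be rejected.
        if (-not $assertion.SelectSingleNode('ds:Signature', $ns)) {
            $problems.Add('Assertion carries no ds:Signature; verify the signature against the IdP certificate before trusting NameID')
        }
    }

    [pscustomobject]@{ NameID = $email; Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed, unsigned sample response; issuer and audience values are placeholders.
$sampleResponse = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://adfs.mycollege.edu/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://adfs.mycollege.edu/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">firstname.lastname@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:placeholder:accucampus-sp-entityid</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@

Test-SamlSubject -ResponseXml $sampleResponse -ExpectedAudience 'urn:placeholder:accucampus-sp-entityid' `
                 -Now ([datetimeoffset]::Parse('2024-01-01T12:00:30Z', [cultureinfo]::InvariantCulture)) | Format-List
```

The sample is deliberately left unsigned so the signature check is the one that fires; in production the ds:Signature must also be cryptographically verified against the IdP certificate entered in the AccuCampus settings, which this function does not attempt.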
Configuring Active Directory Federation Services (ADFS)
To send the NameID in the Subject tag:
1. Go to AD FS Management and navigate to Trust Relationships > Claims Provider Trusts, then right-click on the provider and select Edit Claim Rules.
2. Click the Add Rule button and add the "employee email" rule.
3. Send the LDAP attribute as a claim by creating a rule of type "Send LDAP Attributes as Claims." Choose the AD attribute to authenticate with, for example the employee email.
4. Finally, add a second rule that transforms the email claim into the NameID sent in the Subject.
For more information, watch the following video.
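The four steps above expressed in the AD FS claim rule language and applied with the AD FS PowerShell module, as an added example that is not Engineerica's or Microsoft's code. It attaches the two rules as issuance transform rules on a relying party trust named AccuCampus, which is where AD FS decides what to send to a given service provider; the trust name and the metadata file path are assumptions, and the two rule texts are the same ones the Edit Claim Rules wizard generates for "Send LDAP Attributes as Claims" and "Transform an Incoming Claim".

```powershell
# Added example (not AccuCampus/Engineerica code). Trust name and file path are assumptions.
Import-Module ADFS

# Step 2 of the IdP setup: register the SP metadata generated earlier (path is a placeholder).
# Skipped if the trust was already created in AD FS Management.
if (-not (Get-AdfsRelyingPartyTrust -Name 'AccuCampus')) {
    Add-AdfsRelyingPartyTrust -Name 'AccuCampus' -MetadataFile 'C:\sso\accucampus-metadata.xml'
}

$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Employee Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# This replaces the trust's whole issuance rule set; append to the existing
# IssuanceTransformRules instead if other rules on the trust must stay.
Set-AdfsRelyingPartyTrust -TargetName 'AccuCampus' -IssuanceTransformRules $rules

# Review the result: the nameidentifier claim with the emailAddress format becomes Subject/NameID.
(Get-AdfsRelyingPartyTrust -Name 'AccuCampus').IssuanceTransformRules
```

The first rule pulls the mail attribute from Active Directory for the authenticated Windows account; the second maps that email claim onto the nameidentifier claim type and sets the SAML NameID format property, which is what makes AD FS place the value in Subject/NameID rather than in the AttributeStatement.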
SAML Single Sign-On Setup in AccuCampus
To set up SAML SSO, go to Advanced Options > Settings > Account Settings > Single Sign-On.
Read carefully over the items on this page and complete the required fields using the explanations given below.
AccuCampus - SAML SSO Settings
Enabled - Simply check this option when you are ready to enable SAML Single Sign-On authentication in your account.
Server URL - This is a required field where you will type in the Redirect URL given by your IdP's metadata. It is typically referred to as the "LoginURL" in your metadata XML file.
Certificate - This is a required field for your Identity Provider's certificate, so AccuCampus knows that it is sending users to the correct "LoginURL". If using the PEM format, remember to copy and paste all of the certificate information into this field, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. The X.509 certificate will work here as well.
Session expires when inactive - This setting specifies whether the session expires after being idle for the time specified in the “session timeout setting”.
Warning! A link on this page takes you to the "session timeout setting"; be sure to save your information first before using it.
Logout URL - Users will be redirected to this URL when they log out of the AccuCampus.net website. Typically referred to as the "LogoutURL" in your metadata XML file.
Login Error URL - Optionally provide users an "ErrorURL" where they will be redirected if they encounter an error at login. The error message will be sent in the query string using the parameter name defined below.
NOTE: If no Error Parameter Name is defined in the next field, the message is sent with the parameter name "Error". Here's an example:
https://www.mycollege.edu/sso-error-page-setup-in-the-IDP?Error="User Not Found matching username: firstname.lastname@example.org"
Error Parameter Name - Also optional, this works together with the field above it and is used if you want to specify a custom parameter name for sending the error message in the query string. As stated above, the default parameter name "Error" is used if none is defined.
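Added example, not part of this article or of AccuCampus: a PowerShell function that pulls the Server URL, Certificate and Logout URL described above straight out of an IdP's SAML metadata, re-wraps the certificate as PEM with the full BEGIN/END markers the Certificate field expects, and reports when the signing certificate expires (an IdP certificate rollover is the usual reason every SSO login suddenly fails). The metadata is constructed around a throwaway self-signed certificate generated in the script; the adfs.mycollege.edu hostnames are placeholders.

```powershell
# Added example (not AccuCampus/Engineerica code). Hostnames are placeholders.
function Get-IdpSsoSettings {
    param([Parameter(Mandatory)][string]$MetadataXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null                     # never resolve external entities in metadata
    $doc.LoadXml($MetadataXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $idp = $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'metadata has no IDPSSODescriptor' }

    # AccuCampus redirects the browser, so the HTTP-Redirect endpoints are the Login/Logout URLs.
    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    $sso = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$redirect']", $ns)
    $slo = $idp.SelectSingleNode("md:SingleLogoutService[@Binding='$redirect']", $ns)

    # Only the key marked use="signing" (or unmarked, meaning both uses) signs assertions;
    # pasting an encryption-only certificate into the Certificate field breaks every login.
    $certNode = $idp.SelectSingleNode("md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    if (-not $certNode) { throw 'metadata has no signing certificate' }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String(($certNode.InnerText -replace '\s', '')))

    # Emit PEM with the full five-dash markers and 64-character lines.
    $b64   = [Convert]::ToBase64String($cert.RawData)
    $lines = ($b64 -split '(.{64})') | Where-Object { $_ -ne '' }
    $pem   = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"

    $serverUrl = $null; if ($sso) { $serverUrl = $sso.GetAttribute('Location') }
    $logoutUrl = $null; if ($slo) { $logoutUrl = $slo.GetAttribute('Location') }
    [pscustomobject]@{
        ServerUrl       = $serverUrl
        LogoutUrl       = $logoutUrl
        CertificatePem  = $pem
        CertSubject     = $cert.Subject
        CertExpires     = $cert.NotAfter
        DaysUntilExpiry = [int]($cert.NotAfter.ToUniversalTime() - [datetime]::UtcNow).TotalDays
    }
}

# Constructed sample: a throwaway self-signed certificate standing in for the IdP token-signing cert.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=ADFS Signing - adfs.mycollege.edu', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sampleCert = $req.CreateSelfSigned([datetimeoffset]::UtcNow.AddDays(-1), [datetimeoffset]::UtcNow.AddYears(1))
$sampleB64  = [Convert]::ToBase64String($sampleCert.RawData)

$sampleMetadata = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.mycollege.edu/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>$sampleB64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.mycollege.edu/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.mycollege.edu/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"@

$settings = Get-IdpSsoSettings -MetadataXml $sampleMetadata
$settings | Format-List
if ($settings.DaysUntilExpiry -lt 30) { Write-Warning 'IdP signing certificate rotates soon: update the Certificate field before it does.' }
```

With a real IdP, replace $sampleMetadata with the contents of the published federation metadata (for AD FS, the FederationMetadata.xml the farm serves) and paste ServerUrl, CertificatePem and LogoutUrl into the corresponding fields; keeping the DaysUntilExpiry check in a scheduled job gives warning before a certificate rollover locks users out.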