AccuCampus: How to set up SAML SSO authentication?

Introduction

This feature authenticates users using the SAML protocols for SSO. It simplifies password management, increases security, and allows students to log into AccuCampus from a unique college portal, rather than a separate webpage/URL. This article will explain how to do this.
Previous knowledge of IdP (Identity Provider) systems will be required for this article.

Pre-requisites

Configuring the IdP/SAML Server

To configure an Identity Provider (IdP), the AccuCampus SAML Metadata XML is required. It can be created using this XML code:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="https://accucampus.net">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://accucampus.net/login?domain=mycollege" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://accucampus.net/saml/?a=691efc37-3e36-f5c4-47a7-014ac09ae835" index="1" />
    </md:SPSSODescriptor>
    <md:Organization>
        <md:OrganizationName xml:lang="en-US">Engineerica Systems</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en-US">Engineerica Systems Inc.</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en-US">https://www.engineerica.com</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
        <md:GivenName>Engineerica Support</md:GivenName>
        <md:EmailAddress>accucampus@engineerica.com</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="support">
        <md:GivenName>Engineerica Support</md:GivenName>
        <md:EmailAddress>accucampus@engineerica.com</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>

1. Copy all of the metadata above into a text editor and replace the two site-specific values (the ones highlighted in the original article): (1) "mycollege" in the SingleLogoutService Location with your own domain, and (2) the value of the "a" parameter in the AssertionConsumerService Location with the account key given to you by your account support rep (we are working on a button to be added in the future to provide this account key). Save the result as an XML file; this is your SAML Metadata file, to be loaded into your IdP.

2. Next, upload the XML file to your IdP authentication server.

3. Set the IdP up to send the user's email (which we use to identify them) in the NameID field under the Subject tag.

Note that the email is not sent as a SAML attribute/claim: it is carried in the NameID element defined under the Subject element, as shown below.

In the assertion sent by the IdP, the Subject should look like this:
<saml:Subject>
     <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml:NameID>
     ...
</saml:Subject>
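A small script, added here as an example and not part of AccuCampus or this article, that performs step 1 above: it substitutes your domain and account key into the metadata template and then parses the result to confirm the values an IdP administrator will check (entityID, the HTTP-POST AssertionConsumerService URL carrying your key, the logout URL, the NameID format, and that assertions must be signed). The sample domain and the all-zero account key are constructed placeholders; use the key your support rep gave you.

```python
import xml.etree.ElementTree as ET

# Added example, not AccuCampus code. The template is the SP metadata from the
# article with its two site-specific values replaced by tokens:
#   {domain}      the "mycollege" part of the SingleLogoutService Location
#   {account_key} the value of the "a" parameter in the AssertionConsumerService Location
SP_METADATA_TEMPLATE = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT604800S"
                     entityID="https://accucampus.net">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://accucampus.net/login?domain={domain}" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://accucampus.net/saml/?a={account_key}" index="1" />
    </md:SPSSODescriptor>
    <md:Organization>
        <md:OrganizationName xml:lang="en-US">Engineerica Systems</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en-US">Engineerica Systems Inc.</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en-US">https://www.engineerica.com</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
        <md:GivenName>Engineerica Support</md:GivenName>
        <md:EmailAddress>accucampus@engineerica.com</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="support">
        <md:GivenName>Engineerica Support</md:GivenName>
        <md:EmailAddress>accucampus@engineerica.com</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>
"""

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_sp_metadata(domain: str, account_key: str) -> str:
    """Fill in the template, refusing values that would break the URLs or the XML."""
    for value in (domain, account_key):
        if not value or any(ch in value for ch in "&<>\"' ?#/"):
            raise ValueError(f"unsafe value for metadata: {value!r}")
    return SP_METADATA_TEMPLATE.format(domain=domain, account_key=account_key)


def check_sp_metadata(xml_text: str) -> dict:
    """Parse the generated file and return the settings the IdP admin will verify."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{MD}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [e for e in sp.findall(f"{MD}AssertionConsumerService")
           if e.get("Binding") == HTTP_POST]
    if len(acs) != 1:
        raise ValueError("expected exactly one HTTP-POST AssertionConsumerService")
    slo = sp.find(f"{MD}SingleLogoutService")
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "acs_url": acs[0].get("Location"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "nameid_format": (sp.findtext(f"{MD}NameIDFormat") or "").strip(),
    }


if __name__ == "__main__":
    # Constructed sample values; the real account key comes from your support rep.
    generated = build_sp_metadata("mycollege", "00000000-0000-0000-0000-000000000000")
    print(check_sp_metadata(generated))
    with open("accucampus-sp-metadata.xml", "w", encoding="utf-8") as fh:
        fh.write(generated)
```

The value check in build_sp_metadata is deliberately strict: a stray space, slash or ampersand in the domain or key would either be URL-decoded differently by the IdP or break the XML, and the ACS URL is what the IdP posts the signed assertion to, so it is worth failing early.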

Configuring Active Directory Federation Services (ADFS)

To send the NameID in the Subject tag:
1. Go to AD FS Management and navigate to Trust Relationships > Claims Provider Trusts, then right-click on the provider and select Edit Claim Rules.


2. Click the Add Rule button, and add the "employee email" rule.

3. Send the LDAP attribute as a claim by creating a rule of type "Send LDAP Attributes as Claims."  Set the desired attribute to authenticate from the AD. For example, the Employee Email.

4. Finally, transform the NameID to the Subject as a second rule.
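To check what the IdP actually sends once step 3 of the pre-requisites and the ADFS rules above are in place, here is an added example (not part of this article, of AccuCampus or of ADFS) that parses a SAML assertion and confirms the email is in Subject > NameID with the unspecified format, rather than only in an AttributeStatement. The two assertions are constructed samples with the signature omitted; a real check also verifies the XML signature, which this example does not do.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: what the IdP should send after the rules above are in place.
# Signature and Conditions elements are omitted for brevity.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.mycollege.edu/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">linda.walls@mycollege.edu</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample of the common mistake: the email is only sent as a claim in an
# AttributeStatement while the Subject NameID holds an opaque directory identifier.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.mycollege.edu/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user-12345</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>linda.walls@mycollege.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def subject_email(assertion_xml: str) -> str:
    """Return the email from Subject/NameID, or raise ValueError saying what is wrong.

    Assumes the XML signature has already been verified elsewhere; this function only
    looks at where the identifier sits and what it contains.
    """
    root = ET.fromstring(assertion_xml)
    # Accept either a bare Assertion or a Response wrapping one.
    assertion = root if root.tag == f"{SAML}Assertion" else root.find(f".//{SAML}Assertion")
    if assertion is None:
        raise ValueError("no Assertion element found")
    name_id = assertion.find(f"{SAML}Subject/{SAML}NameID")
    if name_id is None:
        raise ValueError("Subject has no NameID")
    # SAML 2.0 treats a missing Format as unspecified.
    fmt = name_id.get("Format", UNSPECIFIED)
    if fmt != UNSPECIFIED:
        raise ValueError(f"unexpected NameID Format: {fmt}")
    value = (name_id.text or "").strip()
    if not EMAIL_RE.match(value):
        # Point the administrator at the usual cause: the email was mapped as a
        # claim but never transformed into the NameID.
        attrs = [v.text.strip() for v in assertion.iter(f"{SAML}AttributeValue")
                 if v.text and EMAIL_RE.match(v.text.strip())]
        hint = f" (an email is present only as an attribute: {attrs[0]})" if attrs else ""
        raise ValueError(f"NameID is not an email address: {value!r}{hint}")
    return value


if __name__ == "__main__":
    print("good:", subject_email(GOOD_ASSERTION))
    try:
        subject_email(BAD_ASSERTION)
    except ValueError as err:
        print("bad:", err)
```

Run against a decoded SAMLResponse captured from a test login, the error message for the second shape tells you which of the two ADFS rules (the LDAP-attribute claim or the NameID transform) is missing.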


Step-by-Step

SAML Single Sign-On Setup in AccuCampus

  1. To set up SAML SSO, go to Advanced Options > Settings > Account Settings > Single Sign-On.

  2. Scroll past the Custom Single Sign-On section to the SAML Single Sign-On section.

  3. Read carefully over the items on this page and complete the required fields using the explanations given below.
    AccuCampus - SAML SSO Settings
    1. Enabled - Check this option when you are ready to enable SAML Single Sign-On authentication in your account.

    2. Server URL - This required field is the Redirect URL given in your IdP's metadata, typically referred to as the "LoginURL" in the metadata XML file.

    3. Certificate - This required field is your Identity Provider's certificate, so AccuCampus knows it is sending users to the correct "LoginURL". If using the PEM format, copy and paste the whole certificate into this field, keeping the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. The X509 certificate will work here as well.

    4. Session expires when inactive - This setting specifies whether the session expires after being idle for the time set in the "session timeout setting".
      Warning! A link on the page takes you to the "session timeout setting"; save your information first before using it.

    5. Logout URL - Users are redirected to this URL when they log out of the AccuCampus.net website. Typically referred to as the "LogoutURL" in your metadata XML file.

    6. Login Error URL - Optionally provide an "ErrorURL" to which users are redirected if they encounter an error at login. The error message is sent in the query string using the parameter name defined in the next field.
      NOTE: If no Error Parameter Name is defined in the next field, the message is sent using the parameter "Error". For example:
      https://www.mycollege.edu/sso-error-page-setup-in-the-IDP?Error=User%20Not%20Found%20matching%20username%3A%20linda.walls%40mycollege.edu

    7. Error Parameter Name - Also optional; this works with the field above and lets you specify a custom parameter name used to send the error message in the query string. As stated above, the default parameter name is "Error".

  4. When you have updated your SAML SSO information, click the SAVE button to save the configuration, or use the CANCEL button to discard your changes and revert to the settings in use before you edited this section.
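The three required values in this section (Server URL, Certificate, Logout URL) all come from the IdP's metadata XML. As an added example that is not AccuCampus code, the script below pulls them out of an IdP metadata file and converts the bare base64 in ds:X509Certificate into the PEM form with the exact BEGIN/END markers the Certificate field expects. The IdP metadata is a constructed sample in the shape ADFS publishes; its certificate body is a five-byte dummy DER blob, not a real certificate. It assumes the Server URL is the HTTP-Redirect SingleSignOnService endpoint.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed IdP metadata. The X509Certificate body is a dummy DER SEQUENCE
# (MAMCAQA= decodes to 30 03 02 01 00), not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.mycollege.edu/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMCAQA=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.mycollege.edu/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.mycollege.edu/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.mycollege.edu/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(cert_text: str) -> str:
    """Normalise a certificate pasted as bare base64 or as PEM into PEM with exact markers."""
    lines = [ln.strip() for ln in cert_text.strip().splitlines()]
    body = "".join(ln for ln in lines if "CERTIFICATE" not in ln)   # drop any marker lines
    body = "".join(body.split())                                      # drop stray whitespace
    der = base64.b64decode(body, validate=True)                       # rejects non-base64 junk
    if not der or der[0] != 0x30:                                     # an X.509 cert is a DER SEQUENCE
        raise ValueError("certificate body does not decode to a DER SEQUENCE")
    return "\n".join([PEM_BEGIN, *textwrap.wrap(body, 64), PEM_END]) + "\n"


def accucampus_settings(metadata_xml: str) -> dict:
    """Map IdP metadata onto the Server URL, Certificate and Logout URL fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def redirect_location(tag: str):
        for svc in idp.findall(f"{MD}{tag}"):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    certs = [to_pem(c.text or "")
             for kd in idp.findall(f"{MD}KeyDescriptor")
             if kd.get("use", "signing") == "signing"   # no 'use' means signing and encryption
             for c in kd.iter(f"{DS}X509Certificate")]
    if not certs:
        raise ValueError("no signing certificate in IdP metadata")
    return {
        "server_url": redirect_location("SingleSignOnService"),
        "logout_url": redirect_location("SingleLogoutService"),
        "certificate": certs[0],
        "signing_cert_count": len(certs),   # more than one usually means a key rollover is under way
    }


if __name__ == "__main__":
    for key, value in accucampus_settings(IDP_METADATA).items():
        print(f"{key}:\n{value}\n")
```

When signing_cert_count is greater than one, the IdP is rolling its token-signing certificate; paste the one that is currently active, and plan to update the Certificate field before the old one is retired, since assertions signed with an unknown certificate will fail the WantAssertionsSigned check.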

NOTE: Once SAML setup is complete, you can send your users to https://accucampus.net/in/<domain>, replacing <domain> with your institution's domain. Alternatively, if they are already logged into their online portal, they can typically find the AccuCampus app (set up during this process) and click it to access our site directly.
For any further questions regarding this feature, please contact the support team at accucampus@engineerica.com or submit a ticket.

