SAML2.0 Authentication Module and AD FS v3

ARTICLE: SAML 2.0 Authentication Module and AD FS v3


Reach will allow authentication with SAML when the following items are provided:
  1. The SAML IdP landing page that authentication requests must be serviced by
  2. The Metadata file (with the security certificate embedded) for the IdP endpoint

Setting up SAML on AD FS v3

Using ADFS v3 as an authentication provider for Reach with SAML involves manually creating a Relying Party for Reach, as per Microsoft's documentation.

Follow these steps:
  1. Open AD FS Management
  2. Click Add Relying Party Trust
  3. Pick Claims aware
  4. Pick Enter data about the relying party manually
  5. Assign a name and description of your choosing, e.g. "ReachRP"
  6. No separate token encryption certificate, so click Next
  7. Do not check Enable support for the WS-Federation Passive protocol, but do check Enable support for the SAML 2.0 WebSSO protocol* The SSO service URL should be specified as your ACS URL (see Assertion Consumption Service below)
  8. Add the ACS URL, and portal URL (https:///) as identifiers
  9. Configure as needed
  10. Review as needed
  11. Check Configure claims issuance policy for this application if it is not already
Configure the claims issuance policy to map either userPrincipalName or sAMAccountName to the NameID for the SAML assertions.

At this point, configuration on the AD FS side should be complete, reach out and inform us of the FQDN for your AD FS; we'll usually have to append something along the lines of /adfs/ls/ idpinitiatedsignon.aspx?logintoRP=https://
/samlACS to it to use as a "direct login" link.

Supplying us with a sample user account will help us set up and test the integration.

Custom SAML Provider Setup

Module Setup Procedures

  1. We will need to perform the following setup for authenticating against a SAML IdP:
  2. Your IT department will be provided with an Assertion Consumption Service (ACS) URL that is unique to your school (see Assertion Consumption Service)
  3. Your IT department must then generate a Metadata file that includes our ACS URL and any other certificate information that Reach will use to validate your assertion
  4. You will then define what identifier Reach should use when the SAML assertion is provided (usually the Username or Email address of the authenticated user) via the NameID in the Subject object (see Assertion Name ID Object)
  5. We will then ensure that all your user accounts are setup with the correct username or email address as stated within your SAML assertion

Assertion Consumption Service

Each school will be given a special URL that needs to be mapped in your Metadata file correctly. The format for each ACS URL is: https:///samlACS
Please ensure that your Reach Portal URL is a fully qualified domain name.

Assertion Name ID Object

Below is an example of the NameID object that we expect in return from your IdP.  Without it, Reach will not be able to look up a corresponding internal user account and will refuse access to Reach immediately.

Custom Single Sign On

To integrate with Cloudwork|Studentnet.ID, users need to add a Custom Service into StudentNet. Reference details at
    • Related Articles

    • ARTICLE: How to configure Single-Sign-On with SAML within your Reach Portal

      You can configure Single Sign On using SAML directly within your REACH portal at System Configuration > Authentication Single Sign In will appear on the login screen for REACH with access to use the your school's Single Sign In authentication to ...
    • ARTICLE - Medications Module

      Medications Module Medication and students go hand-in-hand as a normal part of student life establishments. Reach created the Medications Module to facilitate this complex element and to provide an all-encompassing solution to your school's ...
    • ARTICLE: General System Configuration

      General System Configurations Items in System Configuration > General, are the base settings of primary elements within REACH that apply across all modules.  There are 33 actionable general settings that can be changed to suit preferences within your ...
    • ARTICLE: Student Mobile App User Guide

      Student Mobile App User Guide The Reach Mobile App is designed for use as a transaction platform, it is free and is available for use by all students that have a user account on your Reach Portal.   The Mobile App provides access to the major of ...
    • ARTICLE: System Configuration - General Settings

      Items in the General Configuration relate to the primary settings that apply across all modules in Reach.  School Name The school name is displayed in the top left-hand corner of REACH and is also used throughout all of your correspondence and ...