ARTICLE: SAML 2.0 Authentication Module and AD FS v3
Reach can authenticate users with SAML once the following items are provided:
- The SAML IdP sign-on URL to which authentication requests are sent
- The IdP Metadata file, with the IdP's signing certificate embedded, for the IdP endpoint
Setting up SAML on AD FS v3
Using AD FS v3 as an authentication provider for Reach over SAML involves manually creating a Relying Party Trust for Reach, as described in Microsoft's documentation.
Follow these steps:
Open AD FS Management
Click Add Relying Party Trust
Pick Claims aware
Pick Enter data about the relying party manually
Assign a name and description of your choosing, e.g. "ReachRP"
On the Configure Certificate page, no separate token encryption certificate is required; click Next
Do not check Enable support for the WS-Federation Passive protocol, but do check Enable support for the SAML 2.0 WebSSO protocol. Specify your ACS URL as the SAML 2.0 SSO service URL (see Assertion Consumption Service below)
Add both the ACS URL and the portal URL (https:///) as relying party trust identifiers
Configure the remaining wizard pages as needed
Review the settings and finish the wizard
Check Configure claims issuance policy for this application if it is not already checked
Configure the claims issuance policy to map either userPrincipalName or the user's e-mail address to the Name ID of the SAML assertion (see Assertion Name ID Object below)
At this point, configuration on the AD FS side should be complete. Reach out and inform us of the FQDN of your AD FS server; we will usually append something along the lines of /adfs/ls/ ... /samlACS to it to use as a "direct login" URL.
Supplying us with a sample user account will help us set up and test the integration.
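The same configuration, scripted with the AD FS PowerShell module, as an added example that is not part of the original article or of Microsoft's or Reach's documentation. The portal and AD FS hostnames (portal.example.edu, adfs.example.edu), the trust name ReachRP and the HTTP-POST binding are assumptions; the claim rules emit the user's userPrincipalName as the SAML Name ID, which is one of the two mappings the steps above allow.

```powershell
# Added example (not Reach's or Microsoft's code): creates the Relying Party Trust from the
# steps above with the AD FS PowerShell module. Run in an elevated session on the AD FS server.
# Assumed placeholders: portal.example.edu (Reach portal FQDN), adfs.example.edu (AD FS FQDN).
Import-Module ADFS

$PortalUrl = 'https://portal.example.edu'   # assumed Reach portal URL; must be a fully qualified domain name
$AcsUrl    = "$PortalUrl/samlACS"            # the school-specific ACS URL (see Assertion Consumption Service)
$AdfsFqdn  = 'adfs.example.edu'              # assumed AD FS FQDN, the value to report back to Reach

# SAML 2.0 WebSSO endpoint: the SSO service URL is the ACS URL, HTTP-POST binding.
# No -WSFedEndpoint is passed, so WS-Federation Passive stays disabled, as the steps require.
$acsEndpoint = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $AcsUrl -Index 0 -IsDefault $true

# Claim rules in the AD FS claim-rule language.
# Rule 1: read userPrincipalName from Active Directory for the Windows account that signed in.
# Rule 2: transform that UPN into the outgoing Name ID, which lands in the assertion's Subject/NameID.
#         To key on e-mail instead, query ";mail;{0}" and emit the emailAddress name ID format.
$issuanceTransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Authorization: permit every authenticated user. Replace with a group-claim rule if only
# part of the directory should be able to reach the portal.
$issuanceAuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Both the ACS URL and the portal URL are registered as identifiers, as in the wizard steps.
# No -EncryptionCertificate is passed: assertions are signed but not encrypted.
Add-AdfsRelyingPartyTrust -Name 'ReachRP' `
    -Notes 'Reach portal SAML 2.0 relying party' `
    -Identifier @($AcsUrl, "$PortalUrl/") `
    -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $issuanceTransformRules `
    -IssuanceAuthorizationRules $issuanceAuthorizationRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Verify the trust, then export the IdP metadata from the standard AD FS metadata path.
# This file embeds the token-signing certificate Reach uses to validate your assertions.
Get-AdfsRelyingPartyTrust -Name 'ReachRP' | Select-Object Name, Identifier, SamlEndpoints, Enabled
Invoke-WebRequest -Uri "https://$AdfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml" -OutFile .\FederationMetadata.xml
```

The exported FederationMetadata.xml is the Metadata file Reach asks for. Reach verifies assertion signatures against the token-signing certificate embedded in it, so the file has to be supplied again whenever that certificate is rolled over, or sign-in will fail with signature errors even though nothing on the Reach side changed.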
Custom SAML Provider Setup
Module Setup Procedures
The following setup is needed to authenticate against a SAML IdP:
- Your IT department will be provided with an Assertion Consumption Service (ACS) URL that is unique to your school (see Assertion Consumption Service)
- Your IT department must then generate a Metadata file that includes our ACS URL and the certificate information that Reach will use to validate your assertions
- You then define which identifier Reach should use when the SAML assertion is presented (usually the username or e-mail address of the authenticated user), carried in the NameID of the Subject element (see Assertion Name ID Object)
- We then ensure that all your user accounts are set up with the correct username or e-mail address as stated in your SAML assertion
Assertion Consumption Service
Each school is given a unique URL, the Assertion Consumer Service endpoint in SAML 2.0 terminology, which must be mapped correctly in your Metadata file.
The format for each ACS URL is: https:///samlACS
Please ensure that your Reach Portal URL is a fully qualified domain name.
Assertion Name ID Object
Below is an example of the NameID object that we expect in return from your IdP. Without it, Reach cannot look up a corresponding internal user account and will refuse access immediately.
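As an added, constructed illustration that is not Reach's own sample, the block below shows a minimal SAML 2.0 Response whose Assertion carries a Subject/NameID, together with a PowerShell check that extracts the NameID value and its Format attribute from a captured Response and confirms the Recipient matches the ACS URL. The hostnames, IDs, timestamps and the user jdoe@example.edu are made up; a real Response also carries a Signature, Conditions and attribute statements that Reach validates on its side.

```powershell
# Added, constructed example (not Reach's sample). The XML is hand-written to show where the
# NameID sits; hostnames, IDs and the user are assumptions. A real capture is the base64-decoded
# SAMLResponse form field posted to the ACS URL, and additionally contains a Signature element.
$sampleResponse = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="https://portal.example.edu/samlACS">
  <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a55e7" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.edu/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.edu</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://portal.example.edu/samlACS" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
'@

function Get-SamlNameId {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,
        [string]$ExpectedAcsUrl          # optional: your school's ACS URL, to check the Recipient
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null             # never resolve DTDs or external entities in untrusted XML
    $doc.LoadXml($ResponseXml)

    # Namespace-aware XPath: a NameID anywhere other than Response/Assertion/Subject does not count.
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $nameId = $doc.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Subject/saml:NameID', $ns)
    if (-not $nameId -or [string]::IsNullOrWhiteSpace($nameId.InnerText)) {
        throw 'Assertion has no Subject/NameID: Reach cannot match an account and will refuse access.'
    }

    # The Recipient must be the ACS URL registered in the metadata, or the SP will reject the assertion.
    $recipient = $doc.SelectSingleNode('/samlp:Response/saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/@Recipient', $ns)
    if ($ExpectedAcsUrl -and $recipient -and $recipient.Value -ne $ExpectedAcsUrl) {
        Write-Warning "Recipient '$($recipient.Value)' does not match the expected ACS URL '$ExpectedAcsUrl'."
    }

    [pscustomobject]@{
        Value     = $nameId.InnerText.Trim()
        Format    = $nameId.GetAttribute('Format')
        Recipient = if ($recipient) { $recipient.Value } else { $null }
    }
}

# Constructed run: prints Value jdoe@example.edu, the unspecified name ID format, and the Recipient.
Get-SamlNameId -ResponseXml $sampleResponse -ExpectedAcsUrl 'https://portal.example.edu/samlACS'
```

The Value column is what Reach compares against the username or e-mail address stored on the user account, so it is the first thing to check when sign-in is refused: if the NameID is missing, or carries a value (for example a domain\user account name) that differs from what was agreed, the claim rule on the IdP side needs adjusting, not the Reach account. The check above inspects structure only; verifying the XML signature against the metadata certificate and enforcing NotOnOrAfter remain the service provider's job.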