i-ready Support for Single Sign-On (SSO)

Similar documents
Security Assertion Markup Language (SAML) applied to AppGate XDP

Single Sign-On (SSO) Using SAML

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

Kaltura MediaSpace SAML Integration Guide. Version: 5.0

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Directories Services and Single Sign-On for Collaboration

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Advanced Configuration for SAML Authentication

Oracle Utilities Opower Solution Extension Partner SSO

ADP Federated Single Sign On. Integration Guide

Configure ISE 2.3 Guest Portal with OKTA SAML SSO

Morningstar ByAllAccounts SAML Connectivity Guide

SAML-Based SSO Solution

Leave Policy. SAML Support for PPO

Single Sign-On Implementation Guide

SAML-Based SSO Solution

ComponentSpace SAML v2.0 Okta Integration Guide

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

All about SAML End-to-end Tableau and OKTA integration

Identity Provider for SAP Single Sign-On and SAP Identity Management

April Understanding Federated Single Sign-On (SSO) Process

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

Integration of the platform. Technical specifications

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Single Sign-On (SSO)Technical Specification

This section includes troubleshooting topics about single sign-on (SSO) issues.

Table of Contents. Single Sign On 1

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Configuration Guide - Single-Sign On for OneDesk

D9.2.2 AD FS via SAML2

RSA SecurID Access SAML Configuration for Datadog

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

Introducing Shibboleth. Sebastian Rieger

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

RSA SecurID Access SAML Configuration for Kanban Tool

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Suomi.fi e-identification Technical interface description

Generic Structure of the Treatment Relationship Assertion

Connect Authenticate

Single Sign-On Implementation Guide

RSA SecurID Access SAML Configuration for Samanage

Version 7.x. Quick-Start Guide

Qualys SAML & Microsoft Active Directory Federation Services Integration

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

ArcGIS Server and Portal for ArcGIS An Introduction to Security

RSA SecurID Access SAML Configuration for StatusPage

Quick Start Guide for SAML SSO Access

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

WebEx Connector. Version 2.0. User Guide

SecureAuth IdP Realm Guide

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

OIO Bootstrap Token Profile

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

SAML 2.0 SSO Extension for Dynamically Choosing Attribute Values

Quick Start Guide for SAML SSO Access

CA SiteMinder Federation

Protecting SugarCRM with SafeNet Authentication Manager

Quick Connection Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

CLI users are not listed on the Cisco Prime Collaboration User Management page.

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

NETOP PORTAL ADFS & AZURE AD INTEGRATION

Integration Documentation. Automated User Provisioning Common Logon, Single Sign On or Federated Identity Local File Repository Space Pinger

Assurance Enhancements for the Shibboleth Identity Provider 19 April 2013

TECHNICAL GUIDE SSO SAML Azure AD

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

CA CloudMinder. SSO Partnership Federation Guide 1.51

CA SiteMinder Federation

MyWorkDrive SAML v2.0 Okta Integration Guide

penelope case management software AUTHENTICATION GUIDE v4.4 and higher

Session 2.1: Federations: Foundation. Scott Koranda Support provided by the National Institute of Allergy and Infectious Diseases

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

How to Configure Fiori Launchpad and Web Dispatcher to Support SAML2 Using SAP Identity Provider Step-by-Step

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

MyWorkDrive SAML v2.0 Azure AD Integration Guide

Introduction to application management

SAML-Based SSO Configuration

FAS SAML Integration Guide

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Integrating YuJa Active Learning into ADFS via SAML

Enabling Single Sign-On Using Okta in Axon Data Governance 5.4

Integration Guide. SafeNet Authentication Service. Protecting Syncplicity with SAS

CA CloudMinder. SSO Partnership Federation Guide 1.53

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

Add OKTA as an Identity Provider in EAA

AAI Login Demo. SWITCHaai Introduction Course Bern, 1. March Daniel Lutz

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

Box Connector. Version 2.0. User Guide

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]

Integration Guide. SafeNet Authentication Service. Protecting SugarCRM with SAS

Enterprise Access Gateway Management for Exostar s IAM Platform June 2018

Transcription:

i-ready Support for Single Sign-On (SSO) Contents Benefits... 2 Supported Security Protocols... 2 How It Works... 2 SAML Workflow... 3 Clever Workflow... 4 Implementation Details... 5 Basic Assumption... 5 i-ready SSO Feature Options... 5 Clever Instant Login... 5 SAML... 5 Logout Link (optional)... 5 The SAML Assertion: Data Requirements... 6 NameID... 6 Required Attributes... 6 SSO Implementation Details... 8 SAML Implementation Process... 8 Implementation Questionnaire... 8

Benefits Fast, Secure Account Creation and User Authentication i-ready s Single Sign-On (SSO) feature enables administrators to control access to i-ready without the hassle of managing and maintaining a separate user account. For students and teachers, it provides streamlined access to i-ready without having to log in separately. Enhanced Security With Software-as-a-Service (SaaS) applications, maintaining control over logins can be challenging. i- Ready s SSO feature supports the most common security protocols used by identity providers. Reduced Help Desk Costs One of the most prevalent IT Help Desk incident types is users forgetting their password or having login difficulties. By enabling users to log in to i-ready (and other applications) through a single sign-on process, these requests are dramatically reduced. Supported Security Protocols i-ready supports the SAML 2.0 protocol. This provides optimum control over logins and permissions through its support of the most common security protocols used by identity providers. Almost all SSO implementations utilize SAML (Security Assertion Markup Language), an XML standard for exchanging authentication data between an identity provider (i.e., an SSO partner that vouches for the identity of a user) and a service provider (i.e., an SSO partner that provides services to an end user, such as i-ready). i-ready also has a partnership with Clever. This means if a school/district is using clever for data synchronization, sign-in can be simplified utilizing Clever s Instant Logon service. Clever is a registered trademark of Clever, Inc. How It Works When the user invokes i-ready with SSO enabled, i-ready generates a SAML request to the trusted identity provider (IDP). The user s identity, expressed as a SAML assertion or token, is transmitted back to i-ready. The SAML token is highly encrypted and signed with a security certificate, allowing i- Ready to decrypt the token s validity and authenticity. Using the information in the SAML token, i-ready grants access to the user. i-ready does not support service provider-initiated SSO. This means the user MUST sign in via their identity provider portal to log in to i-ready. Users are currently unable to access their IDP from i-ready s Login page. 2

SAML Workflow Per Figure 1 below, a typical SAML SSO request has the following flow: 1. The user logs on and authenticates with his or her network and applicable portal (ex. Classlink, Stoneware, etc.) 2. The user clicks a link to log in to i-ready from within their Identity Provider. 3. The IDP authenticates the user. 4. The IDP creates an encrypted SAML assertion or token. 5. The token is sent to i-ready s SSO Services. 6. The SSO Service makes a request to i-ready to authenticate the user. 7. i-ready responds with an AuthCode for the user. 8. If the attributes are correct, i-ready s SSO Service responds with the correct AuthCode. 9. The user can now use i-ready. Classlink is a trademark of Classlink, Inc. Stoneware is a trademark of Lenovo (Singapore) Pte. Ltd. Figure 1 3

Clever Workflow Per Figure 2 below, a typical Clever SSO request has the following flow: 1. The user logs in to the Clever Portal. 2. The user clicks a link to log in to i-ready from within their authentication portal. 3. Clever sends an access request to i-ready. 4. i-ready recognizes the account as a Clever account and responds with an Access Token Request. 5. Clever responds with the Receive Token. 6. i-ready requests the user information for login. 7. Clever responds with the user information and the user is now ready to log in. Figure 2 4

Implementation Details This section acts as an adjunct to the i-ready SSO Survey. The Survey acts as a preliminary review of a school s/district s SSO capabilities and helps i-ready evaluate the compatibility of SSO environments. Once the customer environment is determined compatible, this document should be reviewed to understand i-ready s SSO terminology and implementation options, the details of data exchange using the SAML assertion, and techniques for creating i-ready user accounts that are recognized by SSO. Basic Assumption The SSO operation ensures a highly secure authentication procedure. For SSO to operate properly, before accessing the i-ready site, the user must be logged into the customer s Identity Provider (IDP). i- Ready will communicate with the IDP to authenticate the requests made by the user. Users must be created in i-ready through our automated provisioning process. Users not created that attempt to authenticate will receive an error. Once SSO is enabled within i-ready, users will no longer be able to log in directly to i-ready with a username or password. It is imperative that administrators communicate with users to ensure a smooth transition process. i-ready SSO Feature Options There are two SSO options that must be considered. These options are specific to each environment and are meant to provide flexibility to accommodate the educator s User Experience requirement. Depending on the option chosen, a Logout link can be added to provide a smooth logout experience. Clever Instant Login This option determines if Clever will be used as the SSO IDP. Set-up is very simple as i-ready has a partnership trust with Clever allowing quick and easy set-up with little educator interaction. SAML This option is for all other implementations that use an IDP other than Clever for SSO. The IDP must be compatible with SAML2.0 and able to meet the metadata requirements below. Logout Link (optional) For a user who has accessed i-ready through SSO, should i-ready provide a Logout Link? If Yes, the school/district provides a URL where the user should be redirected. 5

The SAML Assertion: Data Requirements As stated above, the SAML assertion is expected to contain two sets of data: NameID A unique and persistent user identifier: This is the primary means for identifying users with i-ready. This is sometimes an SIS ID, State Student ID or other persistent unique identifier. This should be contained within the first element of the SAML Subject (NameID). NameID Format: This identifies the NameID format to be one of two options: transient or unspecified. Transient: This is meant to obfuscate the real user identity, so it s not possible to link user activities across different relying parties and is only valid for a single login session. Unspecified: This also obfuscates the real user identity and is meant to leave the implementation of the NameID format up to the identity provider. See the highlighted areas in the example below: <saml:subject> <saml:nameid Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="wy-zmens17614" SPNameQualifier="i- Ready">UNIQUE_IDENTIFIER</saml:NameID> <saml:subjectconfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:subjectconfirmationdata NotOnOrAfter="2015-08-14T17:22:34Z" Recipient="https://sso.i-Ready.com:443/auth/Consumer/metaAlias/sp" /> </saml:subjectconfirmation> </saml:subject> Required Attributes Role (optional): The educator can inform i-ready if the user is a teacher or student. This will be used to ensure that the chance of any duplicate IDs between roles (student having the same ID as a teacher) is mitigated. AccountID (required): The AccountID (provided by i-ready) determines the account in i-ready where users are located. State (optional): Used to specify the U.S. state for login. This field is optional. See the highlighted areas in the example below: <saml:attributestatement> <saml:attribute Name="accountId"> 6

<saml:attributevalue xmlns:xs="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:type="xs:string">wyzmens17614</saml:attributevalue> </saml:attribute> <saml:attribute Name="role"> <saml:attributevalue xmlns:xs="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:type="xs:string">student</saml:attributevalue> </saml:attribute> <saml:attribute Name="state"> <saml:attributevalue xmlns:xs="http://www.w3.org/2001/xmlschema" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:type="xs:string">wy</saml:attributevalue> </saml:attribute> </saml:attributestatement> 7

SSO Implementation Details SAML Implementation Process The steps below describe the end-to-end process of requesting, testing, and configuring SSO. 1. Request for SSO Setup is made and Support Case is created. 2. Initial call is scheduled. a. Discuss what to use for SSO (SAML/Clever). b. Is the Automated Provisioning method known (for new districts)? c. Discuss attributes necessary for SAML SSO (AccountID, role, etc.) 3. SSO testing environment metadata is sent to educator (and can be downloaded here). 4. Educator sets up a test SSO application in their Identity Provider/Portal. 5. Educator sends application metadata to i-ready. 4. Educator metadata imported to the SSO testing environment. 6. SSO testing environment is configured for SSO. 7. Testing is performed. a. Ensure SAML assertion contains proper attributes. b. Ensure users can log in via SSO. c. Login experience is verified. 8. Once testing is complete, production metadata is sent to educator. 9. Educator re-imports production metadata. 10. i-ready imports the educator s metadata to production environment. 10. SSO is enabled in production on the go-live date. Implementation Questionnaire The following questionnaire serves as the basis for pre-implementation discussions between your district leadership, IT organization and i-ready. Several of the checklist items require all parties be present on the discussion because business decisions may influence the technical implementation (and vice versa). Your Identity Provider must support SAML 2.0 to properly implement SSO with i-ready. What Identity Provider will be used to implement SSO? Describe the SSO user experience desired (e.g., user logs into district portal; clicks the i-ready link, etc.) Please provide the metadata for the SAML Application. (Can be sent separately) Please review the SAML Assertion data requirements above (pages 6 7). Indicate that 8

these items will be provided as specified. Please indicate any discrepancies (in detail). Please tell us your desired go-live date: Please enter the Logout URL to which i-ready should redirect users upon logging out: 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback