School Configuration Guide - Authentication

Overview


Schools will need to configure a variety of settings for Authentication within Schoolbox. The information on this page is divided into the three available Authentication methods. If you use a Cloud instance, you have the option of using one of two available methods. If you use a Self-Hosted instance, you have the option of using one of three available methods.

Cloud options: SAML, oAuth

Self-Hosted options: LDAP, SAML, oAuth

This page will define each individual setting and how to populate each setting within your school's instance.

SAML


Setting up SAML authentication will allow you to achieve single sign-on (SSO) for your users across the web. Your identity provider (IDP) will provide the authentication services for Schoolbox. Once your users are authenticated against the identity provider, they may proceed to Schoolbox and any other service providers that are registered with it.

NOTE: As the setup of SAML and SSO requires configuration against a specific URL, settings cannot be copied between your production and staging instances. Each instance will therefore require individual configuration if you wish to set up or test this method of logging in. SAML settings are not replaced during a Production to Staging sync for this reason.

1. Navigate to Administration > System Settings > SAML.


2. Enter the 'Single Sign-On URL'. 

This is where Schoolbox will send Single Sign-On (SSO) requests. 

For example: 

Azure: login.microsoftonline.com/{set of numbers and letters}/saml2

Google: accounts.google.com/o/saml2/idp?idpid={your IDP ID}

CloudWork: {yourschool}-login.cloudworkengine.net/saml2/idp/SSOService.php


3. Enter the details for one of the options below.

Option 1

'Single Sign-On Identity Provider Metadata URL'. 

This URL is where the metadata for your Single Sign-On Identity provider is located.


Option 2

1. Enter the 'Single Sign-On IDP Certificate'. 

This is only required if your metadata URL does not inherently provide the certificate information or you require a different certificate than what is provided in the metadata URL. In circumstances where both are populated, the manually entered certificate will override the content of the metadata URL.


2. Enter the 'IDP Entity ID'. 

This is the unique identifier for the Identity Provider.


3. Enter the 'Schoolbox Entity ID'. 

This is the unique identifier for Schoolbox to use as its Entity ID.


NOTE: If this is not set, the URL for your instance will be used.

4. In Title for Single Sign-On, enter the text you want to display to the users. By default, it displays the text Login with Single Sign-On.   

5. In Icon for Single Sign-On, you can attach an icon to display at the left of the Single Sign-On title. 

6. Next, select the color for the Single Sign-On login button.

7. When done, select Save.

 

Further Configurable Options

If applicable, toggle and enter the relevant selection for kerberos. 

This is only needed if using kerberos authentication with SAML.


'Enable Single Logout' 

If toggled to ON, the logout performed in Schoolbox will be sent to the IDP to log the user out of all other services registered with that IDP.


'Single Sign-On Logout URL'

This is the URL that users will be redirected to upon logging out. 

For example: yourschool.schoolbox.com.au


'Single Logout URL Endpoint'. 

If your IDP metadata is not provided or does not contain an SLO endpoint, configure here where SLO requests should go.


NOTE: This is optional for all schools, but should be configured if your IDP metadata is not provided or it does not contain a SLO endpoint.
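The precedence rules above (a manually entered certificate overrides the metadata certificate, the Schoolbox Entity ID defaults to the instance URL, and the manual SLO endpoint is only needed when the metadata has none) are easy to get wrong when a school is debugging a failing SSO setup. The following is an added example, not Schoolbox's own code: it parses a constructed SAML 2.0 IDP metadata document with the standard library and works out which values would actually be in effect. The class and function names (ManualSettings, EffectiveSettings, parse_idp_metadata, resolve) are my own, the sample metadata is constructed with a placeholder certificate string, and the "metadata SLO endpoint wins when both exist" rule is my reading of the note above rather than a documented product behaviour.

```python
"""Added example, not Schoolbox code: work out the effective SAML settings from an
IDP metadata document plus the manually entered fields the guide describes.
Assumptions: standard SAML 2.0 EntityDescriptor metadata; all names below are my
own; the sample metadata is constructed with a placeholder certificate."""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: an IDP that publishes a signing certificate and an SSO
# endpoint but deliberately no SingleLogoutService element.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example-school.edu/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-METADATA-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-school.edu/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

@dataclass
class ManualSettings:
    """Fields typed into the SAML settings page; None means left blank."""
    sso_url: str
    idp_certificate: Optional[str] = None   # 'Single Sign-On IDP Certificate'
    idp_entity_id: Optional[str] = None     # 'IDP Entity ID'
    sp_entity_id: Optional[str] = None      # 'Schoolbox Entity ID'
    slo_endpoint: Optional[str] = None      # 'Single Logout URL Endpoint'

@dataclass
class EffectiveSettings:
    sso_url: str
    idp_certificate: str
    idp_entity_id: str
    sp_entity_id: str
    slo_endpoint: Optional[str]

def parse_idp_metadata(xml_text: str) -> dict:
    """Pull entityID, signing certificate and SLO endpoint out of IDP metadata."""
    root = ET.fromstring(xml_text)
    found = {"entity_id": root.get("entityID"), "certificate": None, "slo": None}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return found
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue                     # encryption-only keys do not verify assertions
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            found["certificate"] = "".join(cert.text.split())   # drop PEM line breaks
            break
    slos = idp.findall("md:SingleLogoutService", NS)
    if slos:
        preferred = [s for s in slos if s.get("Binding") == HTTP_REDIRECT] or slos
        found["slo"] = preferred[0].get("Location")
    return found

def resolve(manual: ManualSettings, metadata_xml: Optional[str],
            instance_url: str) -> EffectiveSettings:
    """Apply the precedence rules the guide states to get the settings actually used."""
    meta = (parse_idp_metadata(metadata_xml) if metadata_xml
            else {"entity_id": None, "certificate": None, "slo": None})
    cert = manual.idp_certificate or meta["certificate"]   # manual entry overrides metadata
    if not cert:
        raise ValueError("no IDP signing certificate: provide metadata or enter one")
    idp_entity = manual.idp_entity_id or meta["entity_id"]
    if not idp_entity:
        raise ValueError("IDP Entity ID missing from both metadata and manual settings")
    sp_entity = manual.sp_entity_id or instance_url        # blank -> instance URL
    slo = meta["slo"] or manual.slo_endpoint               # manual value fills the gap only
    return EffectiveSettings(manual.sso_url, cert, idp_entity, sp_entity, slo)

def settings_are_complete(manual: ManualSettings, metadata_xml: Optional[str],
                          instance_url: str) -> bool:
    """True when resolve() would succeed, i.e. a certificate and IDP entity ID exist."""
    try:
        resolve(manual, metadata_xml, instance_url)
        return True
    except ValueError:
        return False
```

Running resolve() against the sample metadata with a blank certificate field returns the metadata certificate and no SLO endpoint; filling in the certificate and SLO fields shows the manual certificate taking over while the SLO field supplies the endpoint the metadata lacked.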

 

'Login with Single Sign-On only' 

If toggled to ON, users who visit the login screen will be redirected to the IDP for Single Sign-On via SAML.


Administration > System Settings > Security and 'Allow users to login with email address'

If toggled to ON, users will be able to log in using either their username or email address.


oAuth


1. Navigate to Administration > System Settings > oAuth Provider Configuration.


2. Enter the 'oAuth Identity Provider URL'. 

This URL is where authentication requests are sent to and is the URL of your identity provider.

For Example:

Cloudwork: "https://yourschool-id.cloudworkengine.net/".


3. Enter the 'oAuth Client ID' and 'oAuth Client Secret'. 

This is the Client ID and Secret required for authentication against the oAuth provider.


4. Enter the 'oAuth Identifying Claims'. 

This is a comma-separated list of claims within the JWT provided by the identity provider which may identify a user. One of these claims' values must match the username of a Schoolbox user.


NOTE: Common values are "preferred_username", "upn" and "unique_name".

5. Toggle Enable Single Sign-On via oAuth Identity Provider to ON to enable login through the oAuth Identity Provider.

6. In Title for OpenID Connect, enter the text you want to display to the users. By default, it displays the text Login with OpenID Connect.   

7. In Icon for OpenID Connect, you can attach an icon to display at the left of the OpenID Connect title. 

8. Next, select the color for the OpenID Connect login button.

9. When done, select Save.

 

Further Configurable Options

Administration > System Settings > Security and 'Allow users to login with email address'

If toggled to ON, users will be able to log in using either their username or email address.


LDAP


The LDAP Integration process enables passwords to be stored centrally in an existing user directory. When a user logs on, Schoolbox will first bind and search for the user in the LDAP tree. Upon finding the user's CN, the system will attempt to rebind to the LDAP server with the user's CN and password. Currently the user must exist in Schoolbox before they can log in to the system; adding the user to LDAP alone is not enough for the user to log in to Schoolbox.

NOTE: The LDAP authentication is completed before the Schoolbox authentication. If a user exists in both LDAP and Schoolbox, the LDAP password is attempted first. If this fails, it will fall back to Schoolbox. If no password is stored in Schoolbox, the login will be denied. For this reason it is strongly recommended that there be at least one superuser that has a password stored locally in Schoolbox.

1. Navigate to Administration > System Settings > LDAP.


2. Toggle Enable LDAP Authentication to 'ON'.


3. Enter the 'LDAP Host'. 

This is where Schoolbox will find your AD server, e.g. 'server.yourschool.vic.edu.au'.


4. Enter 'LDAP Username' and 'LDAP Password'. 

These are the credentials Schoolbox uses to bind to your LDAP server when looking up the users it authenticates.


5. Enter the 'LDAP Search Base'. 

This will be used to identify where within your LDAP server Schoolbox searches for users. This is the base search path for username lookup.


6. Enter 'LDAP Username Search Field'. 

This field is compared against the Schoolbox username for authentication.


 

Further Configurable Options

'LDAP Search Filter'

This is a pre-filter to put onto LDAP login searches. For example, objectClass=User.


'LDAP Alternate Host', 'LDAP Alternate Username' and 'LDAP Alternate Search Base'. 

These act as the backup LDAP server details in case the primary is inaccessible.


'LDAP Tertiary Host', 'LDAP Tertiary Username' and 'LDAP Tertiary Search Base'. 

These act as additional backup LDAP server details in case the primary and secondary are both inaccessible.
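The LDAP login flow described in this section (bind with the service account, search under the search base for the username search field, rebind as the user, then fall back to the locally stored Schoolbox password), the 'LDAP Search Filter' pre-filter such as objectClass=User, and the primary / alternate / tertiary host order all fit in one small model. The following is an added example, not Schoolbox's own code: it runs the sequence against an in-memory stand-in for a directory so it works offline. LdapHost, FakeLdapServer, authenticate() and the sample DNs, hostnames and passwords are my own constructions; the fake server only evaluates equality filters joined by '&', which is all this flow needs, and the local password check compares plaintext only because the sample has no password hashes.

```python
"""Added example, not Schoolbox code: bind / search / rebind, the pre-filter,
host failover and the local-password fall-back, against an in-memory directory.
Assumptions: all names and sample data are constructed for this example."""
import hmac
import re
from dataclasses import dataclass, field
from typing import Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed username cannot add wildcards or extra clauses."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(search_field: str, username: str, pre_filter: Optional[str]) -> str:
    """(field=user) alone, or (&(pre-filter)(field=user)) when a pre-filter is set."""
    user_clause = f"({search_field}={escape_filter_value(username)})"
    if not pre_filter:
        return user_clause
    pf = pre_filter if pre_filter.startswith("(") else f"({pre_filter})"
    return f"(&{pf}{user_clause})"

@dataclass
class LdapHost:
    host: str
    username: str                 # service account DN used for the first bind
    password: str
    search_base: str
    reachable: bool = True
    entries: dict = field(default_factory=dict)   # dn -> attribute dict (constructed)

class FakeLdapServer:
    """Stand-in for a network LDAP connection to one configured host."""
    def __init__(self, cfg: LdapHost):
        if not cfg.reachable:
            raise ConnectionError(cfg.host)
        self.cfg = cfg

    def bind(self, dn: str, password: str) -> bool:
        entry = self.cfg.entries.get(dn)
        return bool(password) and entry is not None and hmac.compare_digest(
            entry.get("userPassword", "").encode(), password.encode())

    def search(self, base: str, ldap_filter: str) -> list:
        clauses = [(k, unescape_filter_value(v))
                   for k, v in re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)]
        return [dn for dn, attrs in self.cfg.entries.items()
                if dn.lower().endswith(base.lower())
                and all(attrs.get(k) == v for k, v in clauses)]

def authenticate(username: str, password: str, hosts: list, search_field: str,
                 pre_filter: Optional[str], local_passwords: dict) -> Optional[str]:
    """Return 'ldap', 'local' or None, following the order the guide describes."""
    if not password:
        return None          # an empty password would be an anonymous bind, never a login
    for cfg in hosts:        # primary, then alternate, then tertiary
        try:
            server = FakeLdapServer(cfg)
        except ConnectionError:
            continue         # host inaccessible: try the next configured host
        if not server.bind(cfg.username, cfg.password):
            continue         # service account refused: treat this host as unusable
        matches = server.search(cfg.search_base,
                                build_filter(search_field, username, pre_filter))
        if len(matches) == 1 and server.bind(matches[0], password):
            return "ldap"
        break                # the directory answered; do not retry on the backups
    # LDAP failed or the user is not there: fall back to the Schoolbox password.
    stored = local_passwords.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return "local"       # real code compares a password hash, not plaintext
    return None

# Constructed sample: the primary host is down, the alternate answers.
SVC_DN = "cn=schoolbox,ou=svc,dc=yourschool,dc=edu"
PRIMARY = LdapHost("ldap1.yourschool.vic.edu.au", SVC_DN, "svc-secret",
                   "ou=people,dc=yourschool,dc=edu", reachable=False)
ALTERNATE = LdapHost("ldap2.yourschool.vic.edu.au", SVC_DN, "svc-secret",
                     "ou=people,dc=yourschool,dc=edu", entries={
    SVC_DN: {"userPassword": "svc-secret"},
    "cn=Jane Smith,ou=people,dc=yourschool,dc=edu": {
        "objectClass": "User", "sAMAccountName": "jsmith", "userPassword": "Correct-Horse"},
    "cn=printer,ou=people,dc=yourschool,dc=edu": {
        "objectClass": "Device", "sAMAccountName": "printer", "userPassword": "x"},
})
HOSTS = [PRIMARY, ALTERNATE]
LOCAL_PASSWORDS = {"admin": "local-superuser-secret"}   # the locally stored superuser

if __name__ == "__main__":
    for user, pw in (("jsmith", "Correct-Horse"), ("printer", "x"), ("admin", "local-superuser-secret")):
        print(user, authenticate(user, pw, HOSTS, "sAMAccountName", "objectClass=User", LOCAL_PASSWORDS))
```

Three things in the run are worth noting for a school checking its own settings: the pre-filter objectClass=User stops the "printer" device entry from logging in even though its sAMAccountName and password are right; a username such as "*" is escaped into a literal rather than a wildcard, so it matches nothing; and the "admin" account, which is absent from the directory, still gets in through the locally stored password, which is exactly the superuser safety net the note at the top of this section recommends.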


'LDAP CA Certificate'. 

This is optional for schools if they want to use a specific certificate. Please note, this requires manual upkeep by the school when the certificate expires, or when circumstances within a school's infrastructure change where it would invalidate the certificate.


Administration > System Settings > Security and 'Allow users to login with email address'

If toggled to ON, users will be able to log in using either their username or email address.
