SAML/SSO

Overview

Setting up SAML authentication allows you to achieve single sign-on (SSO) for your users. Your identity provider (IdP) provides the authentication service for Schoolbox: once a user has authenticated against the identity provider, they may proceed to Schoolbox and to any other service providers registered with that IdP.

The examples below use ADFS (Active Directory Federation Services) as the IdP, though the same process works with many other IdPs such as SimpleSAML and StudentNet.

On this page, you will find the following information:

Identity Provider

Schoolbox SAML

Single Logout (SLO)

ADFS

Kerberos/WIA with SAML

Bypass SAML in Schoolbox

WebDav with SAML enabled

Google SAML

Azure SAML

NOTE: Because the SAML/SSO setup is bound to a specific URL, settings cannot be copied between your production and staging instances. Each instance requires its own configuration (in Schoolbox and at the IdP) if you wish to set up or test this method of logging in.

Identity Provider

Important Steps

  • Ensure ADFS is configured and HTTPS (TLS) is enabled
  • Ensure ADFS is available both internally and externally on the exact same URL
  • Choose either to use the Identity Provider Metadata URL (if available) OR to export the Token Signing Certificate manually. The metadata URL is preferable where ADFS automatic certificate rollover is in use, because Schoolbox can then pick up a new token-signing certificate without a manual re-export.

Token Signing Certificate Export Steps (ADFS Example):

1. In the AD FS Management console, browse to Service > Certificates and select the Token-Signing certificate (the primary one, if two are listed).

2. Right-click the certificate and select 'View Certificate'.

3. Select the Details tab.

4. Click Copy to File -> the Certificate Export Wizard launches.

5. Select 'Next'.

6. Ensure "No, do not export the private key" is selected, and then click 'Next'. Schoolbox only needs the public certificate to verify signatures; the private key must stay on the ADFS servers.

7. Select "DER encoded binary X.509 (.cer)", and then click 'Next'.

8. Select where you want to save the file and give it a name. Click 'Next'.

9. Select 'Finish'.

NOTE: Schoolbox requires that this certificate be in PEM format (Base64 text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines). Convert it with a local tool such as OpenSSL or PowerShell; online converters such as SSL Shopper also work, since the token-signing certificate contains no secret, but prefer local tools.

10. Convert the DER/binary certificate you just exported to standard PEM format.
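
The following is an added example, not Schoolbox's or Microsoft's own script, that does the export and the PEM conversion in one step on the ADFS server, so nothing has to be uploaded to a third-party converter. It assumes ADFS 2012 R2 or later (the ADFS module; on ADFS 2.0 run Add-PSSnapin Microsoft.Adfs.PowerShell first) and an output path of C:\temp\adfs-token-signing.pem, both of which are assumptions for illustration.

```powershell
# Added example (not Schoolbox's or Microsoft's code): export the current AD FS
# token-signing certificate as PEM for the "Single Sign-On IDP certificate" field.
# Run in an elevated PowerShell on the AD FS server. $OutFile is an assumed path.

function ConvertTo-PemCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    # Export() with ContentType Cert yields DER bytes of the public certificate only (no key).
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)
    # PEM is the Base64 body wrapped at 64 characters between BEGIN/END markers.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----"
}

# Option A: read the certificate straight from AD FS. IsPrimary marks the one
# currently used to sign tokens; during a rollover both old and new are listed.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert = $signing.Certificate

# Option B: convert a DER .cer exported with the wizard instead (assumed path).
# $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
#             [IO.File]::ReadAllBytes('C:\temp\adfs-token-signing.cer'))

"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Valid:      $($cert.NotBefore.ToString('u')) to $($cert.NotAfter.ToString('u'))"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires within 30 days; plan the update in Schoolbox."
}

$OutFile = 'C:\temp\adfs-token-signing.pem'
ConvertTo-PemCertificate -Certificate $cert | Set-Content -Path $OutFile -Encoding ascii
"PEM written to $OutFile; paste its contents into 'Single Sign-On IDP certificate'."
```

Compare the thumbprint printed here with the one shown in the AD FS console before pasting. If ADFS automatic certificate rollover is enabled, the primary token-signing certificate is replaced on a schedule (one year by default), and a pasted PEM will stop working at that point; the metadata URL option in the next section avoids that.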

Schoolbox (SAML)

Important Steps

  • Ensure Schoolbox is available both internally and externally on the exact same URL
  • Configure the SAML Identity Provider information as below.

1. Navigate to Admin > Settings > SAML

2. Set the "Single Sign-On URL" for your identity provider. For example: https://samlserver.school.edu/adfs/ls

3. Set the "Single Sign-On Identity Provider Metadata URL". This allows Schoolbox to automatically determine the token signing certificates and capabilities of your identity provider. For example: https://samlserver.school.edu/FederationMetadata/2007-06/FederationMetadata.xml

Alternatively, paste the contents of the PEM-format token signing certificate you exported earlier into "Single Sign-On IDP certificate".

4. Select 'Save'.

Checking the Identity Provider Metadata:

1. Add the URL into "Single Sign-On Identity Provider Metadata URL" as above.

2. Navigate to: https://schoolbox.school.edu/saml/checkidpmetadata.php

3. This should output the list of signing certificates found in the metadata and their validity dates. Confirm they correspond to the certificate(s) shown in the ADFS console and that none is expired or about to expire. If nothing is listed, Schoolbox could not fetch or parse the metadata (see the TLS notes under ADFS below).
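
As an added example (not Schoolbox's checkidpmetadata.php and not ADFS code), the script below does the same check from an administrator's workstation: it fetches the IdP metadata, picks out the signing certificates of the IdP role, and reports their validity. It works against a URL or a saved FederationMetadata.xml; the host name is the page's placeholder, and the 30-day warning threshold is an assumption.

```powershell
# Added example (not Schoolbox's own code): list the IdP signing certificates in
# SAML metadata with their validity, to see what Schoolbox will trust.
$Source = 'https://samlserver.school.edu/FederationMetadata/2007-06/FederationMetadata.xml'

function Get-IdpSigningCertificate {
    param([Parameter(Mandatory)][string] $Source)

    if ($Source -match '^https?://') {
        # Force TLS 1.2: older .NET defaults (TLS 1.0/1.1) are refused by many endpoints.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $text = (Invoke-WebRequest -Uri $Source -UseBasicParsing).Content
    } else {
        $text = Get-Content -Path $Source -Raw
    }
    # Strip a leading byte-order mark, which would make the XML parser reject the document.
    $xml = [xml]($text -replace '^\uFEFF', '')

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only the IdP role's signing keys validate assertions. A KeyDescriptor with
    # no "use" attribute may be used for both signing and encryption, so keep it.
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]' +
             '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    $entityId = $xml.DocumentElement.GetAttribute('entityID')
    $now = Get-Date

    foreach ($node in $xml.SelectNodes($xpath, $ns)) {
        $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        if     ($now -lt $cert.NotBefore)             { $status = 'NOT YET VALID' }
        elseif ($now -gt $cert.NotAfter)              { $status = 'EXPIRED' }
        elseif ($cert.NotAfter -lt $now.AddDays(30))  { $status = 'EXPIRES SOON' }  # assumed threshold
        else                                          { $status = 'OK' }
        [pscustomobject]@{
            EntityID   = $entityId
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

Get-IdpSigningCertificate -Source $Source | Format-Table -AutoSize
```

Two certificates with status OK is normal during an ADFS certificate rollover (the new one is published before it becomes primary). The EntityID column should match the "IDP Entity ID" Schoolbox expects; a mismatch there produces failures that look like certificate problems but are not.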

Single Logout (SLO)

1. Single logout requests from Schoolbox are signed with the Schoolbox key, so your identity provider (e.g. ADFS) must hold the current Schoolbox signing certificate. Check that the IdP has refreshed the Schoolbox relying-party metadata so that it accepts the Schoolbox signing keys.

2. Navigate to Admin > Settings > SAML

3. Enable Single Logout

4. If not using the "Single Sign-On Identity Provider Metadata URL" option, set the "Single Logout URL Endpoint"

    E.g.: https://samlserver.school.edu/adfs/ls/

5. Select 'Save'.

ADFS

1. Open the ADFS 2.0 (or 3.0) Management console and select Relying Party Trusts.
2. Select Add Relying Party Trust... from the Actions pane on the right -> the Add Relying Party Trust Wizard appears.
3. Click 'Start'.
4. Select "Import data about the relying party published online or on a local network".
5. Fill in the Federation metadata address, e.g. https://schoolbox.mydomain.edu.au/saml/metadata.php (ADFS must be able to reach this URL over TLS 1.2; see "Cannot connect to metadata URL" below).
6. Click 'Next'.
7. Give it a display name such as 'Schoolbox' and enter any notes you want.
8. Click 'Next'.
9. Permit all users to access this relying party.
10. Click 'Next'.
11. Click 'Next'.
12. Click 'Close' -> the Edit Claim Rules window appears.
13. Click 'Add Rule'.
14. Set 'Claim rule template' to 'Send LDAP Attributes as Claims'.
15. Click 'Next'.
16. Set a claim rule name, e.g. "ldap-claims".
17. Set attribute store to 'Active Directory'.
18. Add the following 2 attribute mappings:

  • SAM-Account-Name -> Name ID
  • SAM-Account-Name -> Windows account name

19. Click 'Finish'.

20. Click 'OK'.
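
The scripted equivalent of steps 1-20, as an added example rather than Schoolbox's or Microsoft's own script: it creates the trust from the Schoolbox metadata URL with the same two LDAP attribute mappings and the "permit all users" authorization rule, and then refreshes the trust from metadata, which is the check called for in the Single Logout section above. It assumes ADFS 2012 R2 or later (on ADFS 2.0 load the snap-in with Add-PSSnapin Microsoft.Adfs.PowerShell); the metadata URL is the page's example host and the trust name "Schoolbox" is an assumption.

```powershell
# Added example (not Schoolbox's or Microsoft's code): create the Schoolbox
# relying party trust from its SP metadata, then refresh it from that metadata.
$MetadataUrl = 'https://schoolbox.mydomain.edu.au/saml/metadata.php'   # assumed host
$TrustName   = 'Schoolbox'                                              # assumed name

# AD FS claim-rule language. Rule 1 is "Send LDAP Attributes as Claims" with
# sAMAccountName -> Name ID and sAMAccountName -> Windows account name
# (the two mappings from step 18). Rule 2 is "Permit all users" (step 9).
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ldap-claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";sAMAccountName,sAMAccountName;{0}", param = c.Value);
'@

$AuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    # MonitoringEnabled/AutoUpdateEnabled keep AD FS following the Schoolbox
    # metadata, so a new Schoolbox signing certificate is picked up automatically.
    # NotBeforeSkew 2 is the allowance described under "Timing Issues" below.
    Add-AdfsRelyingPartyTrust -Name $TrustName `
        -MetadataUrl $MetadataUrl `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true `
        -IssuanceTransformRules $TransformRules `
        -IssuanceAuthorizationRules $AuthorizationRules `
        -NotBeforeSkew 2 `
        -Notes 'Schoolbox SAML service provider (created by script)'
}

# Refresh the trust from the metadata URL now (do this again whenever Schoolbox's
# signing key changes; Single Logout depends on AD FS holding the current one).
Update-AdfsRelyingPartyTrust -TargetName $TrustName

# Verify what AD FS now holds for Schoolbox: its signing certificate and SAML endpoints.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp.RequestSigningCertificate | Select-Object Subject, NotAfter, Thumbprint
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```

The SamlEndpoints listing should show the Schoolbox assertion consumer endpoint and, once Single Logout is enabled in Schoolbox and the metadata refreshed, a logout endpoint as well; if the logout endpoint is missing, run the Update-AdfsRelyingPartyTrust line again after saving the Schoolbox settings.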

Web Form based Authentication with ADFS 3.0

By default, ADFS 3.0 disables forms-based authentication for intranet users. This can cause Schoolbox errors mentioning "Multiple Assertions are not supported".

It can be enabled in ADFS 3.0 by following the instructions below, mostly sourced from https://blogs.msdn.microsoft.com/josrod/2014/10/15/enabled-forms-based-authentication-in-adfs-3-0/.

  1. Open the ADFS 3.0 Management console (snap-in)
  2. Click Authentication Policies from the left hand tree navigation
  3. In the Authentication Policies section on the right panel, choose Edit Global Primary Authentication
  4. Under the Intranet section, check the Forms Authentication option.
  5. Click OK to save the changes

Chrome with ADFS 3.0 and Windows Authentication

To support Chrome with Kerberos/WIA (automatic sign-on from a domain-joined machine) you will need to add a Chrome user agent to ADFS 3.0's list of supported user agents for WIA (if you have not already done this).

You can check your current list of user agents in PowerShell with:


Get-AdfsProperties | select -ExpandProperty WIASupportedUserAgents


Defaults in ADFS 3.0:

  • MSAuthHost/1.0/In-Domain
  • MSIE 6.0
  • MSIE 7.0 
  • MSIE 8.0
  • MSIE 9.0
  • MSIE 10.0
  • Trident/7.0
  • MSIPC
  • Windows Rights Management Client

To add WIA support for Chrome, Safari and Firefox you can add the agent "Mozilla/5.0". Be aware that ADFS matches these entries as substrings of the client's User-Agent header, and practically every modern browser (including phones and non-domain devices) sends one beginning with "Mozilla/5.0", so this entry makes ADFS challenge all of them with WIA; a client that cannot complete Kerberos/NTLM then gets a credential prompt instead of the web form. A narrower entry such as "Mozilla/5.0 (Windows NT" limits WIA to Windows desktop browsers.

You can set the list like below (which adds "Mozilla/5.0" to the list):


Set-ADFSProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")


You will also need to disable ExtendedProtectionToken checking to make Chrome work with WIA. Extended Protection for Authentication binds the WIA exchange to the TLS channel (channel binding), and the setting is farm-wide, so disabling it relaxes that protection for every relying party on the ADFS farm, not just Schoolbox. Here is the PowerShell command to disable it:


Set-ADFSProperties -ExtendedProtectionTokenCheck None
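
The following is an added example, not Schoolbox's or Microsoft's script, showing a safer way to apply the user-agent change than retyping the whole list: it appends only the entries that are missing, uses the narrower Windows-desktop pattern instead of the blanket "Mozilla/5.0", and prints the resulting state including the extended-protection setting. The substring-match behaviour and the "Mozilla/5.0 (Windows NT" prefix (sent by Chrome, Firefox and Edge on Windows) are assumptions to verify on your ADFS version.

```powershell
# Added example (not Schoolbox's or Microsoft's code): append WIA user agents
# idempotently, without overwriting entries already present on this farm.
# Assumption: AD FS treats each entry as a substring of the User-Agent header.
$NewAgents = @('Mozilla/5.0 (Windows NT')   # Windows desktop browsers only; swap for 'Mozilla/5.0' to match all

$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
$missing = @($NewAgents | Where-Object { $current -notcontains $_ })

if ($missing.Count -gt 0) {
    $merged = $current + $missing
    Set-AdfsProperties -WIASupportedUserAgents $merged
    # The service reads the list at start-up, so restart it for the change to apply.
    Restart-Service adfssrv
    "Added: $($missing -join ', ')"
} else {
    "No change: all requested agents already present."
}

# Show the resulting state. ExtendedProtectionTokenCheck reports Require, Allow
# or None; the page's command above sets None, which is farm-wide.
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
Get-AdfsProperties | Select-Object ExtendedProtectionTokenCheck
```

Run this on one server of the farm; the properties are stored in the ADFS configuration database, but each node's service still needs restarting to load them.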


Timing Issues

If NTP is already set up for time sync and you are still getting timing errors with SAML (assertions rejected because their validity window has not yet started), we suggest allowing a small amount of extra clock skew on the Schoolbox relying party trust in ADFS.

This can be set in ADFS using the following commands (the Add-PSSnapin line is only needed on ADFS 2.0; on ADFS 2012 R2 and later the ADFS module loads automatically):


Add-PSSnapin microsoft.adfs.powershell

Set-ADFSRelyingPartyTrust -TargetName "MyRelyingParty" -NotBeforeSkew 2



"MyRelyingParty" is the display name of the relying party trust for your production or staging Schoolbox in ADFS.
"2" is the number of minutes of skew you wish to allow. Keep it as small as works: the skew widens the window in which an assertion is accepted, so it is a workaround for residual clock drift, not a substitute for correct time synchronisation.

Cannot connect to metadata URL (Relying party trust)

Since the upgrade to Ubuntu 18.04, Schoolbox has deprecated (disabled) TLS 1.1 and older. An ADFS server that has TLS 1.2 disabled as a client protocol will not be able to connect to the Schoolbox server to fetch the metadata when setting up the trust. To enable TLS 1.2 on your ADFS server, review the guides available from Microsoft; note that it is the client-side setting that matters here, because ADFS is the TLS client in this exchange.

Federation metadata address test failure

The test ADFS performs on the federation metadata address is carried out by .NET. Earlier versions of .NET are not compatible with newer versions of TLS. Ensure .NET on your server is updated to the current available version as per the guides from Microsoft.

Kerberos/WIA with SAML

Some identity providers, including ADFS, can perform Kerberos/Windows Integrated Authentication (WIA) at the IdP. There are two ways to enable this:

  1. Control from the IdP (ADFS etc.) which clients should use Kerberos/WIA
  2. Control from Schoolbox which clients should use Kerberos/WIA

To let the IdP control the authentication type (Option 1), Schoolbox must request web-form authentication or stronger, rather than exactly one method. Change Administration -> System Settings -> SAML -> Single Sign-On Authentication Type Comparison (/adminv2/setting/SAML#saml_auth_comparison) from 'exact' to 'minimum', and set the Requested Auth Context to "Unspecified".

For Option 2, Schoolbox sends the instruction with its request, so that once the client reaches the IdP it is told to authenticate with Kerberos/WIA instead of a web form.

Because many devices do not support Kerberos, and the Kerberos fallback is a basic authentication popup, you need to restrict the set of clients that are sent down the Kerberos path.

Do this by adding individual IP addresses (e.g. 192.168.1.115) or CIDR ranges (e.g. 192.168.1.0/24), comma separated, to the 'Single Sign-On Kerberos Whitelist' option under Admin -> Settings -> Security. Clients at the listed addresses are forced to use Kerberos as the authentication method, so list only the networks where domain-joined machines live.

As not all devices on the whitelisted networks will have Kerberos support, Kerberos use is limited by default to the following platforms and browsers:

  • Internet Explorer / Edge on desktops, laptops and tablets

Google Chrome also supports Kerberos authentication out of the box. If your IdP also supports Chrome for Kerberos/WIA (see "Chrome with ADFS 3.0 and Windows Authentication" above), this can be enabled from Schoolbox under Admin -> Settings -> Security:

  • Single Sign-On Kerberos Chrome

Both Safari and Firefox (desktop/laptop only) can support Kerberos if configured correctly. If they are known to be configured correctly on your network, you can optionally enable them using the following options, also under Admin -> Settings -> Security:

  • Single Sign-On Kerberos Firefox
  • Single Sign-On Kerberos Safari

All mobile devices are always sent to the IdP's web form for authentication.

Bypass SAML in Schoolbox

WebDav with SAML enabled

To allow WebDAV access to the Schoolbox filesystem to keep working with SAML enabled, navigate to Admin > Settings > Resources and change 'WebDAV authentication type' from 'digest' to 'basic'. Basic authentication sends the username and password (Base64-encoded, not encrypted) with every request, so only do this where Schoolbox is served over HTTPS and WebDAV clients cannot fall back to plain HTTP.

Google SAML

As of Schoolbox v16.5.20 onwards, you can use Google SAML as your identity provider.

Set up in Google:

1. Follow the "Set up your own SAML app" instructions here: https://support.google.com/a/answer/6087519?hl=en

2. Download the certificate when given the option, and copy the SSO URL and Entity ID values Google shows.

3. Upload your Schoolbox logo and set the "Application Name" to the name of your Schoolbox, e.g. Evi, iLearn, Schoolbox.

4. Set the Schoolbox service provider details (ACS URL and Entity ID) in Google.

5. Ignore any additional attribute mappings.

6. Review the end result in Google before continuing.

7. In Schoolbox, under Admin > Settings > Security, set the "Single Sign On URL" to the "SSO URL" provided by Google.

8. Set "Single Sign-On IDP certificate" to the contents of the certificate you downloaded in step 2.

9. Set "IDP Entity ID" to the Google IdP Entity ID from step 2.

10. Turn on "Enable Single Sign-On".

11. Click "Save".

12. Single sign-on with Google SAML is now enabled.

Azure SAML

1. Sign in to the Azure portal: https://portal.azure.com#home

2. Open the portal menu.

3. Navigate to Azure Active Directory.

4. Click Enterprise applications.

5. Click New application.

6. Click Create your own application.

7. Name your application, choose "Integrate any other application you don't find in the gallery", and click Create.

8. Once the application has been created you will land on its overview screen.

9. Click Single sign-on.

10. Click SAML.

11. Edit Basic SAML configuration: set both the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL) to the following, substituting your school's Schoolbox domain: https://yourschool.org/saml/consume.php

12. Generate a SAML signing certificate.

13. Copy the App Federation Metadata Url.

14. Paste it into Schoolbox (Administration -> Settings -> SAML) as the "Single Sign-On Identity Provider Metadata URL".

15. Click Save in Schoolbox.

NOTE: You will still need to assign the appropriate users and groups to the application before they can authenticate. This is done under Users and groups in the Azure application; users not assigned will be refused by Azure even though the SAML configuration is complete.

16. Log in to Schoolbox as a Superuser.

17. Go to Administration > Settings > SAML.

18. You will need either the App Federation Metadata Url (step 13) or, if entering the values manually, the following from the Azure SAML page: the Login (SSO) URL, the signing certificate (Base64) and the Azure AD Identifier (Entity ID).

If you wish your staff to log in to Schoolbox directly by clicking a link in SharePoint, follow these steps.

Pre-requisites:

  • You need a functioning SharePoint and a SharePoint site (page). You can use Mosaic Live Tiles for a layout with buttons.
  • You need to have successfully set up Azure SAML (https://help.schoolbox.com.au/homepage/494#component408237) before adding a link in SharePoint.

On your dedicated page (it can be a staff homepage) in SharePoint, add a hyperlink to your Schoolbox instance. The steps can be found here: https://support.microsoft.com/en-us/office/add-accessible-content-and-links-to-a-sharepoint-online-site-dc34fac7-32d7-4dcf-b694-2cc6115ac8b9#__toc378173833. The URL you enter in SharePoint should look something like https://ABCD.schoolbox/saml/index.php?page=%2Flogin%2F.

In the Insert Hyperlink window, fill in the required fields:

  • Text to display: the name of your Schoolbox instance, e.g. Schoolbox, Connex, The Hub
  • Address: Option 1 - If the "SSO only" toggle is off, this should be the SSO URL shown on your login page once Azure SAML is configured. Hover over "Login using Single Sign-On", right-click and select "Copy link address", then paste the URL into the Address field. Option 2 - If the "SSO only" toggle is on, you only need to enter the URL of your Schoolbox instance homepage.