Single Sign-On (SSO) - Setup Guide
SpacesEDU supports Single Sign-On (SSO) integration, giving users a seamless login experience with their existing Account Management System credentials.
Account Management System refers to the user authentication and authorization system that allows users to access school computers. An example of an Account Management System is Microsoft Active Directory (AD) or Azure Active Directory (AAD).
SSO Integration Overview
As an internet-based application, SpacesEDU acts as the SP (Service Provider) in the context of SSO. It facilitates SSO by delegating user login to the Account Management System’s IdP (Identity Provider). The following are required for successful integration:
- The IdP must be publicly accessible on the Internet
- The IdP must authenticate the user with the Account Management System
- The IdP must support SAML 2.0 or WS-Federation
- A trust must be set up between the IdP and the SP through either an exchange of metadata or secret keys/configurations
- The IdP must be configured to provide the claims outlined in Parameter Specifications
Parameter Specifications
| Parameter | Required | Info | ClaimType |
|---|---|---|---|
| User ID | Required | Unique ID. Can be any unique string | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
| Email | Required | District Email Address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| First Name | Optional | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
| Last Name | Optional | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
| Student ID | Optional | State/Provincial or SIS Student Number | |
| User Type | Optional (Required for staff account provisioning) | Teacher OR Secondary Teacher; 'Guidance Counsellor' OR 'Guidance Counselor'; 'Counsellor' OR 'Counselor'; Admin; Principal; Vice Principal; Assistant Principal | |
| School ID | Optional (Required for staff account provisioning) | Unique School ID | |
| Grade | Optional (Recommended) | 0, 1, 2, etc. | |
| Salutation | Optional for Staff | Mr, Mrs, Miss, Ms, M, Mme, Mlle | |
- If your data does not conform to the exact format specified, speak to your SpacesEDU IT contact.
Known Working IdPs
- ADFS (Active Directory Federation Services) as IdP, authenticating with AD (Active Directory)
- Azure Active Directory as IdP, through SAML 2.0
- Google Workspace
ADFS/SAML 2.0 Integration Steps
SpacesEDU supports any IdP implementing SAML 2.0. To proceed with setting up SSO:
- Access myBlueprint’s security token service metadata to be used when setting up trust between your IdP and myBlueprint:
a. Canadian/International Schools: https://account.ca.myblueprint.org/saml2
b. US Schools: https://account.app.myblueprint.org/saml2
- Configure your IdP to send the required claims
- Send your myBlueprint IT contact your IdP Metadata
- Provide an SSO testing account (username/email and password)
We will review and complete testing to ensure the SSO works correctly. Depending on the parameters provided, and whether data has been imported using SIS Sync or CSV Setup, users may be required to enter additional information upon first login.
Azure AD Setup Guide
- Azure AD integration will require Azure AD Premium to support adding an unlisted application.
- Access your Azure Active Directory
- Click Add then select Enterprise application
- Click Create your own application
- Name it SpacesEDU and click Create
- Click Single Sign-on in the left-hand navigation menu
- Click SAML
- Click Upload metadata file and upload the file from the link below
a. Canadian/International School Districts: https://account.ca.myblueprint.org/saml2
b. US School Districts: https://account.app.myblueprint.org/saml2
- Click on the pencil icon to edit 'Step 2', User Attributes & Claims, and then configure your claims (refer to Parameter Specifications)
- Copy the App Federation Metadata URL and send it to your Spaces contact
- Enable access to the application to all of your staff and student roles in Azure
a. We recommend allowing access to all users ('Everyone') within your organization - school-specific levels of access will be controlled directly within the SpacesEDU application.
b. For more information about assigning users to applications, see this Microsoft support article.
c. Users not assigned to an application will receive this error message: "Error AADSTS50105 - The signed in user is not assigned to a role for the application".
d. To resolve the error noted above, simply ensure they are assigned to a role with access to the SpacesEDU SAML app. Note that nested groups cannot be used for this purpose - groups must be directly assigned to the application.
Google Workspace Setup Guide
- Navigate to your Google Workspace Admin page
- Go to Apps > Web and Mobile Apps
- Click Add App and then Add custom SAML app.
- Enter SpacesEDU as the name of your app and click Continue
- Download the IdP Metadata file, and send this to your SpacesEDU implementation contact

- Click Continue, then set up the Service Provider details as follows.
- Canadian/International Schools:
ACS URL: https://account.ca.myblueprint.org/saml2/Acs
Entity ID: https://account.ca.myblueprint.org
- US Schools:
ACS URL: https://account.app.myblueprint.org/saml2/Acs
Entity ID: https://account.app.myblueprint.org
- The Name ID can be any value, as long as it is unique for all users. Unless you wish to use a different value for your name ID, you can leave it set as the default (primary email, format 'undefined').
- Click Continue, then configure your claims on the Attribute Mapping page.
- The main required claims to select under 'Google Directory Attributes' are: primary email, first name, and last name
- For the App attributes, enter the full URL-format ClaimType for the corresponding parameter as detailed in the Parameter Specifications section (for example, Primary Email > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
- The application is OFF for everyone by default - enable it for all users by clicking User access, selecting ON for Everyone and clicking SAVE
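A pre-flight check for the claim mapping in Parameter Specifications and the Service Provider details above, as an added example that is not SpacesEDU's or myBlueprint's own code. It inspects the Assertion element of a decoded SAMLResponse captured from the SSO testing account; the sample assertion is constructed, and the check covers configuration only, not signature or time-window validation.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# ClaimTypes the Parameter Specifications table gives a URL for
LISTED = {CLAIMS + n for n in ("nameidentifier", "emailaddress", "givenname", "surname")}
# SP values for Canadian/International schools, taken from this guide
ENTITY_ID = "https://account.ca.myblueprint.org"
ACS_URL = "https://account.ca.myblueprint.org/saml2/Acs"

# Constructed sample assertion (not real IdP output; signature omitted)
SAMPLE = f"""<s:Assertion xmlns:s="{NS['s']}">
 <s:Subject><s:NameID>u-10234</s:NameID>
  <s:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <s:SubjectConfirmationData Recipient="{ACS_URL}"/>
  </s:SubjectConfirmation></s:Subject>
 <s:Conditions><s:AudienceRestriction>
  <s:Audience>{ENTITY_ID}</s:Audience>
 </s:AudienceRestriction></s:Conditions>
 <s:AttributeStatement>
  <s:Attribute Name="{CLAIMS}emailaddress">
   <s:AttributeValue>student@district.example</s:AttributeValue></s:Attribute>
  <s:Attribute Name="firstName">
   <s:AttributeValue>Sam</s:AttributeValue></s:Attribute>
 </s:AttributeStatement>
</s:Assertion>"""


def check_assertion(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """Return a list of configuration findings; an empty list means none."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("s:AttributeValue", NS)]
             for a in root.iterfind(".//s:Attribute", NS)}
    has = lambda claim: any(v.strip() for v in attrs.get(CLAIMS + claim, []))
    findings = []
    name_id = root.findtext(".//s:Subject/s:NameID", default="", namespaces=NS)
    if not name_id.strip() and not has("nameidentifier"):
        findings.append("missing User ID (NameID or nameidentifier claim)")
    if not has("emailaddress"):
        findings.append("missing required claim emailaddress")
    for name in attrs:
        # Only four parameters have a ClaimType URL on this page; report the rest
        if name not in LISTED:
            findings.append(f"review: {name!r} is not a ClaimType listed in the table")
    if entity_id not in [a.text for a in root.iterfind(".//s:Audience", NS)]:
        findings.append("Audience does not match the SP Entity ID")
    if acs_url not in [r.get("Recipient") for r in root.iterfind(".//s:SubjectConfirmationData", NS)]:
        findings.append("Recipient does not match the ACS URL")
    return findings
```

For US schools, pass the `https://account.app.myblueprint.org` Entity ID and ACS URL as the second and third arguments.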
Updated on: 22/08/2025
