SpacesEDU supports Single Sign On (SSO) integration to provide users a seamless login experience with existing Account Management System credentials.

Account Management System refers to the user authentication and authorization system that allows users to access school computers. Examples of an Account Management System include Microsoft Active Directory (AD) and Azure Active Directory (AAD).

Direct Integration

As an Internet-based application, SpacesEDU acts as the SP (Service Provider) in the context of SSO. It facilitates SSO by delegating user login to the Account Management System’s IdP (Identity Provider). The following are required for successful integration:

  • The IdP must be publicly accessible on the Internet

  • The IdP must authenticate the user with the Account Management System

  • The IdP must support SAML 2.0, or WS-Federation

  • A trust must be set up between the IdP and the SP through either an exchange of metadata or secret keys/configurations

  • The IdP must be configured to provide the claims outlined in Parameter Specifications

Parameter Specifications

| Parameter | Required | Info | ClaimType |
|---|---|---|---|
| User ID | Required | Unique ID. Can be any unique string | http://schemas.xmlsoap.org/ws/2005//05/identity/claims/nameidentifier |
| Email | Required | District Email Address | http://schemas.xmlsoap.org/ws/2005//05/identity/claims/emailaddress |
| First Name | Optional | | http://schemas.xmlsoap.org/ws/2005//05/identity/claims/givenname |
| Last Name | Optional | | http://schemas.xmlsoap.org/ws/2005//05/identity/claims/surname |
| Student ID | Optional | State/Provincial or SIS Student Number | http://myblueprint.org/claims/studentid |
| User Type | Optional (Required for staff account provisioning) | Secondary Teacher; ‘Guidance Counsellor’ OR ‘Guidance Counselor’; ‘Counsellor’ OR ‘Counselor’; Admin; Principal; Vice Principal; Assistant Principal | http://myblueprint.org/claims/usertype |
| School ID | Optional (Required for staff account provisioning) | Unique School ID | http://myblueprint.org/claims/schoolid |
| Grade | Optional (Recommended) | 0, 1, 2, etc. | http://myblueprint.org/claims/grade |
| Salutation | Optional for Staff | Mr, Mrs, Miss, Ms, M, Mme, Mlle | http://myblueprint.org/claims/salutation |

  • If your data does not conform to the exact format specified, speak to your SpacesEDU IT contact.
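A pre-flight check for the Parameter Specifications above, as an added example (not SpacesEDU's or myBlueprint's code): it reads a test SAML 2.0 assertion issued by your own IdP and reports required claims that are missing and User Type values that are not in the list on this page. Assumptions: the claim URIs are copied exactly as printed here, the User ID may be carried in Subject/NameID, the sample assertion is constructed, and the check looks at claim content only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WS = "http://schemas.xmlsoap.org/ws/2005//05/identity/claims/"  # copied as printed on this page
MB = "http://myblueprint.org/claims/"
NAMEID, EMAIL = WS + "nameidentifier", WS + "emailaddress"
USERTYPE, SCHOOLID = MB + "usertype", MB + "schoolid"
# User Type values listed in Parameter Specifications.
STAFF_TYPES = {"Secondary Teacher", "Guidance Counsellor", "Guidance Counselor",
               "Counsellor", "Counselor", "Admin", "Principal",
               "Vice Principal", "Assistant Principal"}


def read_claims(assertion_xml):
    """Return {claim type: first value} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    # Assumption: the User ID may arrive as Subject/NameID instead of an Attribute.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        claims.setdefault(NAMEID, name_id.text.strip())
    return claims


def check_claims(assertion_xml, staff=False):
    """List the problems that would block login or staff provisioning."""
    claims = read_claims(assertion_xml)
    required = [NAMEID, EMAIL] + ([USERTYPE, SCHOOLID] if staff else [])
    problems = [f"missing or empty: {c}" for c in required if not claims.get(c)]
    user_type = claims.get(USERTYPE)
    if user_type and user_type not in STAFF_TYPES:
        problems.append(f"unlisted User Type value: {user_type!r}")
    return problems


# Constructed sample: a staff assertion with a misspelt User Type and no School ID.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>t-1001</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL}"><saml:AttributeValue>teacher@district.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{USERTYPE}"><saml:AttributeValue>Vice-Principal</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("\n".join(check_claims(SAMPLE, staff=True)))
```

The User Type comparison is an exact string match against the values listed on this page; whether SpacesEDU treats case or spacing differently is not stated here.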

Known Working IdPs

ADFS/SAML 2.0 Integration Steps

SpacesEDU supports any IdP implementing SAML 2.0. To proceed with setting up SSO:

  1. Access myBlueprint’s security token service metadata to be used when setting up trust between your IdP and myBlueprint:

    1. Canadian/International Schools: https://auth.ca.spacesedu.com/saml2

    2. US Schools: https://auth.app.spacesedu.com/saml2

  2. Configure your IdP to send the required claims

  3. Send your myBlueprint IT contact your IdP Metadata

  4. Provide an SSO testing account (username/email and password)

We will review and complete testing to ensure the SSO works correctly. Depending on the parameters provided, and whether data has been imported using SIS Sync or CSV Setup, users may be required to enter additional information upon first login.

Azure AD Setup Guide

  1. Azure AD integration will require Azure AD Premium to support adding an unlisted application.

  2. Access your Azure Active Directory

  3. Click Add then select Enterprise application

  4. Click Create your own application

  5. Name it Spaces and click Create

  6. Click Upload metadata file and upload the file from the link below

    1. Canadian School Districts: https://auth.ca.spacesedu.com/saml2

    2. US School Districts: https://auth.app.spacesedu.com/saml2

  7. Configure your claims (refer to Parameter Specifications)

  8. Copy the App Federation Metadata URL and send it to your Spaces contact

  9. Enable access to the Spaces Application for all of your staff and student roles in Azure

    1. We recommend allowing access to all users ('Everyone') within your organization - school-specific levels of access will be controlled directly within the SpacesEDU application.

    2. For more information about assigning users to applications, see this Microsoft support article.

    3. Users not assigned to an application will receive this error message: "Error AADSTS50105 - The signed in user is not assigned to a role for the application".

    4. To resolve the error noted above, simply ensure they are assigned to a role with access to the SpacesEDU SAML app. Note that nested groups cannot be used for this purpose - groups must be directly assigned to the application.

Google Workspace Setup Guide

Google Documentation

  1. Navigate to your GSuite Admin page

  2. Click Add App and then Add custom SAML app.

  3. Enter Spaces as the name of the custom app and click Continue

  4. Download the IdP Metadata file, and send this to your SpacesEDU implementation contact

  • Configure your claims. Please use the full URL format for the attribute name, as detailed in the Parameter Specifications section
