Single Sign-On (SSO) - Setup Guide
This article provides the required setup steps and metadata to set up SSO for SpacesEDU Pro
Written by Alasdair McMillan
Updated over a week ago

SpacesEDU supports Single Sign-On (SSO) integration so that users can log in with their existing Account Management System credentials.

Account Management System refers to the user authentication and authorization system that allows users to access school computers. Examples of an Account Management System are Microsoft Active Directory (AD) and Azure Active Directory (AAD).

Direct Integration

As an internet-based application, SpacesEDU acts as the SP (Service Provider) in the context of SSO. It facilitates SSO by delegating user login to the Account Management System’s IdP (Identity Provider). The following are required for successful integration:

  • The IdP must be publicly accessible on the Internet

  • The IdP must authenticate the user with the Account Management System

  • The IdP must support SAML 2.0 or WS-Federation

  • A trust must be set up between the IdP and the SP through an exchange of either metadata or secret keys/configurations

  • The IdP must be configured to provide the claims outlined in Parameter Specifications

Parameter Specifications

| Parameter | Required | Info | ClaimType |
|---|---|---|---|
| User ID | Required | Unique ID. Can be any unique string | |
| Email | Required | District Email Address | |
| First Name | Optional | | |
| Last Name | Optional | | |
| Student ID | Optional | State/Provincial or SIS Student Number | |
| User Type | Optional (Required for staff account provisioning) | Teacher OR Secondary Teacher; ‘Guidance Counsellor’ OR ‘Guidance Counselor’; ‘Counsellor’ OR ‘Counselor’; Admin; Principal; Vice Principal; Assistant Principal | |
| School ID | Optional (Required for staff account provisioning) | Unique School ID | |
| Grade | Optional (Recommended) | 0, 1, 2, etc. | |
| Salutation | Optional for Staff | Mr, Mrs, Miss, Ms, M, Mme, Mlle | |

  • If your data does not conform to the exact format specified, speak to your SpacesEDU IT contact.
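
A pre-flight check for the claims above, as an added example that is not SpacesEDU's own code: it reads the attributes from a test SAML 2.0 assertion issued by your IdP and reports anything that does not fit the Parameter Specifications table. The claim names are placeholders (the ClaimType values are not reproduced here), the function names are hypothetical, and exact, case-sensitive matching of User Type and Salutation is an assumption.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# PLACEHOLDER claim names (constructed); replace with the ClaimType values SpacesEDU gives you.
CLAIMS = {key: "urn:example:claims:" + key for key in (
    "user_id", "email", "first_name", "last_name", "student_id",
    "user_type", "school_id", "grade", "salutation")}
USER_TYPES = {"Teacher", "Secondary Teacher", "Guidance Counsellor", "Guidance Counselor",
              "Counsellor", "Counselor", "Admin", "Principal", "Vice Principal",
              "Assistant Principal"}
SALUTATIONS = {"Mr", "Mrs", "Miss", "Ms", "M", "Mme", "Mlle"}

def read_claims(assertion_xml):
    """Map each Attribute Name to its first non-empty AttributeValue."""
    claims = {}
    for attr in ET.fromstring(assertion_xml).iter(SAML + "Attribute"):
        value = attr.find(SAML + "AttributeValue")
        if value is not None and value.text and value.text.strip():
            claims[attr.get("Name")] = value.text.strip()
    return claims

def check_claims(assertion_xml):
    """Return a list of problems; an empty list means the claims fit the table.
    Checks attribute content only, not the signature or conditions."""
    got = read_claims(assertion_xml)
    val = {key: got.get(name) for key, name in CLAIMS.items()}
    problems = [f"missing required claim: {k}" for k in ("user_id", "email") if not val[k]]
    if val["user_type"] and val["user_type"] not in USER_TYPES:
        problems.append(f"user_type {val['user_type']!r} is not a listed value")
    if val["user_type"] and not val["school_id"]:
        problems.append("user_type sent without school_id (both needed for staff provisioning)")
    if val["grade"] and not val["grade"].isdigit():
        problems.append(f"grade {val['grade']!r} is not a number")
    if val["salutation"] and val["salutation"] not in SALUTATIONS:
        problems.append(f"salutation {val['salutation']!r} is not a listed value")
    return problems

def build_sample(**values):
    """Build a constructed, unsigned test assertion carrying the given claims."""
    root = ET.Element(SAML + "Assertion")
    stmt = ET.SubElement(root, SAML + "AttributeStatement")
    for key, text in values.items():
        attr = ET.SubElement(stmt, SAML + "Attribute", Name=CLAIMS[key])
        ET.SubElement(attr, SAML + "AttributeValue").text = text
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    bad = build_sample(user_id="u-1001", user_type="teacher", grade="K")
    print("\n".join(check_claims(bad)))
```

Run it against an assertion captured from the SSO testing account before sending your IdP metadata, so claim-mapping mistakes surface on your side first.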

Known Working IdPs

ADFS/SAML 2.0 Integration Steps

SpacesEDU supports any IdP implementing SAML 2.0. To proceed with setting up SSO:

  1. Access myBlueprint’s security token service metadata to be used when setting up trust between your IdP and myBlueprint:

  2. Configure your IdP to send the required claims

  3. Send your myBlueprint IT contact your IdP Metadata

  4. Provide an SSO testing account (username/email and password)

We will review and complete testing to ensure the SSO works correctly. Depending on the parameters provided, and whether data has been imported using SIS Sync or CSV Setup, users may be required to enter additional information upon first login.

Azure AD Setup Guide

  1. Azure AD integration will require Azure AD Premium to support adding an unlisted application.

  2. Access your Azure Active Directory

  3. Click Add then select Enterprise application

  4. Click Create your own application

  5. Name it SpacesEDU and click Create

  6. Click Single Sign-on in the left-hand navigation menu

  7. Click SAML

  8. Click Upload metadata file and upload the file from the link below

    1. Canadian School Districts: https://auth.ca.spacesedu.com/saml2

  9. Click on the pencil icon to edit 'Step 2', User Attributes & Claims, and then configure your claims (refer to Parameter Specifications)

  10. Copy the App Federation Metadata URL and send it to your Spaces contact

  11. Enable access to the application to all of your staff and student roles in Azure

    1. We recommend allowing access to all users ('Everyone') within your organization - school-specific levels of access will be controlled directly within the SpacesEDU application.

    2. For more information about assigning users to applications, see this Microsoft support article.

    3. Users not assigned to an application will receive this error message: "Error AADSTS50105 - The signed in user is not assigned to a role for the application".

    4. To resolve the error noted above, simply ensure they are assigned to a role with access to the SpacesEDU SAML app. Note that nested groups cannot be used for this purpose - groups must be directly assigned to the application.

Google Workspace Setup Guide

  1. Navigate to your GSuite Admin page

  2. Click Add App and then Add custom SAML app.

  3. Enter Spaces as the name of custom app and click Continue

  4. Download the IdP Metadata file, and send this to your SpacesEDU implementation contact

  • Configure your claims. Please use the full URL format for the attribute name, as detailed in the Parameter Specifications section
