Skip to main content
All CollectionsSpacesEDU ProRostering and IT Setup
Single Sign-On (SSO) - Setup Guide
Single Sign-On (SSO) - Setup Guide

This article provides the required setup steps and metadata to set up SSO for SpacesEDU Pro

Alasdair McMillan avatar
Written by Alasdair McMillan
Updated over 2 months ago

SpacesEDU supports Single Sign On (SSO) integration to provide users a seamless login experience with existing Account Management System credentials.

Account Management System refers to the user authentication and authorization system that allows users to access school computers. An example of an Account Management System is Microsoft Active Directory (AD) or Azure Active Directory (AAD).

SSO Integration Overview

As an internet based application, SpacesEDU is to be considered a SP (Service Provider) in the context of SSO. It facilitates SSO by delegating user login to the Account Management System’s IdP (Identity Provider). The following are required for successful integration:

  • The IdP must be publicly accessible on the Internet

  • The IdP must authenticate the user with the Account Management System

  • The IdP must support SAML 2.0, or WS-Federation

  • A trust must be setup between IdP and SP through either exchange of metadata or secret keys/configurations

  • The IdP must be configured to provide the claims outlined in Parameter Specifications

Parameter Specifications

Parameter

Required

Info

ClaimType

User ID

Required

Unique ID. Can be any unique string

http://schemas.xmlsoap.org/ws/2005//05/identity/claims/nameidentifier

Email

Required

District Email Address

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

First Name

Optional

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name

Optional

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Student ID

Optional

State/Provincial or SIS Student Number

http://myblueprint.org/claims/studentid

User Type

Optional

(Required for staff account provisioning)

  • Teacher OR

    Secondary Teacher

  • ‘Guidance Counsellor’ OR ‘Guidance Counselor'

  • ‘Counsellor’ OR ‘Counselor’

  • Admin

  • Principal

  • Vice Principal

  • Assistant Principal

http://myblueprint.org/claims/usertype

School ID

Optional

(Required for staff account provisioning)

Unique School ID

http://myblueprint.org/claims/schoolid

Grade

Optional (Recommended)

0, 1, 2, etc.

http://myblueprint.org/claims/grade

Salutation

Optional for Staff

Mr, Mrs, Miss, Ms, M, Mme, Mlle

http://myblueprint.org/claims/salutation

  • If your data does not conform to the exact format specified, speak to your SpacesEDU IT contact.

Known Working IdPs

ADFS/SAML 2.0 Integration Steps

SpacesEDU supports any IdP implementing SAML 2.0. To proceed with setting up SSO:

  1. Access myBlueprint’s security token service metadata to be used when setting up trust between your IdP and myBlueprint:

  2. Configure your IdP to send the required claims

  3. Send your myBlueprint IT contact your IdP Metadata

  4. Provide an SSO testing account (username/email and password)

We will review and complete testing to ensure the SSO works correctly. Depending on the parameters provided, and whether data has been imported using SIS Sync or CSV Setup, users may be required to enter additional information upon first login.

Azure AD Setup Guide

  1. Azure AD integration will require Azure AD Premium to support adding an unlisted application.

  2. Access your Azure Active Directory

  3. Click Add then select Enterprise application

  4. Click Create your own application

  5. Name it SpacesEDU and click Create

  6. Click Single Sign-on in the left-hand navigation menu

  7. Click SAML

  8. Click Upload metadata file and upload the file from the link below

    1. Canadian/International School Districts: https://auth.ca.spacesedu.com/saml2

  9. Click on the pencil icon to edit 'Step 2', User Attributes & Claims, and then configure your claims (refer to Parameter Specifications)

  10. Copy the App Federation Metadata URL and send it to your Spaces contact

  11. Enable access to the application to all of your staff and student roles in Azure

    1. We recommend allowing access to all users ('Everyone') within your organization - school-specific levels of access will be controlled directly within the SpacesEDU application.

    2. For more information about assigning users to applications, see this Microsoft support article.

    3. Users not assigned to an application will receive this error message: "Error AADSTS50105 - The signed in user is not assigned to a role for the application".

    4. To resolve the error noted above, simply ensure they are assigned to a role with access to the SpacesEDU SAML app. Note that nested groups cannot be used for this purpose - groups must be directly assigned to the application.

Google Workspace Setup Guide

  1. Navigate to your Google Workspace Admin page

  2. Go to Apps > Web and Mobile Apps

  3. Click Add App and then Add custom SAML app.

  4. Enter SpacesEDU as the name of your app and click Continue

  5. Download the IdP Metadata file, and send this to your SpacesEDU implementation contact

6. Click Continue, then Set up the Service Provider details as follows.

  • Canadian/International Schools:

ACS URL: https://auth.ca.spacesedu.com/saml2/Acs
Entity ID: https://ca.spacesedu.com
  • US Schools:

ACS URL: https://auth.app.spacesedu.com/saml2/Acs
Entity ID: https://app.spacesedu.com

  • The Name ID can be any value, as long as it is unique for all users. Unless you wish to use a different value for your name ID, you can leave it set as the default (primary email, format 'undefined').

  • Click Continue, then configure your claims on the Attribute Mapping page.

  • The application is OFF for everyone by default - enable it for all users by clicking User access, selecting ON for Everyone and clicking SAVE

Did this answer your question?