SpacesEDU supports Single Sign On (SSO) integration to provide users a seamless login experience with existing Account Management System credentials.
Account Management System refers to the user authentication and authorization system that allows users to access school computers. An example of an Account Management System is Microsoft Active Directory (AD) or Azure Active Directory (AAD).
SSO Integration Overview
As an internet-based application, SpacesEDU acts as the SP (Service Provider) in the context of SSO. It facilitates SSO by delegating user login to the Account Management System’s IdP (Identity Provider). The following are required for successful integration:
The IdP must be publicly accessible on the Internet
The IdP must authenticate the user with the Account Management System
The IdP must support SAML 2.0 or WS-Federation
A trust must be set up between the IdP and the SP through an exchange of either metadata or secret keys/configurations
The IdP must be configured to provide the claims outlined in Parameter Specifications
Parameter Specifications
Parameter | Required | Info | ClaimType |
User ID | Required | Unique ID. Can be any unique string | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
Email | Required | District Email Address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
First Name | Optional | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
Last Name | Optional | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
Student ID | Optional | State/Provincial or SIS Student Number | http://myblueprint.org/claims/studentid |
User Type | Optional (Required for staff account provisioning) | | http://myblueprint.org/claims/usertype |
School ID | Optional (Required for staff account provisioning) | Unique School ID | http://myblueprint.org/claims/schoolid |
Grade | Optional (Recommended) | 0, 1, 2, etc. | http://myblueprint.org/claims/grade |
Salutation | Optional for Staff | Mr, Mrs, Miss, Ms, M, Mme, Mlle | http://myblueprint.org/claims/salutation |
If your data does not conform to the exact format specified, speak to your SpacesEDU IT contact.
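A pre-flight check for a test login, added here as an example (not SpacesEDU's or myBlueprint's code): it reads a decoded SAML assertion and lists claims that do not match the Parameter Specifications table. Treating the Subject NameID as the User ID claim, the `staff_provisioning` flag and the sample assertion are assumptions; the check covers claim content only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MB = "http://myblueprint.org/claims/"
KNOWN = {WS + n for n in ("nameidentifier", "emailaddress", "givenname", "surname")} | {
    MB + n for n in ("studentid", "usertype", "schoolid", "grade", "salutation")}
SALUTATIONS = {"Mr", "Mrs", "Miss", "Ms", "M", "Mme", "Mlle"}

# Constructed sample assertion (not captured from a real IdP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>u-1001</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>student@district.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://myblueprint.org/claims/grade">
      <saml:AttributeValue>Grade 7</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_claims(assertion_xml):
    """Map ClaimType -> first value; Subject/NameID counts as the User ID claim (assumption)."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        claims[attr.get("Name", "")] = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    if name_id:
        claims.setdefault(WS + "nameidentifier", name_id)
    return claims

def check_claims(assertion_xml, staff_provisioning=False):
    """Return a list of problems; an empty list means the claims match the table."""
    claims = read_claims(assertion_xml)
    required = [WS + "nameidentifier", WS + "emailaddress"]
    if staff_provisioning:  # User Type and School ID are required for staff provisioning
        required += [MB + "usertype", MB + "schoolid"]
    problems = ["missing required claim: " + c for c in required if not claims.get(c)]
    grade = claims.get(MB + "grade")
    if grade is not None and not grade.isdigit():
        problems.append("grade must be a number such as 0, 1, 2: %r" % grade)
    salutation = claims.get(MB + "salutation")
    if salutation is not None and salutation not in SALUTATIONS:
        problems.append("unexpected salutation: %r" % salutation)
    for name in sorted(set(claims) - KNOWN):  # usually a mistyped ClaimType URL
        problems.append("unknown ClaimType (check spelling): " + name)
    return problems

if __name__ == "__main__":
    print("\n".join(check_claims(SAMPLE, staff_provisioning=True)))
```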
Known Working IdPs
ADFS/SAML 2.0 Integration Steps
SpacesEDU supports any IdP implementing SAML 2.0. To proceed with setting up SSO:
Access myBlueprint’s security token service metadata to be used when setting up trust between your IdP and myBlueprint:
Canadian/International Schools: https://auth.ca.spacesedu.com/saml2
US Schools: https://auth.app.spacesedu.com/saml2
Configure your IdP to send the required claims
Send your myBlueprint IT contact your IdP Metadata
Provide an SSO testing account (username/email and password)
We will review and complete testing to ensure the SSO works correctly. Depending on the parameters provided, and whether data has been imported using SIS Sync or CSV Setup, users may be required to enter additional information upon first login.
Azure AD Setup Guide
Azure AD integration will require Azure AD Premium to support adding an unlisted application.
Access your Azure Active Directory
Click Add then select Enterprise application
Click Create your own application
Name it SpacesEDU and click Create
Click Single Sign-on in the left-hand navigation menu
Click SAML
Click Upload metadata file and upload the file from the link below
Canadian/International School Districts: https://auth.ca.spacesedu.com/saml2
US School Districts: https://auth.app.spacesedu.com/saml2
Click on the pencil icon to edit 'Step 2', User Attributes & Claims, and then configure your claims (refer to Parameter Specifications)
Copy the App Federation Metadata URL and send it to your Spaces contact
Enable access to the application to all of your staff and student roles in Azure
We recommend allowing access to all users ('Everyone') within your organization - school-specific levels of access will be controlled directly within the SpacesEDU application.
For more information about assigning users to applications, see this Microsoft support article.
Users not assigned to an application will receive this error message: "Error AADSTS50105 - The signed in user is not assigned to a role for the application".
To resolve the error noted above, simply ensure they are assigned to a role with access to the SpacesEDU SAML app. Note that nested groups cannot be used for this purpose - groups must be directly assigned to the application.
Google Workspace Setup Guide
Navigate to your Google Workspace Admin page
Go to Apps > Web and Mobile Apps
Click Add App and then Add custom SAML app.
Enter SpacesEDU as the name of your app and click Continue
Download the IdP Metadata file, and send this to your SpacesEDU implementation contact
Click Continue, then set up the Service Provider details as follows.
Canadian/International Schools:
ACS URL: https://auth.ca.spacesedu.com/saml2/Acs
Entity ID: https://ca.spacesedu.com
US Schools:
ACS URL: https://auth.app.spacesedu.com/saml2/Acs
Entity ID: https://app.spacesedu.com
The Name ID can be any value, as long as it is unique for all users. Unless you wish to use a different value for your name ID, you can leave it set as the default (primary email, format 'undefined').
Click Continue, then configure your claims on the Attribute Mapping page.
The main required claims to select under 'Google Directory Attributes' are: primary email, first name, and last name
For the App attributes, enter the full URL-format ClaimType for the corresponding parameter as detailed in the Parameter Specifications section (for example, Primary Email > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
The application is OFF for everyone by default - enable it for all users by clicking User access, selecting ON for Everyone and clicking SAVE