SAML SSO Integration
SAML Single Sign-On (SSO) Setup and Configuration
- In your System Admin account, click Tools in the header, then choose School Management.
- Click the Authentication tab.
- Click Cloud/On Premise Directory.
- Select the SAML option.
- Fill in the fields in the SAML Settings area.
  - SP Entity ID: Enter the custom ID if two organizations need to use the same Identity Provider (IdP). Most installations can leave this blank.
  - ID Attribute: Enter the SAML attribute used to identify the Schoology account. Leave blank to use Name ID as the attribute.
  - Match ID to Schoology Account Using: SAML requires matching an attribute from the SAML Server (IdP) to the Schoology attribute you select in this menu. Common SAML attributes include mail, sAMAccountName, or UserID. Depending on the configuration of your IdP, attribute names may be sent as URNs, such as urn:oid:1.3.6.1.4.1.14519.1.1. Select the field in Schoology you will match to the SAML ID attribute:
    - Username
    - Unique ID
  - Error URL: Enter the URL to which to direct users if an error occurs. If left blank, a Schoology-generated error page will be used.
  - Metadata URL: Enter your SAML Identity Provider (IdP) Metadata URL.
    - If using ADFS as a SAML IdP, you would enter https://[ADFS Server Host]/FederationMetadata/2007-06/FederationMetadata.xml.
    After entering the Metadata URL, click the Fill Fields Below from the Metadata URL button that displays to automatically fill in the rest of the fields. Optional: You may also fill in the Login URL, Logout URL, and X.509 Certificate fields manually.
    If using a custom subdomain or custom domain, the SP Metadata URL should contain the custom domain. If you go to Schoology without using the custom domain, the metadata URL listed on the config page will be incorrect (as it will not contain the custom domain).
  - In the Logout Type menu, select:
    - Standard: For standard logout, users are directed to the page specified in the Logout URL field after logout (for example, the homepage for a district or college). When users log out of Schoology, they may still be logged into the SAML server until they close the browser window. This means that when they navigate back to the account's domain or custom subdomain, they're still logged into Schoology. Many SAML providers have an option that allows the user to log out completely after logging out of Schoology. For example, if you're using ADFS, you would select Standard in the Logout Type menu, and in the Logout URL field enter https://[ADFS Server Host]/adfs/ls/IdpInitiatedSignon.aspx.
    - SLO: Select for SAML Single Logout – that is, users are logged out of all logged-in SAML services. SLO must be configured on your IdP to use this option. Enter the SLO endpoint in the Logout URL field. For example, for ADFS, the SLO endpoint is typically https://[ADFS Server Host]/adfs/ls/?wa=wsignout1.0.
  - X.509 Certificate: Paste the token-signing certificate for the SSO request here. Make sure this matches the current certificate in your metadata.
- Click Save Changes.
- Use the SP Metadata URL listed at the top of the page to configure the Schoology metadata in your SAML IdP. This URL will not contain metadata until you have fully configured the SAML integration in Schoology and saved your settings.
- If you are using a custom domain or subdomain, click the Custom Domain tab. Change the Landing Page field from Schoology Log In Page to SAML Login Page and click Save Changes. This step must be completed so that navigating to your custom domain or subdomain will automatically kick off the SAML workflow.
- To prevent students and teachers from logging in outside of your Custom Domain or Subdomain, System Administrators can enable the permission for specific roles to Ensure user logs in using an external authentication provider.
You can now test the SAML login workflow by going to https://[Custom Domain]/login/saml.
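The setup above has you fill in the Login URL, Logout URL and X.509 Certificate from the IdP metadata and then keep the pasted certificate in step with the current one in that metadata. As an added example, not Schoology's or ADFS's code, the following Python reads an IdP metadata document for those endpoints and checks that a pasted token-signing certificate is one the IdP currently publishes; the metadata, the host adfs.example.test and the certificate bodies are constructed placeholders.

```python
# Added example (not Schoology's or ADFS's code): parse IdP metadata for the values this
# page has you fill in and verify the pasted X.509 cert is a current signing cert.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed ADFS-style metadata with a placeholder host and a dummy certificate body.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
        MIIBPLACEHOLDERCERTBYTES
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def cert_to_der(cert_text):
    """Strip PEM armour and whitespace so pasted and metadata certs compare as DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return base64.b64decode("".join(body.split()))

def parse_idp_metadata(xml_text):
    """Return the entityID, SSO/SLO endpoints and the current signing certs (DER)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        certs += [cert_to_der(c.text) for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "slo_url": idp.find("md:SingleLogoutService", NS).get("Location"),
            "signing_certs": certs}

def certificate_matches_metadata(pasted_cert, metadata):
    """True if the pasted cert is one the IdP publishes now; False after a rotation."""
    wanted = hashlib.sha256(cert_to_der(pasted_cert)).hexdigest()
    return wanted in {hashlib.sha256(c).hexdigest() for c in metadata["signing_certs"]}
```

Run the check against the live Metadata URL on a schedule: a False result is the usual cause of SSO breaking after the IdP rotates its token-signing certificate.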