The 'Authentication' tab allows you to manage all authentication-related settings, including configuring Single Sign-On (SSO), adjusting authentication options and managing domain names.
Single Sign-On (SSO) identity providers
Ans allows users to log in using their school credentials through Single Sign-On (SSO), eliminating the need for extra accounts. Administrators can configure SSO settings, including adding custom identity providers.
Ans supports three SSO types:
- SURFconext: For Dutch schools
- eduGAIN: For EU schools connected to eduGAIN
- SAML (beta): Custom SSO setup
Key features include options to prevent automatic account creation or updates during sign-in. For proper user identification, specific SAML attributes (such as NameID, UID and email) must be correctly mapped.
For more information, read the full article here.
Authentication
Enforce Single Sign-On (SSO)
The first option within authentication is to enable authentication. This option only works if you have an SSO provider configured. You can add your own identity provider under the menu Single Sign-On. Ans also supports the use of third-party services to set up SSO. The following services are currently supported:
-
SURFconext
To set up the authentication for SURFconext, your administrator of SURFconext can request a connection with Ans via the dashboard of SURFconext. After requesting a connection, our support team will receive a notification and they can approve the connection. Ans has all environments prepared for a connection in the SURFconext dashboard.- Production: https://ans.app/
- Stage: https://stage.ans.app/
- Education: https://edu.ans.app/
-
eduGAIN
To connect your active directory via eduGAIN, the beta feature SAML Single Sign-On needs to be enabled. Please contact integrations@ans.app. The Ans support team will need the domain which is registered at eduGAIN. The list with all registered domains is available via: https://metadata.surfconext.nl/ (see below 'eduGAIN metadata'). After we have set the domain on your account, you are able to set up a eduGAIN account via the SAML Single Sign-On menu.
Enforcing SSO will prevent users from logging in with their local account. By local account, we mean an account that has been created via Ans and which is authenticated via their own created password in Ans. On our login page, the SSO login method is located at the top and below that, you can log in with your local account. Enforcing SSO will make sure access to Ans is denied if users log in via their local account. An exception to the rejection of local accounts is the option 'Use one-time password'. This option can be enabled via the taking menu during a digital test. If a student forgot the password of the account, an employee can set a one-time password which is valid for 15 minutes. This is the only way to log in outside the SSO. If the 15 minutes have passed or if the one-time password is used, the user student will need to log in via SSO the next time. Using a one-time password only grants access to a single assignment. It does not allow access to other assignments or other parts of the platform.
Ans has multiple possibilities to import students to your Ans instance, for example via a group import, class import or student import via the Users menu. If the option Enforce SSO is enabled, it will not be possible to send invitations to your users. The first step in the invitation workflow is sending a URL to set a password for a local account, which is not possible anymore.
Require two-factor authentication (2FA)
As an additional security measure, you can require all employees to log in to Ans with two-factor authentication (2FA). Ans supports various 2FA solutions. Requiring all employees to log in to Ans with 2FA will also be applied to administrator accounts. Disabling the setting on an individual level will not overrule this. In the case that you disable 2FA on an individual level in settings, you will be asked to set up a new 2FA when logging in again.
Domain names
Emails within the platform are unique and can only be associated with a single school. To prevent other schools from adding users with your school domain to their school, you can register your domain name(s). Once a domain name is registered, only emails belonging to those domains can be added to your school.
To prevent misuse, only Ans support can add additional domains. If you wish to add additional domain names, please contact support.
Custom domain [Campus]
With a custom domain, Ans offers users from your school the ability to access the platform using your unique domain name, such as 'ans.yourschoolname.com'. In addition, we also support various domain extensions such as '.nl' or '.be'. This feature ensures a seamless experience for both employees and students. Moreover, using your own domain enables you to send emails through it, enhancing the authenticity of the emails received by users.
More information on this feature can be found here.
Who can invite external users [Campus]
External users can be invited to courses or question banks within your school. With this setting, administrators can choose who is allowed to invite external users from outside the school.
-
Anyone
External users can join via invitation links. Administrators can also invite them manually.
-
Only administrators
External users must be invited manually by an administrator by creating an external user account. The invitation link will no longer work for external users. The message 'Your school has disabled invitation links for external users.' appears in the 'Add contributors' and 'Add learners' screen in the question bank and courses.
Comments
0 comments
Please sign in to leave a comment.