The 'Authentication' tab allows you to manage all authentication-related settings, including configuring Single Sign-On (SSO), adjusting authentication options and managing domain names.
Single Sign-On (SSO) identity providers
Ans supports three SSO types:
- SURFconext: For Dutch schools
- eduGAIN: For EU schools connected to eduGAIN
- SAML (beta): Custom SSO setup
Key features include options to prevent automatic account creation or updates during sign-in. For proper user identification, specific SAML attributes (such as NameID, UID and email) must be correctly mapped.
For more information, read the full article here.
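The attribute mapping mentioned above can be checked before SSO is enforced by inspecting a sample assertion captured from a test login at your identity provider. The following is an added example, not code from Ans: the accepted attribute names for UID and email are assumptions (the common urn:mace and urn:oid forms), the sample assertion is constructed, and signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute names (common urn:mace / urn:oid forms); confirm them
# against the mapping configured for your own identity provider.
REQUIRED = {
    "uid": {"uid", "urn:mace:dir:attribute-def:uid",
            "urn:oid:0.9.2342.19200300.100.1.1"},
    "email": {"mail", "email", "urn:mace:dir:attribute-def:mail",
              "urn:oid:0.9.2342.19200300.100.1.3"},
}

# Constructed sample assertion (unsigned test data). The mail attribute is
# present but carries only whitespace, a common mapping mistake.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>abc123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail">
      <saml:AttributeValue> </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def missing_identifiers(assertion_xml):
    """Return the sorted identifiers that are absent or empty in the assertion."""
    # Only feed this a sample from your own test login: ElementTree is not
    # hardened against hostile XML and no signature is verified here.
    root = ET.fromstring(assertion_xml)
    found = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    found["NameID"] = name_id is not None and bool((name_id.text or "").strip())
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        for key, names in REQUIRED.items():
            if attr.get("Name") in names and any(values):
                found[key] = True
    return sorted(k for k in ["NameID", *REQUIRED] if not found.get(k))


if __name__ == "__main__":
    print(missing_identifiers(SAMPLE))
```

An empty result means all three identifiers are present with a non-empty value; anything else names what the identity provider still needs to release.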
Authentication
Enforce Single Sign-On (SSO)
The first option within authentication is to enable authentication. This option only works if you have an SSO provider configured. You can add your own identity provider under the menu Single Sign-On. Ans also supports the use of third-party services to set up SSO. The following services are currently supported:
- SURFconext
  To set up authentication for SURFconext, your SURFconext administrator can request a connection with Ans via the SURFconext dashboard. After the connection is requested, our support team will receive a notification and they can approve the connection. Ans has all environments prepared for a connection in the SURFconext dashboard:
  - Production: https://ans.app/
  - Stage: https://stage.ans.app/
  - Education: https://edu.ans.app/
- eduGAIN
  To connect your active directory via eduGAIN, the beta feature SAML Single Sign-On needs to be enabled. Please contact integrations@ans.app. The Ans support team will need the domain which is registered at eduGAIN. The list with all registered domains is available via: https://metadata.surfconext.nl/ (see below 'eduGAIN metadata'). After we have set the domain on your account, you are able to set up an eduGAIN account via the SAML Single Sign-On menu.
Enforcing SSO will prevent users from logging in with their local account. By local account, we mean an account that has been created via Ans and which is authenticated via a password the user created in Ans. On our login page, the SSO login method is located at the top and below that, you can log in with your local account. Enforcing SSO will make sure access to Ans is denied if users log in via their local account.
An exception to the rejection of local accounts is the option 'Use one-time password'. This option can be enabled via the taking menu during a digital test. If a student has forgotten the password of the account, an employee can set a one-time password which is valid for 15 minutes. This is the only way to log in outside the SSO. If the 15 minutes have passed or if the one-time password is used, the student will need to log in via SSO the next time.
Ans has multiple possibilities to import students to your Ans instance, for example via a group import, class import or student import via the Users menu. If the option Enforce SSO is enabled, it will not be possible to send invitations to your users. The first step in the invitation workflow is sending a URL to set a password for a local account, which is no longer possible once SSO is enforced.
Require two-factor authentication (2FA)
As an additional security measure, you can require all employees to log in to Ans with two-factor authentication (2FA). Ans supports various 2FA solutions. This requirement also applies to administrator accounts. Disabling the setting on an individual level will not overrule this: if you disable 2FA on an individual level in settings, you will be asked to set up a new 2FA when logging in again.
When using SURFconext, employees will skip 2FA if it is enabled for them and they sign in with a SURFconext Level of Assurance (LoA) of 1.5 or higher. This approach ensures secure access while avoiding the need to enter a second factor twice. You can read more about Level of Assurance further in this article.
Owned domains
Emails within the platform are unique and can only be associated with a single school. To prevent other schools from adding users with your school domain to their school, you can register your domain name(s). Once a domain name is registered, only emails belonging to those domains can be added to your school.
To prevent misuse, only Ans support can add additional domains. If you wish to add additional domain names, please contact support.
Custom domain [Campus]
With a custom domain, Ans offers users from your school the ability to access the platform using your unique domain name, such as 'ans.yourschoolname.com'. In addition, we also support various domain extensions such as '.nl' or '.be'. This feature ensures a seamless experience for both employees and students. Moreover, using your own domain enables you to send emails through it, enhancing the authenticity of the emails received by users.
More information on this feature can be found here.