Only administrators can perform this action.
With Single Sign-On (SSO), you can let your users log in with their school credentials. By configuring an SSO solution in Ans, you will not need any additional accounts for the users of your school. In the SSO settings, administrators can set options that change how SSO works within your school in Ans. You also have the option to add your own identity provider.
To navigate to the Single Sign-On menu, follow the steps below.
- Click the School name in the menu on the left.
- Click Settings in the menu at the top.
- Click Single Sign-On in the menu on the left.
Accounts
Don't activate employee accounts at creation
The first option is a checkbox that disables the activation of employee accounts when they are created. When this option is enabled, Ans will deactivate accounts that are created when a user signs in via Single Sign-On for the first time. Admins can then activate the account via the User menu. This option is used, for example, when your school requires an introduction or training before employees use Ans. After the users have been instructed on how to use Ans, you can activate their accounts.
Prevent SSO from creating accounts
When this option is enabled, an account will not automatically be created for an unknown user signing in via Single Sign-On. Normally, Ans will check the information of the user who wants to sign in via SSO. The exact information that is checked differs per school and depends on the attribute mapping configured for the SSO. If the user can't be found in Ans, Ans will create the user. If this option is enabled, Ans will not create a new user when the user can't be found at sign-in. Instead, they will be redirected to the sign-in page of Ans and will see the message: 'You don't have permission to create an account'. You will first need to create the accounts manually, via an import, API or LTI.
SAML
Add an identity provider
Ans offers the possibility to add a custom identity provider. In order to do so, follow the steps below.
- Click the orange box New identity provider and fill in a name.
- A new page will open. In the box, 'School name', you will need to give your identity provider the name that should appear on the sign-in screen. We recommend using your school name.
- Fill in the metadata URL of your identity provider.
- Click Create.
- We will then parse the metadata URL and retrieve all relevant information.
- You will be taken to a page with all the relevant information to connect Ans to your identity provider.
- Toggle Active for users to enable the identity provider on the Ans sign-in page.
To edit the school name or delete the identity provider, return to this page by going to the Single Sign-On menu and clicking the name of the school under SAML.
You may need to add a mapping for the required attributes (which can be viewed in the metadata). We require you to use URN definitions:
- 'uid' => 'urn:oid:0.9.2342.19200300.100.1.1'
- 'mail' => 'urn:oid:0.9.2342.19200300.100.1.3'
- 'affiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'
- 'surname' => 'urn:oid:2.5.4.4'
- 'studentNumber' => 'urn:oid:1.3.6.1.4.1.25178.1.2.14'
- 'givenName' => 'urn:oid:2.5.4.42'
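To confirm that your identity provider releases attributes under these URN names before enabling it for users, you can inspect the AttributeStatement of a test sign-in. The script below is an added example, not part of Ans or its documentation: it treats all six listed attributes as expected (an assumption; the required set is in the metadata), and the sample XML is constructed. It inspects attribute names only and does not validate the assertion.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# URN names from the mapping list on this page.
EXPECTED = {
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "surname": "urn:oid:2.5.4.4",
    "studentNumber": "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "givenName": "urn:oid:2.5.4.42",
}

# Constructed AttributeStatement: mail is released under a non-URN name,
# surname has an empty value, studentNumber and givenName are not released.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
    <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mail">
    <saml:AttributeValue>jdoe@school.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml:AttributeValue>employee</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue/></saml:Attribute>
</saml:AttributeStatement>"""

def check_mapping(statement_xml):
    """Classify each expected attribute as ok, wrong_name, empty or missing."""
    root = ET.fromstring(statement_xml)
    released = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        released[attr.get("Name")] = [v for v in values if v]
    report = {}
    for short, urn in EXPECTED.items():
        if urn in released:
            report[short] = "ok" if released[urn] else "empty"
        elif short in released:
            report[short] = "wrong_name"  # sent, but not under the URN definition
        else:
            report[short] = "missing"
    return report

if __name__ == "__main__":
    for name, status in check_mapping(SAMPLE).items():
        print(f"{name:14} {EXPECTED[name]:36} {status}")
```

An attribute reported as wrong_name is being released by the identity provider but needs its Name changed to the URN definition in the IdP's attribute mapping.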
eduGAIN
To set up an eduGAIN connection, your domain needs to be registered. To do so, please contact support@ans.app. The support team will need the domain that is registered at eduGAIN. The list of all registered domains is available via: https://metadata.surfconext.nl/ (see under 'eduGAIN metadata'). After we've set the domain on your account, you are able to set up an eduGAIN account via the SAML Single Sign-On menu. An additional button will appear after your domain has been added.
Press New eduGAIN connection to start the connection.