Only administrators can perform this action.
With Single Sign-On (SSO), you can let your users log in with their school credentials. By configuring an SSO solution in Ans, the users of your school will not need any additional accounts. In the SSO settings, administrators can set options that change how SSO works within your school in Ans. You also have the option to add your own identity provider.
Ans currently supports three types of Single Sign-On:
- SURFconext: for Dutch schools
- eduGAIN: for EU schools connected to eduGAIN
- SAML: set up a custom SSO connection via SAML (beta feature)
To navigate to the Single Sign-On menu, follow the steps below.
- Click the School name in the menu on the left.
- Click Settings in the menu at the top.
- Click Single Sign-On in the menu on the left.
Do not activate employee accounts at creation
The first option is a checkbox which will disable the activation of employee accounts when they are created. When this option is enabled, Ans will deactivate accounts that are created when a user signs in via Single Sign-On for the first time. Administrators can then activate the account via the User menu. This option is useful, for example, when your school requires an introduction or training before someone uses Ans. After the users have been instructed on how to use Ans, you can activate their accounts.
Prevent SSO from creating accounts
When this option is enabled, an account will not automatically be created for an unknown user signing in via Single Sign-On. Normally, Ans checks the information of the user who wants to sign in via SSO. The exact information that is checked differs per school and depends on the mapping that is done in the SSO. If the user cannot be found in Ans, Ans creates the user. If this option is enabled, Ans will not create a new user when the user cannot be found at sign-in. Instead, they will be redirected to the sign-in page of Ans and they will see the message: 'You don't have permission to create an account'. You will first need to create the accounts manually, via an import, API or LTI.
- Name of the institution: the full name of the school you would like to connect to Ans.
- Name of the contact person: this is the full name of the contact person who is responsible for the SURFconext integration within your institution.
- Email of the contact person
Upon receiving the required information, the integrations team will contact SURFconext on your behalf and submit a connection request for your institution. The SURFconext support team will then process the request using the contact information provided to perform the final validation with you. After that, the connection between SURFconext and Ans is finalised.
If you experience an issue with your SURF connection, follow these steps to provide us with all the information needed to help you resolve the issue:
- Timestamp of occurrence (as specific as possible, as we receive 100+ sign-ins per minute)
Click New eduGAIN connection to start setting up the connection.
Add an identity provider
Ans offers the possibility to add a custom identity provider. In order to do so, follow the steps below.
- Click the orange box New identity provider and fill in a name.
- A new page will open. In the box 'School name', enter the name that should appear on the sign-in screen for your identity provider. We recommend using your school name.
- Fill in the metadata URL of your identity provider.
- Click Create.
- We will then parse the metadata URL and retrieve all relevant information.
- You will be taken to a page with all the relevant information to connect Ans to your identity provider.
- Toggle Active for users to enable the identity provider on the Ans sign-in page.
To edit the school name or delete the identity provider, go back to this page by opening the Single Sign-On menu and clicking the name of the school under SAML.
You may need to add a mapping for the required attributes (which can be viewed in the metadata). We require you to use URN definitions:
- 'uid' => 'urn:oid:0.9.2342.19200300.100.1.1'
- 'mail' => 'urn:oid:0.9.2342.19200300.100.1.3'
- 'affiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'
- 'surname' => 'urn:oid:2.5.4.4'
- 'studentNumber' => 'urn:oid:188.8.131.52.4.1.25184.108.40.206'
- 'givenName' => 'urn:oid:2.5.4.42'
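
To check what your identity provider actually releases against the URN names above, you can inspect the AttributeStatement of a captured SAML response. The script below is an added example, not code from Ans: the sample statement is constructed, `check_attributes` is a hypothetical helper, and only the 'uid' and 'mail' entries are covered. It inspects attribute names only and does not validate signatures.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Required attribute names, taken from the list above (uid and mail only).
REQUIRED = {
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
}

# Constructed sample: an AttributeStatement in which the IdP releases
# mail under its short name instead of the URN.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def check_attributes(statement_xml, required=REQUIRED):
    """Return {key: status}; status is 'ok', 'empty', 'wrong-name' or 'missing'."""
    # ElementTree is fine for a locally captured sample; use a hardened
    # parser such as defusedxml for XML from an untrusted source.
    root = ET.fromstring(statement_xml)
    released = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        released[attr.get("Name")] = values
    report = {}
    for key, urn in required.items():
        if urn in released:
            report[key] = "ok" if released[urn] else "empty"
        elif key in released:
            # Sent under the short name, so a URN-based mapping will not see it.
            report[key] = "wrong-name"
        else:
            report[key] = "missing"
    return report


if __name__ == "__main__":
    for key, status in check_attributes(SAMPLE).items():
        print(f"{key:<6} {REQUIRED[key]:<40} {status}")
```

A 'wrong-name' or 'missing' result means the mapping on the identity provider side still needs to be added or changed to the URN form.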