Only administrators can perform this action.
With Single Sign-On (SSO), your users can log in with their school credentials, so you do not need to maintain separate Ans accounts for the users of your school. In the SSO settings, administrators can set options that change how SSO works within your school in Ans, and can add their own identity provider.
Ans currently supports three types of Single Sign-On:
- SURFconext: for Dutch schools
- eduGAIN: for EU schools connected to eduGAIN
- SAML: set up a custom SSO connection via SAML (beta feature)
To navigate to the Single Sign-On menu, follow the steps below.
- Click School name in the menu on the left.
- Click Settings in the menu at the top.
- Click Single Sign-On in the menu on the left.
Accounts
Prevent SSO from creating accounts
When this option is enabled, an account is not created automatically for an unknown user signing in via Single Sign-On. Normally, Ans checks the information of the user who wants to sign in via SSO; which information is checked differs per school and depends on the attribute mapping configured for the SSO connection. If the user cannot be found in Ans, Ans creates the account. With this option enabled, Ans does not create a new account when the user cannot be found; instead, the user is redirected to the Ans sign-in page and sees the message: 'You don't have permission to create an account'. Accounts must then be created first, manually, via an import, the API or LTI. This keeps account provisioning under the control of your own import or integration rather than of anyone who can authenticate at the identity provider.
Prevent SSO from updating accounts
When this option is enabled, the account of an existing user is not updated automatically when they sign in via Single Sign-On. When it is disabled, the attributes of a known account (e.g. first name, last name) are overwritten with the values the identity provider sends each time the user signs in via Single Sign-On.
Data used for SSO
No matter which identity provider you use—SURFconext, eduGAIN, or a provider of your choice—Ans relies on specific SAML attributes to identify users. These attributes are:
- NameID
- UID
- Student number - if applicable
- Email
If you choose to use an identity provider other than SURFconext or eduGAIN, ensure that these attributes are correctly mapped within your provider’s configuration. This ensures seamless authentication and proper user identification within Ans.
SURFconext
To connect your institution via SURFconext, provide the Ans integrations team with the following information:
- Name of the institution: the full name of the school you would like to connect to Ans.
- Name of the contact person: the full name of the person responsible for the SURFconext integration within your institution.
- Email of the contact person
Once the integrations team has received this information, it contacts SURFconext on your behalf and submits a connection request for your institution. The SURFconext support team then processes the request and uses the contact details provided to perform the final validation with you. After that, the connection between SURFconext and Ans is finalised.
If you experience an issue with your SURFconext connection, provide us with the following so that we can help you resolve it:
- Timestamp of occurrence (as specific as possible, as we receive 100+ sign-ins per minute)
- Output of https://engine.surfconext.nl/authentication/sp/debug
eduGAIN
Click New eduGAIN connection to initiate the connection.
SAML (beta)
Add an identity provider
This option is available through beta features; read more about beta features here.
Ans offers the possibility to add a custom identity provider. To do so, follow the steps below.
- Click the orange box New identity provider and fill in a name.
- A new page opens. In the 'School name' box, enter the name of your identity provider as it should appear on the sign-in screen. We recommend using your school name.
- Fill in the metadata URL of your identity provider. Use an https URL: the metadata contains your provider's signing certificate, which is what Ans will trust when it verifies responses from your provider.
- Click Create.
- Ans then parses the document at the metadata URL and retrieves all relevant information.
- You are taken to a page with all the information needed to connect Ans to your identity provider.
- Toggle Active for users to enable the identity provider on the Ans sign-in page.
To edit the school name or delete the identity provider later, go back to this page via the Single Sign-On menu and click the name of the school under SAML.
You may need to add a mapping for the required attributes (which are listed in the metadata). Ans requires the attributes to be sent under their URN OID names:
- 'uid' => 'urn:oid:0.9.2342.19200300.100.1.1'
- 'mail' => 'urn:oid:0.9.2342.19200300.100.1.3'
- 'affiliation' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'
- 'surname' => 'urn:oid:2.5.4.4'
- 'studentNumber' => 'urn:oid:1.3.6.1.4.1.25178.1.2.14'
- 'givenName' => 'urn:oid:2.5.4.42'
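The following script ties the attribute list above to the two options in the Accounts section: it reads the URN OID attributes and the NameID from an assertion, checks that the attributes Ans identifies users by are present (student number only for students, as "if applicable" above), and then applies 'Prevent SSO from creating accounts' and 'Prevent SSO from updating accounts'. It is an added example, not Ans code. The sample assertion is constructed, the account store keyed by `uid` and the record layout are assumptions (which attribute is matched differs per school), and the assertion carries no Signature: in a real service provider the signature is verified against the certificate from the identity-provider metadata before any attribute is read.

```python
"""Map SAML assertion attributes onto the fields Ans identifies users by and
apply the 'Prevent SSO from creating/updating accounts' options.  Added
example, not Ans code; the lookup key and record layout are assumptions."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The URN OID names required above, keyed by their friendly names.
ATTRIBUTE_OIDS = {
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "affiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "surname": "urn:oid:2.5.4.4",
    "studentNumber": "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "givenName": "urn:oid:2.5.4.42",
}
DENIED_MESSAGE = "You don't have permission to create an account"

# Constructed assertion for a hypothetical student.  No Signature element:
# never read attributes from an assertion whose signature was not verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-09-01T08:00:00Z">
  <saml:Issuer>https://idp.example-school.invalid/saml2/idp</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f0e2a9c</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>j.doe@example-school.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>student</saml:AttributeValue><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.14"><saml:AttributeValue>123456</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return the NameID plus every attribute in ATTRIBUTE_OIDS as a list of values."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    by_name = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        by_name[attr.get("Name")] = [(v.text or "").strip()
                                     for v in attr.findall("saml:AttributeValue", NS)]
    attrs = {"NameID": name_id}
    for field, oid in ATTRIBUTE_OIDS.items():
        attrs[field] = by_name.get(oid, [])  # absent attribute -> empty list, not KeyError
    return attrs


def missing_required(attrs: dict) -> list:
    """NameID, uid and mail are always required; the student number only for students."""
    missing = [f for f in ("NameID", "uid", "mail") if not attrs[f]]
    if "student" in attrs["affiliation"] and not attrs["studentNumber"]:
        missing.append("studentNumber")
    return missing


def _first(values: list) -> str:
    return values[0] if values else ""


def resolve_account(attrs: dict, accounts: dict, prevent_create: bool, prevent_update: bool):
    """Apply the two account options.  `accounts` is keyed by uid here; which
    attribute Ans matches on differs per school, so that is an assumption."""
    missing = missing_required(attrs)
    if missing:
        return "rejected", "missing required attributes: " + ", ".join(missing)
    incoming = {
        "uid": _first(attrs["uid"]),
        "email": _first(attrs["mail"]),
        "first_name": _first(attrs["givenName"]),
        "last_name": _first(attrs["surname"]),
        "student_number": _first(attrs["studentNumber"]) or None,
    }
    existing = accounts.get(incoming["uid"])
    if existing is None:
        if prevent_create:
            return "denied", DENIED_MESSAGE  # user is sent back to the sign-in page
        accounts[incoming["uid"]] = incoming
        return "created", incoming
    if prevent_update:
        return "signed_in", existing  # values from the IdP are ignored
    existing.update(incoming)  # IdP values overwrite first name, last name, etc.
    return "updated", existing
```

With `prevent_create` set, an unknown `uid` is turned away with the message quoted in the Accounts section and nothing is written to the account store; with `prevent_update` set, an existing record keeps whatever was imported even if the identity provider sends different names.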