How to Get Started with SSO
Once you have the customers’ data, you can initiate an SSO authentication between School Passport and your application. Select a required flow and an SSO mechanism from the available options. After that, provide the necessary information related to that specific SSO mechanism to [email protected].
After configuring SSO, you will be granted access to a Sandbox environment to test your application. This environment allows you to evaluate and validate the functionality of your application in a controlled setting, ensuring its proper operation before deploying it in a live environment. Once testing has been completed successfully, you will be provided access to the Production environment.
Supported SSO flows
These are the following SSO flows supported:
- Publishing the “Login with…” button on the login page of your application: Users will initiate SSO by clicking the button on the login screen of your application and GG4L will federate authentication independent of the authentication provider that the customer is using (including Active Directory, AD FS, Google Workspace, LMS or SIS systems etc).
- SSO from School Portal / GG4L / LMS / SIS etc into your application: Users will initiate SSO from outside of your application and GG4L will perform SSO based on the technology that you selected.
- School Passport as SSO provider for your application: School Passport will behave as an SSO backend and you could embed SSO into your application.
OAuth SSO
OAuth SSO supports the OAuth 2.0 API and follows industry-standard implementations.
Note:
Self-configuration is required, no additional information is needed.
To get started with OAuth-based SSO:
- Request a test account from [email protected]. You will receive user credentials (username and password) and API credentials (Base URL, Client ID, and Secret Key).
- Initiate the SSO process with the URL below. In the URL, replace
{client_id}
with your Client ID and{redirect_uri}
with the URL of your application:
https://schoolpassport.gg4l.com/oauth/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}
- Upon the initial HTTP GET request, get
code
parameter to the specifiedredirect_uri
, according to Authorization Request endpoint. - Use
code
to get an OAuth token through a server-to-server API call, according to Access Token Request endpoint. - Retrieve the user's basic profile information, according to Access to user's identity information endpoint.
Tip:
We suggest using email addresses for identifying users (SIS IDs and GUIDs are available as well).
SAML SSO
The supported version is SAML 2.0. Both IdP- and SP-initiated workflows are available.
To get started with SAML-based SSO, request a test account from [email protected] and provide the following information:
- File or URL of School Passport metadata
- Required SSO initiation type (IdP- or SP-initiated)
- The desired NameID format
- Enumeration of additional SAML attributes for assertion
- (Optional) Create a test account in your application and provide its credentials (username and password).
Once the email is sent, GG4L Team will set up integration and get back to you with confirmation.
LTI SSO
The supported version is LTI v1.0 basic-lti-launch-request
.
GG4L will send the following sample parameters and any additional required by your Application:
Iti_version: LTI-1p0
Iti_message_type: basic-iti-launch-request user_id=ZYX
oauth_consumer_key=XYZ
oauth_signature_method=HMAC-SH A1
oauth_timestamp=1244834250
oauth_nonce=1244834250435893000
oauth_version=1.0
oauth_signature=Xddn2A%2BjzwjgBIVYkvigaKxCdcc%3D
oauth callback=about.biank
To get started with LTI-based SSO, request a test account from [email protected] and provide the following information:
- Your Application URL (where you will receive LTI messages)
- OAuth credentials (Client ID and Secret Key for message signing)
- List of attributes that should be included in the LTI message
- All necessary information for the test account setup, including required attributes
Once the email is sent, GG4L Team will set up integration and get back to you with confirmation.
Password Vault SSO
Use Password Vault SSO mechanism only if none of the mentioned earlier standards-based SSOs are compatible with your application. Please note that this mechanism is considered less secure and operates by injecting passwords or submitting them via HTTP forms over HTTPS.
To get started with Password Vault SSO, request a test account from [email protected] and provide the following information:
- Login page of your application
- Username and Password of a test account
- Any additional information that is needed for logging in to your application.
Once the email is sent, GG4L Team will set up integration and get back to you with confirmation.
Updated 7 months ago