How to Get Started with SSO

Once you have the customers’ data, you can initiate an SSO authentication between School Passport and your application. Select a required flow and an SSO mechanism from the available options. After that, provide the necessary information related to that specific SSO mechanism to [email protected].

After configuring SSO, you will be granted access to a Sandbox environment to test your application. This environment allows you to evaluate and validate the functionality of your application in a controlled setting, ensuring its proper operation before deploying it in a live environment. Once testing has been completed successfully, you will be provided access to the Production environment.

Supported SSO flows

The following SSO flows are supported:

  • Publishing the “Login with…” button on the login page of your application: Users initiate SSO by clicking the button on the login screen of your application, and GG4L federates authentication independently of the authentication provider that the customer is using (including Active Directory, AD FS, Google Workspace, LMS or SIS systems, etc.).
  • SSO from School Portal / GG4L / LMS / SIS etc into your application: Users will initiate SSO from outside of your application and GG4L will perform SSO based on the technology that you selected.
  • School Passport as SSO provider for your application: School Passport acts as an SSO backend, and you can embed SSO into your application.

OAuth SSO

OAuth SSO supports the OAuth 2.0 API and follows industry-standard implementations.

Note: Self-configuration is required; no additional information is needed.

To get started with OAuth-based SSO:

  1. Request a test account from [email protected]. You will receive user credentials (username and password) and API credentials (Base URL, Client ID, and Secret Key).
  2. Initiate the SSO process with the URL below. In the URL, replace {client_id} with your Client ID and {redirect_uri} with the URL of your application:
    https://schoolpassport.gg4l.com/oauth/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}
  3. After the initial HTTP GET request, receive the code parameter at the specified redirect_uri, as described for the Authorization Request endpoint.
  4. Use the code to get an OAuth token through a server-to-server API call, as described for the Access Token Request endpoint.
  5. Retrieve the user's basic profile information, as described for the Access to user's identity information endpoint.

Tip: We suggest using email addresses for identifying users (SIS IDs and GUIDs are available as well).

SAML SSO

The supported version is SAML 2.0. Both IdP- and SP-initiated workflows are available.

Download SAML metadata

To get started with SAML-based SSO, request a test account from [email protected] and provide the following information:

  • File or URL of School Passport metadata
  • Required SSO initiation type (IdP- or SP-initiated)
  • The desired NameID format
  • Enumeration of additional SAML attributes for assertion
  • (Optional) Create a test account in your application and provide its credentials (username and password).

Once the email is sent, the GG4L team will set up the integration and get back to you with a confirmation.

LTI SSO

The supported version is LTI v1.0 basic-lti-launch-request.

GG4L will send the following sample parameters, plus any additional parameters required by your application:

  • lti_version=LTI-1p0
  • lti_message_type=basic-lti-launch-request
  • user_id=ZYX
  • oauth_consumer_key=XYZ
  • oauth_signature_method=HMAC-SHA1
  • oauth_timestamp=1244834250
  • oauth_nonce=1244834250435893000
  • oauth_version=1.0
  • oauth_signature=Xddn2A%2BjzwjgBIVYkvigaKxCdcc%3D
  • oauth_callback=about:blank

To get started with LTI-based SSO, request a test account from [email protected] and provide the following information:

  • Your Application URL (where you will receive LTI messages)
  • OAuth credentials (Client ID and Secret Key for message signing)
  • List of attributes that should be included in the LTI message
  • All necessary information for the test account setup, including required attributes

Once the email is sent, the GG4L team will set up the integration and get back to you with a confirmation.
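
On the receiving side, your application should check each launch before logging the user in. The following is an added example, not GG4L's code: a Python check of the OAuth 1.0 HMAC-SHA1 signature, timestamp freshness and nonce reuse for the parameters listed above. Function names, the in-memory nonce set and all sample values are assumptions, and the launch URL is assumed to be normalized with no query string.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def _enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def lti_signature(method, url, params, consumer_secret):
    # Base string: METHOD & encoded URL (assumed normalized, no query) & sorted params.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = _enc(consumer_secret) + "&"  # launches carry no token secret
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_launch(method, url, params, secrets, seen_nonces, now=None, max_skew=300):
    # `params` holds the decoded POST form fields; returns (ok, reason).
    now = time.time() if now is None else now
    if params.get("lti_message_type") != "basic-lti-launch-request":
        return False, "unexpected lti_message_type"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    secret = secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False, "unknown consumer key"
    ts = params.get("oauth_timestamp", "")
    if not ts.isdecimal() or abs(now - int(ts)) > max_skew:
        return False, "bad or stale timestamp"
    expected = lti_signature(method, url, params, secret)
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    # Record the nonce only after the signature verifies (no cache flooding).
    nonce = (params["oauth_consumer_key"], params.get("oauth_nonce"))
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"

def sample_launch(url, secret, now):
    # Constructed launch, signed as the sender would; all values are made up.
    p = {"lti_version": "LTI-1p0", "lti_message_type": "basic-lti-launch-request",
         "user_id": "ZYX", "oauth_consumer_key": "XYZ", "oauth_version": "1.0",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(now)),
         "oauth_nonce": "constructed-nonce-1", "oauth_callback": "about:blank"}
    p["oauth_signature"] = lti_signature("POST", url, p, secret)
    return p
```

In a multi-instance deployment the nonce set would need to live in a shared store with entries expiring after the allowed clock skew.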

Password Vault SSO

Use the Password Vault SSO mechanism only if none of the standards-based SSO mechanisms mentioned earlier is compatible with your application. Please note that this mechanism is considered less secure and operates by injecting passwords or submitting them via HTTP forms over HTTPS.

To get started with Password Vault SSO, request a test account from [email protected] and provide the following information:

  • Login page of your application
  • Username and Password of a test account
  • Any additional information that is needed for logging in to your application.

Once the email is sent, the GG4L team will set up the integration and get back to you with a confirmation.