Introduction to SSO API

This page will help you get started with SSO API.

GG4L provides its institutional tenants with a web-based Single Sign-On (SSO) Platform called Passport. Each tenant can have its own custom domain name for the API and the web-based UI (e.g. schoolA.edu, mydistrict.edu.ca, etc.).

There are two distinct scenarios for integration that rely on Passport’s OAuth Identity Provider service:

  • “Login with Passport” is when a Service Provider (your application) allows users to authenticate using Passport’s OAuth service. The identity of the organization can be submitted when redirecting a user to Passport’s SSO Platform, which eliminates the need for the user to select an organization in Passport’s UI (see the API documentation for further details).
  • “Passport initiated SSO to a Service Provider” is when a user who is already authenticated in Passport requests access to your service from Passport’s SSO Platform. In a typical workflow, the Service Provider provides an endpoint that redirects the user’s browser back to Passport’s OAuth service. This redirect should use the hostname of the originating SSO request (e.g. schoolA.edu or myschool.edu.ca, etc.). The Service Provider should derive the hostname from the SSO request, either from the HTTP “Referer” header or from a parameter that Passport can include in the request. An alternative, simplified workflow can be considered as well. For example, Passport can start SSO by sending an OAuth code or an OAuth access token.
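
One way a Service Provider can handle the hostname in the Passport-initiated flow, shown as an added example rather than GG4L's own code: the Referer header and a request parameter both arrive with the incoming request, so the hostname is matched exactly against the tenants the Service Provider has onboarded before any redirect is built. The tenant list, the `/oauth/authorize` path and the function names are assumptions; the query parameters are the standard OAuth 2.0 authorization-request fields.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample data: hostnames of tenants this Service Provider has onboarded.
ALLOWED_TENANT_HOSTS = {"schoola.edu", "mydistrict.edu.ca", "myschool.edu.ca"}
# Placeholder path (assumption); take the real one from the API documentation.
AUTHORIZE_PATH = "/oauth/authorize"


def tenant_host(referer=None, host_param=None):
    """Return the validated tenant hostname, or None if it is not a known tenant.

    An explicit parameter wins over the Referer header; both are untrusted input.
    """
    candidate = host_param
    if candidate is None and referer:
        try:
            parts = urlsplit(referer)
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            return None
        if parts.scheme != "https":
            return None
        # .hostname drops userinfo and port, so "https://schoolA.edu@other/" yields "other"
        candidate = parts.hostname
    if not candidate:
        return None
    candidate = candidate.strip().lower().rstrip(".")
    # Exact match only: suffix or substring checks would accept look-alike hosts.
    return candidate if candidate in ALLOWED_TENANT_HOSTS else None


def passport_redirect(client_id, redirect_uri, state, referer=None, host_param=None):
    """Build the redirect back to the tenant's Passport OAuth service, or None to refuse."""
    host = tenant_host(referer=referer, host_param=host_param)
    if host is None:
        return None
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # per-request random value, checked again on the callback
    })
    return f"https://{host}{AUTHORIZE_PATH}?{query}"
```

When `passport_redirect` returns None, the endpoint should answer with an error page instead of redirecting.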

By default, the OAuth access_token is valid for 12 hours and the refresh_token is valid for 30 days.