
Single Sign On (SSO) Integration


Overview

Coursedog provides a seamless login experience for your users through single sign on (SSO). In short, SSO allows users that are authenticated into their student information system (SIS) portal to authenticate directly into Coursedog with the click of a button. This eliminates the need for users to create and keep track of a new username and password.

Coursedog integrates with your identity provider through the standard SP SAML (Shibboleth) and CAS protocols. Identity providers include Okta, AWS, Ping Identity, Azure, etc.


This page will guide you through the configuration as well as the end user experience (scroll past the configuration section).


Configuration

Coursedog offers identity management administrators the tools to set up SSO in a few easy steps.

Assumptions

  • Your institution has a unique identifier for each user, one of:
    • Email address (recommended) - used as the unique identifier for a user, with a 1:1 relationship of user to email (i.e. users don't have multiple email addresses). 
    • Unique ID - a unique identifier such as an employee or student ID (e.g. EMPLID, PIDM). 
  • Users outside of your authentication domain can be set to authenticate via username and password on the individual account level

Before you Begin

Coursedog provides you with a non-production (staging) instance where you should test all SSO-related configuration changes before configuring production.


Don't lock yourself out!  Please create a secondary Coursedog Super Admin account for yourself whose authentication method is set to Password. You may need the secondary account in the case where your SSO configuration is not correct.

  • Ensure Roles is set to Super Admin
  • Ensure Products is set to Admin and at least one other product

Ensure the Login Method is set to Password.  This means that the password you've configured for the user in Coursedog will be used at log in time rather than the SSO process.

Assets

            

  • Select "SAML" or "CAS" from the drop down.

     
    Note: Once you make this selection, username and password authentication is disabled for existing users whose profile has Authentication Method = Default. Given that, you may want to notify teammates when you are in the configuration and testing process. We recommend setting it back to password until you have SSO configured for the environment.

    You can review or set the Authentication Method value in: Coursedog > Scheduling > Settings > Users > look up user account

SAML Configuration

  • SP SAML Configuration: Now we will want to fill out each setting as follows for SP SAML (Skip below for CAS).  
    Below is a sample screenshot of a SAML SP configuration that does not use Single Logout (SLO).


  • SAML Certificate/Meta Data: Paste in the value for your ds:X509Certificate. Typically this is found in your certificate file.

    Note: If you are using OpenID through Azure AD, please provide your tenant ID to your CS representative. The Coursedog client ID is: b5587ee3-25e3-41b7-84a1-ee35fae192c8


    Note: The Coursedog SAML implementation requires the SHA-256 algorithm for the certificate signature.

    Coursedog Metadata Example (See ds:X509Certificate): https://staging.coursedog.com/metadata.xml

            

  • SAML Login URL: URL that will take the user to an SP SAML login page
    e.g. https://elbert.edu/sso/saml
  • SAML Logout URL: Only set if using Single Logout (SLO):
        Note: Most schools leave this blank.
  • Redirect: Set to TRUE if not using SLO. Note: If TRUE, you must enter a value in the SAML Redirect URL.
  • SAML Redirect URL: This is where you redirect the user upon logout. *Required if Redirect is True
        Note: Typically this will be the same as the redirect page above (e.g. https://elbert.edu/sso/saml)
  • Attribute (SAML Field): This is how Coursedog associates users between the systems. It is used to map the fields returned from the SAML response to our internal fields. This is required for SSO to function. 
    • Attribute (School SAML Field): To obtain the correct value look in a sample SAML response for an email address value. Typically it is found in the NameID. 

    Note: Even if the user identity doesn't rely on NameID to match the authenticated user identity from the Identity Provider, NameID is a mandatory attribute of the SAML Assertion Response, and authentication will not be possible if it is missing. If that's the case for your Identity Provider service, please refer to its documentation on how to map and share NameID properly. 
    For Azure/Office365 or ADFS SSO implementations, most partners utilize email to authenticate users. If this is true for your institution, please validate the Attribute (SAML field) can be configured to the following per your service metadata XML: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • For Shibboleth you will want to ensure the NameID is set to be 'transient' as opposed to 'persistent'. We also recommend using the URN for the Attribute field as well (see below). Typically we see most institutions use 'mail'.

    Note: We've noticed examples where the sample response contained NameID but produced an "unable to verify user identity" error. This can sometimes be resolved by changing the Attribute value in Coursedog to be NameID.

  • Coursedog evaluates the URN value as well:

    • User Property (Coursedog Field): Map the unique identifier value passed from your institution to a Coursedog field. The two options are to a unique email address, or InstitutionID.
    • Attribute (SAML Field): This is how Coursedog associates users between the systems. It is used to map the fields returned from the SAML response to our internal fields. This is required for SSO to function. 
  • Audience (SAML Conditions): The SAML protocol requires the Identity Provider (Okta, ADFS, or any other) to list the target Service Provider (Coursedog) as one of the valid entries inside the Conditions.AudienceRestrictions.Audience node in the SAML assertion. The correct value can be retrieved from the entityID in the Coursedog metadata.xml file. 
    The images below show where to retrieve the data from, and how it must appear on your SAML Assertion Response.

This is a partial image of a valid SAML Assertion Response.
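
The NameID, Audience and Attribute requirements above can be checked offline against a sample response before you switch the authentication method. The script below is an added example, not Coursedog code: the function name `preflight`, the sample response and the entityID placeholder are constructed, and the real entityID must be taken from the Coursedog metadata.xml.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SP_ENTITY_ID = "https://sp.example.invalid/metadata"  # placeholder, not the real entityID

# Constructed sample: a decoded response reduced to the nodes the checks read.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID>jdoe@elbert.edu</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://sp.example.invalid/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="mail">
  <saml:AttributeValue>jdoe@elbert.edu</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

def preflight(response_xml, sp_entity_id, attribute):
    """List configuration problems in a decoded SAML response (empty list = none)."""
    # For responses you captured yourself; this does not verify the signature.
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in response"]
    problems = []
    # NameID is mandatory even when another attribute carries the identity.
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id:
        problems.append("NameID missing")
    # The SP entityID must be listed under Conditions/AudienceRestriction/Audience.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience lacks {sp_entity_id}")
    # The configured Attribute (SAML Field) must exist with a non-empty value.
    if attribute != "NameID":
        values = [v.text for a in assertion.findall(
            "saml:AttributeStatement/saml:Attribute", NS) if a.get("Name") == attribute
            for v in a.findall("saml:AttributeValue", NS) if v.text and v.text.strip()]
        if not values:
            problems.append(f"attribute {attribute} not in response")
    return problems

if __name__ == "__main__":
    for attr in ("mail", EMAIL_CLAIM, "NameID"):
        print(attr, "->", preflight(SAMPLE, SP_ENTITY_ID, attr) or "ok")
```

In the sample, `mail` and `NameID` pass, while the Azure-style email claim is reported as absent because the constructed response only carries `mail`.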

CAS Configuration

  • CAS Configuration: Now we will want to fill out each setting as follows for CAS. 
    Note: Coursedog referrer will be staging.coursedog.com/casArrival and app.coursedog.com/casArrival.
    • Authentication Method: CAS
    • CAS Server URL: URL for your CAS server (e.g. https://elbert.edu/cas)
    • CAS Redirect URL: Where to send the user upon logout (e.g. https://elbert.edu/logout)
    • CAS Protocol: Coursedog supports versions 2 and 3 (default is 3.0)
    • Attribute (SAML Field): This is how Coursedog associates users between the systems. It is used to map the fields returned from the CAS response to our internal fields. This is required for SSO to function. 
      • Attribute (School CAS Field): To obtain the correct value look in a sample CAS response for an email address value. Typically it is found in the email
      • User Property (Coursedog Field): Typically default to email, but can also be InstitutionID for V2. See example below:


Congrats! Once you are confident in the configuration it is time to begin testing. Make sure you have access to a user and your logs. 


User Experience (Testing your configuration)

Login

With SSO enabled, the user types their email address into the login page and is redirected to their own institution's login page rather than being asked for their password.


We use the entered email address to determine which school they belong to and therefore where to redirect them. Once redirected, the user then logs in as usual on their standard institution login page:



Note: If you prefer to avoid having the user enter their email address before redirect then give your users a URL of the form: /login/<school id> 

    https://staging.coursedog.com/#/login/<myschool>

    https://app.coursedog.com/#/login/<myschool>


When users access the URL, they are redirected to the institution portal/login page rather than starting in Coursedog.

Logout

When users log out of Coursedog, we can invoke a SAML logout (SLO), or redirect them to a page of their choice. 
