Coursedog provides a seamless login experience for your users through single sign on (SSO). In short, SSO allows users that are authenticated into their student information system (SIS) portal to authenticate directly into Coursedog with the click of a button. This eliminates the need for users to create and keep track of a new username and password.
Coursedog integrates with your identity provider through the standard SP SAML (Shibboleth) and CAS protocols. Identity providers include Okta, AWS, Ping Identity, Azure, etc.
This page will guide you through the configuration as well as the end user experience (scroll past the configuration section).
Coursedog offers identity management administrators the tools to set up SSO in a few easy steps.
- Your institution has a unique identifier:
  - Email address (recommended) as the unique identifier for a user, with a 1:1 relationship of user to email (i.e. users don't have multiple email addresses).
  - Unique ID: a unique identifier such as an employee or student ID (e.g. EMPLID, PIDM).
- Users outside of your authentication domain can be set to authenticate via username and password on the individual account level.
- Configure your system to accept Coursedog
- Log into the Coursedog admin console with the credentials provided to you by your customer service (CS) representative and navigate to the "Admin" screen (use the navigation in the upper right hand corner). This should launch you into the "Settings" tab. Scroll down to the "Auth Settings" section on the right.
- Select "SAML" or "CAS" from the drop down.
Note: Once you make this selection it will disable username and password authentication for existing users. Given that, you may want to notify teammates when you are in the configuration and testing process. We recommend setting it back to password until you have SSO configured for the environment.
SP SAML Configuration: Now we will want to fill out each setting as follows for SP SAML (Skip below for CAS).
Below is a sample screenshot of a SAML SP configuration that does not use Single Logout (SLO).
- SAML Certificate/Meta Data: Paste in the value for your ds:X509Certificate. Typically this is found in your certificate file.
Note: If you are using OpenID through Azure AD, please provide your tenant ID to your CS representative. The Coursedog client ID is: b5587ee3-25e3-41b7-84a1-ee35fae192c8
Coursedog Metadata Example (See ds:X509Certificate): https://staging.coursedog.com/metadata.xml
- SAML Login URL: URL that will take the user to an SP SAML login page
- SAML Logout URL: Only set if using Single Logout (SLO):
Note: Most schools leave this blank.
- Redirect: Set to TRUE if not using SLO. Note: If TRUE, you must enter a value in the SAML Redirect URL.
- SAML Redirect URL: This is where you redirect the user upon logout. *Required if Redirect is True
Note: Typically this will be the same as the redirect page above (e.g. https://elbert.edu/sso/saml)
- Attribute (SAML Field): This is how Coursedog associates users between the systems. It is used to map the fields returned from the SAML response to our internal fields. This is required for SSO to function.
- Attribute (School SAML Field): To obtain the correct value, look in a sample SAML response for an email address value. Typically it is found in the nameId. Note: We've noticed examples where the sample response contained NameID but produced an "unable to verify user identity" error. This can sometimes be resolved by changing the Attribute value in Coursedog to be nameId. Coursedog also evaluates the URN value:
- User Property (Coursedog Field): Map the unique identifier value passed from your institution to a Coursedog field. The two options are to a unique email address, or InstitutionID.
- CAS Configuration: Now we will want to fill out each setting as follows for CAS.
Note: Coursedog referrer will be staging.coursedog.com/casArrival and app.coursedog.com/casArrival.
- Authentication Method: CAS
- CAS Server URL: URL for your CAS server (e.g. https://elbert.edu/cas)
- CAS Redirect URL: Where to send the user upon logout (e.g. https://elbert.edu/logout)
- CAS Protocol: Coursedog supports versions 2 and 3 (default is 3.0)
- Attribute (SAML Field): This is how Coursedog associates users between the systems. It is used to map the fields returned from the CAS response to our internal fields. This is required for SSO to function.
- Attribute (School CAS Field): To obtain the correct value, look in a sample CAS response for an email address value. Typically it is found in the email.
- User Property (Coursedog Field): Typically default to email, but can also be InstitutionID for V2. See example below:
Congrats! Once you are confident in the configuration it is time to begin testing. Make sure you have access to a user and your logs.
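Before testing, one way to confirm which field to enter for Attribute (School SAML Field) or Attribute (School CAS Field) is to list every identifier in a sample response and see which ones carry exactly one email address. This is an added example, not Coursedog code: the sample responses are constructed, and the function names and the `user` key are choices made here. It goes slightly beyond the text by excluding multi-valued attributes, which break the 1:1 user-to-email requirement.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
CAS = "{http://www.yale.edu/tp/cas}"
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample responses (not captured from any real identity provider).
SAMPLE_SAML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID>jdoe@elbert.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@elbert.edu</saml:AttributeValue>
      <saml:AttributeValue>john.doe@elbert.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="EMPLID"><saml:AttributeValue>0012345</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_CAS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user>
    <cas:attributes><cas:email>jdoe@elbert.edu</cas:email></cas:attributes>
  </cas:authenticationSuccess></cas:serviceResponse>"""

def candidate_fields(xml_text):
    """Map each identifier field in a SAML or CAS response to its values (no signature check)."""
    fields = {}
    def add(name, elem):
        fields.setdefault(name, []).append((elem.text or "").strip())
    root = ET.fromstring(xml_text)  # inspection only: use a response you captured yourself
    for name_id in root.iter(SAML + "NameID"):
        add("nameId", name_id)
    for attr in root.iter(SAML + "Attribute"):  # keyed by Name, which may be a URN
        for value in attr.iter(SAML + "AttributeValue"):
            add(attr.get("Name"), value)
    for user in root.iter(CAS + "user"):
        add("user", user)  # "user" is a label chosen here for cas:user
    for attrs in root.iter(CAS + "attributes"):
        for child in attrs:
            add(child.tag.replace(CAS, ""), child)
    return fields

def email_fields(xml_text):
    """Fields carrying exactly one email address, i.e. usable as a 1:1 identifier."""
    return sorted(name for name, values in candidate_fields(xml_text).items()
                  if len(values) == 1 and EMAIL.match(values[0]))

if __name__ == "__main__":
    for label, sample in (("SAML", SAMPLE_SAML), ("CAS", SAMPLE_CAS)):
        print(label, candidate_fields(sample), "->", email_fields(sample))
```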
User Experience (Testing your configuration)
With SSO enabled, the user types their email address into the login page and is redirected to their own institution's login page rather than being asked for a password.
We use the entered email address to determine which school they belong to and therefore where to redirect them. Once redirected, the user then logs in as usual on their standard institution login page:
Note: If you prefer to avoid having the user enter their email address before redirect then give your users a URL of the form: /login/<school id>
When users access the URL, they are redirected to the institution portal/login page rather than starting in Coursedog.
When users log out of Coursedog, we can invoke a SAML logout (SLO), or redirect them to a page of their choice.