Direct LDAP SSO
Set up Direct LDAP SSO so that your users can log in with their LDAP credentials rather than a Schoology username and password. After completing these steps, users at your school navigate to your custom domain (for example, custom.schoology.com) and are directed to the custom LDAP login page, where they enter their LDAP credentials to log in to Schoology.
Note: Schoology connects to your LDAP server from outside your network, so configure the school firewall to accept connections to the LDAP server from our IP addresses (and not from the internet at large).
Step 1: LDAP Settings
To set up LDAP SSO for users at your school, follow these steps:
- In your System Admin account, click System Settings on the left side of the home page.
- Select Integration.
- In the Authentication tab, select Cloud/On Premise Directory.
- Select LDAP.
Then, set your admin server credentials and connect your LDAP server:
- LDAP Server Address: Enter the external (publicly reachable) IP address of your LDAP server.
- Port: Replace the pre-filled value with your LDAP server's port if it does not use the default port.
- Directory User UPN and Password: The credentials of a directory account that has read access to your LDAP server. Schoology binds with these credentials to look up users, so use a dedicated service account with no more than read access rather than an administrator's account.
- Base DN: Enter the root node in LDAP to search for users and groups.
Step 2: Map Schoology to LDAP Attributes
Set up how you locate a user in LDAP and establish the link between Schoology and your LDAP service.
- You can map from Schoology to LDAP using one of three attributes – Username Attribute, User Email Attribute, or User Unique ID Attribute.
- Many fields are pre-populated with example values when you first open the LDAP Integration page. Leave blank every attribute field you are not matching on, with the exception of the Username RDN Attribute, which is always required; values left in unused fields are treated as additional match criteria and cause the Schoology User Identification test to fail.
Example attribute fields (screenshots on the original page) were shown for three cases: matching on Username, matching on Email, and matching on User Unique ID.
If you plan to use the Enable Account Creation feature, contact your Schoology Implementation or Project Specialist for assistance.
Attribute Field Descriptions
- Additional User DN: Pre-pended to the base DN to limit the scope when searching for users.
- Username RDN Attribute (Required): The attribute you are entering into the login screen to find the user.
- Username Attribute: If you are mapping on this attribute, it must match the equivalent field in Schoology, since this is the value with which you're establishing the link. In most cases this field should be the same as the Username RDN Attribute.
- User First Name Attribute: Attribute used to send the user's first name to Schoology.
- User Last Name Attribute: Attribute used to send the user's last name to Schoology.
- User Email Attribute: Attribute used to send the user's email address to Schoology. If you are mapping on this attribute, it must match the equivalent field in Schoology, since this is the value with which you're establishing a link.
- User Unique ID Attribute: Attribute used to send the user's Unique ID to Schoology. If you are mapping on this attribute, it must match the equivalent field in Schoology, since this is the value with which you're establishing a link.
Note: If the values currently set in Schoology for each user's Unique ID are not set in LDAP – for example, users that were created and matched through a Student Information System – you should not use this value for mapping.
The Additional Group DN and Group Name Attribute fields are generally not required, but they can be used to further limit the scope when searching for users.
Step 3: Test Login
Once you've successfully established the link to your LDAP server, use the Test Login feature to test the LDAP login. The LDAP user you test must be in both your LDAP and Schoology environments, and must be matched by Username, Email, or User Unique ID attributes.
Once you enter the credentials, a success or failure message displays; if you receive a test failed message, click on it for more information.
In the following example, the LDAP Server Connection was established, but the login failed while trying to find the user in LDAP because the username entered was not valid. The Test Login result names the stage at which the check failed:
- LDAP User Lookup: Likely indicates that you have entered an incorrect Username RDN Attribute, or that no entry under the Base DN (and Additional User DN, if set) carries that username in the attribute.
- LDAP User Authentication: Likely indicates that the password entered does not match the password for this user in your LDAP server.
- Schoology User Identification: Depending on the attribute you are mapping on, this indicates either that the username, email, or User Unique ID in Schoology does not match the value in LDAP, or that you have left values in other attribute fields, so Schoology is trying to match on all of them rather than only on the chosen attribute.
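The following is an added example, not Schoology's own code, that models the four Test Login stages described above and the attribute mapping from Step 2 against a small in-memory directory (constructed here so it runs offline; the names jdoe, sroe, the DNs, the attribute names sAMAccountName, mail and employeeID, and the class and function names are assumptions for illustration). It shows why unused mapping fields must be left blank, how Additional User DN narrows the lookup, and why the value typed into the login page has to be escaped before it is placed into the lookup filter: an unescaped `*` would match every entry instead of one user.

```python
import re
from dataclasses import dataclass


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so that text
    typed into the login form cannot change the meaning of the lookup filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(attr: str, raw_value: str) -> str:
    """Filter for the LDAP User Lookup stage: (UsernameRDNAttribute=<login value>)."""
    return f"({attr}={ldap_escape(raw_value)})"


@dataclass
class LdapConfig:
    base_dn: str
    username_rdn_attr: str          # required: attribute the login-form value is looked up in
    additional_user_dn: str = ""    # pre-pended to the Base DN to narrow the user search
    username_attr: str = ""         # fill exactly one of these three mapping attributes
    email_attr: str = ""
    unique_id_attr: str = ""

    def search_base(self) -> str:
        return f"{self.additional_user_dn},{self.base_dn}" if self.additional_user_dn else self.base_dn

    def mapping(self) -> dict:
        """Schoology field -> LDAP attribute, for every mapping field that is populated."""
        pairs = (("username", self.username_attr), ("email", self.email_attr),
                 ("unique_id", self.unique_id_attr))
        return {field: attr for field, attr in pairs if attr}


class FakeDirectory:
    """In-memory stand-in for the school's LDAP server (constructed for this example)."""

    def __init__(self, entries: dict, passwords: dict):
        self.entries, self.passwords = entries, passwords   # dn -> attrs, dn -> password

    @staticmethod
    def _to_regex(pattern: str) -> str:
        out, i = "", 0
        while i < len(pattern):
            if pattern[i] == "\\":                  # \xx hex escape -> literal character
                out += re.escape(chr(int(pattern[i + 1:i + 3], 16)))
                i += 3
            elif pattern[i] == "*":                 # unescaped '*' is an LDAP wildcard
                out += ".*"
                i += 1
            else:
                out += re.escape(pattern[i])
                i += 1
        return out

    def search(self, base: str, flt: str) -> list:
        """Evaluate one equality filter '(attr=pattern)' under 'base'; returns [(dn, attrs)]."""
        attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
        rx = self._to_regex(pattern)
        return [(dn, a) for dn, a in self.entries.items()
                if dn.lower().endswith(base.lower())
                and a.get(attr) is not None and re.fullmatch(rx, a[attr])]

    def bind(self, dn: str, password: str) -> bool:
        return self.passwords.get(dn) == password


def run_test_login(directory, cfg: LdapConfig, schoology_users: list, username: str, password: str):
    """Return (stage, detail); stage is 'ok' when all four Test Login stages pass."""
    if directory is None:
        return "LDAP Server Connection", "could not connect to the LDAP server"
    hits = directory.search(cfg.search_base(), build_filter(cfg.username_rdn_attr, username))
    if len(hits) != 1:
        return "LDAP User Lookup", f"{len(hits)} entries matched {cfg.username_rdn_attr}"
    dn, attrs = hits[0]
    if not directory.bind(dn, password):
        return "LDAP User Authentication", f"simple bind as {dn} failed"
    mapping = cfg.mapping()
    # Every populated mapping field must match, which is why unused fields are left blank.
    matches = [u for u in schoology_users if all(u[f] == attrs.get(a) for f, a in mapping.items())]
    if len(matches) != 1:
        return "Schoology User Identification", f"{len(matches)} users matched on {list(mapping)}"
    return "ok", matches[0]["username"]


# Constructed sample data: two directory entries and the matching Schoology accounts.
JANE = "CN=Jane Doe,OU=Staff,DC=school,DC=example"
SAM = "CN=Sam Roe,OU=Students,DC=school,DC=example"
DIRECTORY = FakeDirectory(
    entries={JANE: {"sAMAccountName": "jdoe", "mail": "jdoe@school.example", "employeeID": "10042"},
             SAM: {"sAMAccountName": "sroe", "mail": "sroe@school.example", "employeeID": "20017"}},
    passwords={JANE: "correct-horse", SAM: "battery-staple"},
)
# Unique IDs here were assigned by an SIS import and do not exist in LDAP, so they must not be mapped.
SCHOOLOGY_USERS = [
    {"username": "jdoe", "email": "jdoe@school.example", "unique_id": "SIS-10042"},
    {"username": "sroe", "email": "sroe@school.example", "unique_id": "SIS-20017"},
]
BASE = "DC=school,DC=example"
CFG_USERNAME = LdapConfig(BASE, "sAMAccountName", username_attr="sAMAccountName")
CFG_EMAIL = LdapConfig(BASE, "sAMAccountName", email_attr="mail")
CFG_STAFF_ONLY = LdapConfig(BASE, "sAMAccountName", additional_user_dn="OU=Staff", username_attr="sAMAccountName")
CFG_OVERFILLED = LdapConfig(BASE, "sAMAccountName", username_attr="sAMAccountName", unique_id_attr="employeeID")

if __name__ == "__main__":
    for cfg, user, pw in ((CFG_USERNAME, "jdoe", "correct-horse"), (CFG_USERNAME, "jdoe", "wrong"),
                          (CFG_STAFF_ONLY, "sroe", "battery-staple"), (CFG_OVERFILLED, "jdoe", "correct-horse")):
        print(run_test_login(DIRECTORY, cfg, SCHOOLOGY_USERS, user, pw))
```

CFG_OVERFILLED reproduces the Schoology User Identification failure from the list above: the username matches, but the extra User Unique ID mapping compares the LDAP employeeID against an SIS-assigned ID that LDAP never had. CFG_STAFF_ONLY shows a student login failing at LDAP User Lookup once Additional User DN restricts the search to OU=Staff.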
Step 4: Change Your Landing Page
Once you've successfully established the link to your LDAP server and completed successful login tests, click Save Changes and click on the Custom Domain tab.
Here, you should see that your Domain Type has been set and your Domain Alias has been changed to your school's custom subdomain. These are configured by working with your Schoology Implementation or Project Manager during your school's implementation process. If these fields are not configured in the Custom Domain tab, contact Schoology Support.
Change the Landing Page dropdown from Schoology Log In to LDAP Log In Page and click Save Changes. Changing the landing page is the important final step in enabling your LDAP SSO configuration. Once you click Save Changes, your users will be able to log in to Schoology using your custom domain and LDAP credentials.