
LDAP (Enterprise)

Direct LDAP SSO

Set up Direct LDAP SSO so your users can log in using their LDAP credentials rather than their Schoology username and password. After completing these steps, users in your school may navigate to your custom domain (custom.schoology.com, for example), where they will be directed to the custom LDAP login page. From here, users enter their LDAP credentials and log in to Schoology.

Make sure to configure the school firewall to accept connections to your LDAP server from our IP addresses.

LDAP Settings

To set up LDAP SSO for users at your school, follow these steps:

  1. Click Tools in the header, then choose School Management from the drop-down menu.
  2. Select Integration from the School Management navigation menu.
  3. In the Authentication tab, select Cloud/On-Premise Directory.
  4. Select the LDAP option.

Set your admin server credentials and connect your LDAP server.

  • LDAP Server Address: Enter the external IP address of your LDAP server.
  • Port: You can replace the pre-filled value with the port of your LDAP server if it doesn't use the default port.
  • Directory User UPN and Password: Use the credentials of a user who has read access to your LDAP server.
  • Base DN: Enter the root node in LDAP to search for users and groups.

Map Schoology to LDAP Attributes

Set up how you locate a user in LDAP and establish the link between Schoology and your LDAP service.

You can map from Schoology to LDAP using one of three attributes – Username Attribute, User Email Attribute, or User Unique ID Attribute.

Many fields are pre-populated with example values when you first open the LDAP Integration page. Leave blank every attribute you are not using to match to LDAP, except Username RDN Attribute.

While the Enable Account Creation option is supported for existing customers, Schoology strongly advises new Enterprise organizations to create user accounts through an SIS. Your organization's SIS should be the system of record for student data, rather than an LDAP server. Therefore, we recommend that you provision from the central source of truth to ensure your Schoology instance is populated with an up-to-date and accurate data set.

Attribute Field Descriptions

  • Additional User DN: Pre-pended to the base DN to limit the scope when searching for users.
  • Username RDN Attribute (Required): The attribute you are entering into the login screen to find the user.
  • Username Attribute: If you are mapping on this attribute, it must match the equivalent field in Schoology, since this is the value with which you're establishing a link. In most cases, this area should be the same as the Username RDN Attribute.
  • User First Name Attribute: Attribute used to send the user's first name to Schoology.
  • User Last Name Attribute: Attribute used to send the user's last name to Schoology.
  • User Email Attribute: Attribute used to send the user's email address to Schoology. If you are mapping on this attribute, it must match the equivalent field in Schoology, since this is the value with which you're establishing a link.
  • User Unique ID Attribute: Attribute used to send the user's Unique ID to Schoology. If you are mapping on this attribute, it must match the equivalent field in Schoology, since this is the value with which you're establishing a link.

The Additional Group DN and Group Name Attribute fields are generally not required, but they can be used to further limit the scope when searching for users.

If the values currently set in Schoology for each user's Unique ID are not set in LDAP – for example, users that were created and matched through a Student Information System – you should not use this value for mapping.

Test Login

Once you've successfully established the link to your LDAP server, use the Test Login feature to test the LDAP login. The LDAP user you test must be in both your LDAP and Schoology environments and must be matched by Username, Email, or User Unique ID attributes.

Once you enter the credentials, a success or failure message displays; if you receive a test failed message, click on it for more information.

In the following example, the LDAP Server Connection was successfully established, but the login failed when trying to find the user in LDAP; the failure occurred because the username entered was not valid. This message most likely indicates that you have entered an incorrect Username RDN attribute or that the Username does not exist as an attribute in your LDAP server.

  • LDAP User Lookup: Likely indicates that you have entered an incorrect Username RDN attribute or that the username does not exist as an attribute in your LDAP server.
  • LDAP User Authentication failure: Likely indicates that the password for this user does not match the password in your LDAP server.
  • Schoology User Identification: Depending on the attribute you are using to map, this message likely indicates that you have an incorrect username, email, or user unique ID in Schoology, or that you have values in other attributes and Schoology is trying to match on all values, rather than just on the chosen attribute.
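
An added example, not Schoology's code: a simplified Python model of the three Test Login stages listed above, showing which message each kind of misconfiguration produces. The directory entries, Schoology records, config keys and the `diagnose_login` helper are constructed for illustration.

```python
# Simplified model of the Test Login stages; all data below is constructed.
DIRECTORY = [  # constructed LDAP entries
    {"dn": "uid=jdoe,ou=Students,dc=example,dc=org", "uid": "jdoe",
     "mail": "jdoe@example.org", "employeeNumber": "1001", "password": "s3cret"},
    {"dn": "uid=staff1,ou=Staff,dc=example,dc=org", "uid": "staff1",
     "mail": "staff1@example.org", "employeeNumber": "2001", "password": "pw"},
]
SCHOOLOGY_USERS = [  # constructed Schoology record; unique_id came from an SIS
    {"username": "jdoe", "email": "jdoe@example.org", "unique_id": "SIS-77"},
]
# Mapping field on the integration page -> field on the Schoology record
MAPPING_FIELDS = {"username_attr": "username", "email_attr": "email",
                  "unique_id_attr": "unique_id"}

def search_base(cfg):
    """Additional User DN is prepended to the Base DN to narrow the search."""
    extra = cfg.get("additional_user_dn", "")
    return f"{extra},{cfg['base_dn']}" if extra else cfg["base_dn"]

def diagnose_login(cfg, login, password):
    """Return 'OK' or the name of the first stage that fails."""
    base = search_base(cfg).lower()
    hits = [e for e in DIRECTORY
            if e["dn"].lower().endswith("," + base)
            and e.get(cfg["username_rdn_attr"]) == login]
    if not hits:
        return "LDAP User Lookup"
    entry = hits[0]
    if entry["password"] != password:  # stands in for an LDAP bind as the user
        return "LDAP User Authentication"
    # Every populated mapping attribute takes part in the match, so an example
    # value left in a field you are not mapping on breaks the link.
    active = {f: cfg[k] for k, f in MAPPING_FIELDS.items() if cfg.get(k)}
    for user in SCHOOLOGY_USERS:
        if active and all(user[f] == entry.get(a) for f, a in active.items()):
            return "OK"
    return "Schoology User Identification"
```

In this constructed data the Schoology Unique ID was set by an SIS and does not exist in LDAP, so populating the unique ID mapping fails at the last stage even though lookup and authentication succeed.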

Change Your Landing Page

Once you have successfully established the link to your LDAP server and completed successful login tests, click Save Changes and click on the Custom Domain tab.

Here, you should see that your Domain Type has been set and your Domain Alias has been changed to your school's custom subdomain. These are configured by working with your Schoology representative or the Schoology Onboarding team during your school's implementation process. If these fields are not configured in the Custom Domain tab, contact Schoology Support.

On the Landing Page menu, select LDAP Log In Page and click Save Changes. Changing the landing page is the important final step in enabling your LDAP SSO configuration. Once you click Save Changes, your users will be able to log in to Schoology using your custom domain and LDAP credentials.

To prevent students and teachers from logging in outside of your Custom Domain or Subdomain, System Administrators can enable a permission that ensures users log in using an external authentication provider.