SAML Single Sign-On (SSO) Setup and Configuration
To complete SAML SSO setup:
Step 1 — In your System Admin account, click Tools at the top of the page.
Step 2 — Select School Management from the drop-down menu.
Step 3 — Click the Authentication tab.
Step 4 — Click Cloud/On Premise Directory.
Step 5 — Select SAML.
Step 6 — Fill in the fields in the SAML Settings area.
- ID Attribute: Enter the SAML attribute used to identify the Schoology account. Leave blank to use Name ID as the attribute.
- Match ID to Schoology Account Using: SAML requires matching an attribute from the SAML Server (IdP) to the Schoology attribute you select in this menu. Common SAML attributes include mail, sAMAccountName, or UserID. Depending on the configuration of your IdP, attribute names may be sent as URNs, such as urn:oid:18.104.22.168.4.1.14519.1.1. Select the field in Schoology you will match to the SAML ID attribute:
- Unique ID
- Error URL: Enter the URL to which to direct users if an error occurs. If left blank, a Schoology-generated error page will be used.
- Metadata URL: Enter your SAML Identity Provider (IdP) Metadata URL.
- If using ADFS as a SAML IdP, you would enter https://[ADFS Server Host]/FederationMetadata/2007-06/FederationMetadata.xml.
- After entering the Metadata URL, click the Fill Fields Below from Metadata URL button that displays to automatically fill in the rest of the fields. Optional: You may also fill in the Login URL, Logout URL, X.509 Certificate fields manually.
Note: If using a custom subdomain or custom domain, the SP Metadata URL should contain the custom domain. If you go to Schoology without using the custom domain, the metadata URL listed on the config page will be incorrect (as it will not contain the custom domain).
Step 7 — Determine your logout strategy.
In the Logout Type menu, select:
- Standard: For standard logout, users are directed to the page specified in the Logout URL field after logout. (For example, the homepage for a district or college.)
Note: When users log out of Schoology, they may still be logged into the SAML server until they close the browser window. This means that when they navigate back to the account's domain or custom subdomain, they're still logged into Schoology. Many SAML providers have an option that allows the user to log out completely after logging out of Schoology. For example, if you're using ADFS, you would select Standard in the Logout Type menu and in the Logout URL field enter https://[ADFS Server Host]/adfs/ls/IdpInitiatedSignon.aspx.
- SLO: Select for SAML Single Logout – that is, users are logged out of all logged in SAML services. SLO must be configured on your IdP to use this option. Enter the SLO endpoint in the Logout URL field. or example, For ADFS, the SLO endpoint is typically https://[ADFS Server Host]/adfs/ls/?wa=wsignout1.0.
- X.509 Certificate: Paste the token-signing certificate for the SSO request here. Make sure this matches the current certificate in your metadata.
Step 8 — Click Save Changes to complete.
Step 9 — If you are using a custom domain or subdomain, toggle into the Custom Domain tab. Change the Landing Page field to your custom domain or subdomain. This step must be completed so that navigating to your custom domain or subdomain will automatically kick off the SAML workflow.
You're done! You can now test the SAML login workflow by going to https://[Custom Domain]/login/saml.
Best Practice: To prevent students and teachers from logging in outside of your Custom Domain or Subdomain, System Administrators can enable the permission for specific roles to Ensure user logs in using external authentication provider.
Note: You can use the SP Metadata URL listed at the top of the page to configure the Schoology metadata in your SAML IdP. This URL will not contain metadata until you have fully configured the SAML integration in Schoology and saved your settings.