Single Sign-On (SSO) Documentation

Last updated August 2021

Available on the Plus or Enterprise Plan

Single sign-on (SSO) allows EdApp to identify users through an external Identity Provider, or IDP.

Instead of registering on the app through an invite code or invitation email, users are directed to their company identity portal, fill in their company login details, and are redirected back to EdApp. This enables a user to log in to multiple systems via a single portal. On EdApp's side a user is internally created to match the user's details sent back from the IDP.

Providers

We provide support for SAML 2.0 based SSO integrations. This includes:

- Active Directory

- Okta

- OneLogin

- Salesforce

- Auth0

- Ping Identity

- All other systems that use SAML 2.0.

Set Up

SSO can be set up via our LMS (admin.edapp.com) with the ‘Single Sign-On’ button in the top right.

Once you have a SAML IDP setup you can fill in the relevant details on this page which will enable SSO for your users.

If you prefer to utilise domain recognition rather than Business ID, please reach out to your account manager with the email domain you wish to set up.

Company ID

The ‘Company ID’ field is used to link your EdApp account to your specific IDP. Firstly, it is entered by your learners at the login page, so it is important to choose a Company ID that is easy for your learners to remember.
Secondly, it is used to identify your account in EdApp when your IDP calls our API to authenticate the user. The ACS (Reply) URL field in your IDP specifies the endpoint in EdApp. The format to enter in your IDP is: https://api.edapp.com/sso-saml-callback/{COMPANY-ID}

For example, if your company ID in EdApp is ‘mycompany’ your ACS (Reply) URL in your IDP would be - https://api.edapp.com/sso-saml-callback/mycompany

SSO URL

This URL will be available in your IDP under the ‘Login URL’ field.

SAML Entity ID

Your entity ID must match the entity ID for this configuration in your IDP. For example, you can use – https://admin.edapp.com

SAML Certificate file

Depending on your IDP you may need to add a certificate file for your SSO to function. This should be provided by your IDP. Consider adding a certificate file even if your IDP doesn’t enforce it to enhance the security of your application.

Security

We support 2-way authentication certificates to provide an additional layer of security.

A certificate can be uploaded to ensure that only users authenticated by your portal's private key can gain access to the EdApp platform.

A second certificate allows your platform to authenticate EdApp when we call your Identity Provider. This guarantees the security of your IDP.

User Synchronization

Users are created in EdApp as soon as they log in to our system using SSO. In the event you wish to create the users in EdApp before they log in with SSO, that can be done through our LMS and with our public API. If a user exists in the system with the same email address as the user signing in through SSO, EdApp will treat them as the same user.

In the event an SSO user needs to be deleted from the EdApp system, this can also be handled through our LMS and through our public API.

Additional Features

SSO integrates seamlessly with EdApp’s Dynamic User Groups feature. Data can be passed from your IDP to EdApp’s system including job title, location, department, and starting date. This information can then be mapped to an EdApp Dynamic User Group which automatically groups your users as soon as they log in to the system!

The way this works is with "Claims" in your IDP and "Custom fields" in EdApp. Every claim you specify is automatically mapped to a "Custom field" in EdApp. For this to work the name of the claim needs to match the custom field name. It is important to leave the "namespace" field in your IDP empty.

Below is an example in Azure AD for a claim that populates the jobtitle field.

The next step is to create the custom field in EdApp via the admin portal:
https://admin.edapp.com/app-settings#panel-user-custom-fields
In the admin portal, the field name is the value that is matched against the claim name. Be sure that the two are exactly the same.
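The checks described above (ACS URL derived from the Company ID, the SAML Entity ID as audience, and claims mapped to custom fields only on an exact name match) as an added example in Python; this is not EdApp's own code, it assumes the IDP's XML signature has already been verified by a SAML library, and the `check_response` function and the sample response are constructed for illustration.

```python
# Added example (not EdApp's code): after the IDP's XML signature has been verified,
# check that a SAML Response is addressed to this EdApp tenant and map claims to
# custom fields by exact name. check_response and SAMPLE are constructed here.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_ID = "https://admin.edapp.com"  # SAML Entity ID from the Set Up section
ACS_TEMPLATE = "https://api.edapp.com/sso-saml-callback/{company_id}"

def check_response(xml_text, company_id, custom_fields, entity_id=ENTITY_ID):
    """Return (ok, reasons, mapped_fields) for a SAML Response document."""
    root = ET.fromstring(xml_text)
    reasons = []
    expected_acs = ACS_TEMPLATE.format(company_id=company_id)
    if root.get("Destination") != expected_acs:
        reasons.append("Destination does not match ACS URL for this Company ID")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        reasons.append("Audience does not match configured SAML Entity ID")
    mapped = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        # A claim only populates a custom field when the name is an exact match,
        # so a namespace-prefixed or differently-cased claim name is ignored.
        if name in custom_fields and values:
            mapped[name] = values[0]
    return (not reasons, reasons, mapped)

# Constructed sample response for the 'mycompany' tenant used in the docs above.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://api.edapp.com/sso-saml-callback/mycompany">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://admin.edapp.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="jobtitle"><saml:AttributeValue>Engineer</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.example/claims/jobtitle"><saml:AttributeValue>Ignored</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "mycompany", {"jobtitle"}))
```

Run it to see that only the claim named exactly `jobtitle` is mapped, while the same claim sent with a namespace prefix is dropped, which is why the namespace field in the IDP must be left empty.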

Single Log Out

In EdApp we support single logout where the user is logged out of EdApp automatically when their session in the IDP expires. In your IDP the logout URL should be like: