SAML authentication can be used to establish a secure single sign-on (SSO) connection between Pearson Connexus and an external identity provider (IdP).
|Identity provider (IdP)||The IdP is used to identify users based on credentials. The IdP provides the login screen interface and presents information about the authenticated user to the SP after successful authentication.
Examples: Google Apps, ADFS, PowerSchool
|Metadata||Information about the SP or IdP is often referred to as the SP metadata or IdP metadata. This metadata should be provided as XML and is used by the SP and IdP to inform each one about the settings and URLs of the other.|
|Security Assertion Markup Language (SAML)||This is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an IdP and an SP.|
|Service provider (SP)||An SP is a website providing information and other tools to the authenticated user. For these instructions, Pearson Connexus is the SP.|
|Single sign-on (SSO)||This is an authentication service that permits a user to use one set of login credentials (e.g., username and password) to access multiple applications.|
How does SAML SSO work?
SAML in Pearson Connexus is initiated by a user. This is the basic process:
- The user selects Login from the login web page.
Note: Pearson Connexus only supports SP-initiated SSO.
- Pearson Connexus generates a SAML request and redirects the web page to the IdP.
- The IdP receives the SAML request and verifies the user. If the user is not already authenticated into the IdP, the user will be prompted to authenticate.
- IdP sends SAML response to Pearson Connexus and redirects the web page to Pearson Connexus.
Pearson Connexus requires the SAML response to contain the following attributes:
- NameId (must match the user's Pearson Connexus username)
- Pearson Connexus receives and verifies the SAML response.
- Pearson Connexus grants the user access.
How to Set Up SAML Authentication
To set up SAML authentication:
- Access the SP (Pearson Connexus) metadata file using the following URL (replace the bolded text with the userspace name):
- Go to the IdP and create a new SAML configuration. Each IdP is different for configuring and setting up a new SAML configuration. Users may need to consult an expert (or the internet).
- The IdP will then ask to either (a) enter, (b) upload, (c) copy and paste, or (d) provide the URL to the SP metadata (see step 1). If optional, enter the URL as it could dynamically pull the information into the IdP from the SP, reducing the need for future changes.
- Once configured and available in the IdP, download the IdP metadata file.
- Rename the downloaded IdP metadata file as
- Complete the SAML steps in this article (use the
idp-meta.xmlfile in step 3): How do I enable Single Sign-On (SSO) in Connexus EMS?
- Attempt to log in to Pearson Connexus using the new SAML integration.
Some IdPs do not allow their service to be loaded inside of another web page. If the IdP does not load (e.g., blank screen), the option to select Open in new window when configuring the SAML integration needs to be added when completing step 6.