This article explains how to configure a custom SAML (Security Assertion Markup Language) application in Google so your users can authenticate into Pearson Connexus with their Google credentials.
Many of the following steps are modified from the provided Google directions found at Set up your own custom SAML application. If any of them are out of date, refer to the Google article.
Requirements:
- Your institution must have a G Suite account.
- For a user to authenticate using Google SSO, their username in Pearson Connexus must match their G Suite email address.
Set up your own SAML app for Pearson
- Sign in to your Google Admin console.
- From the Admin console Home page, open Apps.
- Open Web and mobile apps.
- Select the Add app dropdown, then select Add custom SAML app.
- Enter the App Name (Pearson Connexus).
- Download the IDP metadata. You will use this when configuring Pearson Connexus.
- In the Service Provider Details window, add an ACS URL, an Entity ID, and a Start URL. Use the following URLs (this information can also be found at https://dlap.gradpoint.com/SAML/USERSPACE/metadata.xml):
- ACS (AssertionConsumerService) URL: https://dlap.gradpoint.com/SAML/USERSPACE/Consumer
- Entity ID: https://dlap.gradpoint.com/SAML/USERSPACE
- Start URL: https://USERSPACE.lms.pearsonconnexus.com/home
Note: Replace “USERSPACE” with your domain’s userspace wherever it appears.
Leave Signed response unchecked.
- If you want to attach additional information to the app (e.g., names, email, titles):
  - Select Add mapping.
  - Open the Google directory attributes dropdown, then select the attribute you want to add.
  - Provide the corresponding name in App attributes.
- Select Finish.
Note: You can define a maximum of 1500 attributes across all apps. Because each app has one default attribute, the total includes the default attribute plus any custom attributes you add.
In the Basic Application Information window, add an application name (e.g., Pearson Connexus) and description.
Google shows you a summary of the SAML configuration. From this screen you can make changes, including turning the app on or off for everyone.
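A quick way to confirm that the Entity ID and ACS URL you typed into the Google app match what the Pearson Connexus metadata file declares (and that the USERSPACE placeholder was actually replaced). This is an added example, not Pearson or Google code; the metadata below is a constructed sample for a hypothetical userspace "exampleschool".

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata for a hypothetical userspace "exampleschool",
# shaped like the documented ACS URL and Entity ID; fetch the real file from
# https://dlap.gradpoint.com/SAML/<USERSPACE>/metadata.xml for your own check.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://dlap.gradpoint.com/SAML/exampleschool">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dlap.gradpoint.com/SAML/exampleschool/Consumer" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the entityID, ACS URLs and NameID formats declared in SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)],
        "name_id_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
    }


def check_google_config(google_entity_id, google_acs_url, metadata_xml):
    """Compare the Entity ID and ACS URL typed into the Google SAML app with the
    SP metadata. Returns a list of problems; an empty list means they agree."""
    meta = parse_sp_metadata(metadata_xml)
    problems = []
    for label, value in (("Entity ID", google_entity_id), ("ACS URL", google_acs_url)):
        if "USERSPACE" in value:  # the placeholder from the article was left in place
            problems.append(f"{label}: replace USERSPACE with your domain's userspace")
    if google_entity_id != meta["entity_id"]:
        problems.append(f"Entity ID mismatch: metadata declares {meta['entity_id']}")
    if google_acs_url not in meta["acs_urls"]:
        problems.append(f"ACS URL mismatch: metadata declares {meta['acs_urls']}")
    return problems


if __name__ == "__main__":
    for p in check_google_config("https://dlap.gradpoint.com/SAML/USERSPACE",
                                 "https://dlap.gradpoint.com/SAML/USERSPACE/Consumer",
                                 SAMPLE_METADATA):
        print(p)
```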
Local-only email Name ID support
Pearson Connexus SAML SSO supports email address Name ID when the Pearson Connexus username is used as the local-part of the associated email address (everything before the @ symbol).
For example, if a SAML authentication request comes through with a Name ID format of an email address (nameid-format:emailAddress), then Pearson Connexus will look for the user with the full email address as a Pearson Connexus username (e.g., john.student@example.com).
- If the user is found, they are allowed to access Pearson Connexus.
- If Pearson Connexus is unable to find the user by the full email address, then Pearson Connexus searches for a user with the local-part (everything before the @) of the email address (e.g., john.student). If a user is found with the local-part, the user is allowed to access Pearson Connexus.
- If no user is found by either the full email address or the local-part, then Pearson Connexus will tell the user that no matching user can be found.
To take advantage of this feature with Google SSO authentication, you may need to update your Service provider details in the Google SAML app settings to use the EMAIL as the Name ID.
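A small model of the lookup order described above, added here as an example and not Pearson Connexus code. The user table is constructed, and treating a non-email Name ID as an exact-match-only lookup is an assumption; the function reports which rule matched so the result can be logged.

```python
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed Pearson Connexus usernames for one userspace: some are full
# email addresses, some are bare local-parts.
USERNAMES = {"john.student@example.com", "maria.teacher", "admin"}


def local_part(address):
    """Everything before the first @ symbol."""
    return address.split("@", 1)[0]


def resolve_user(name_id, name_id_format, usernames=USERNAMES):
    """Model of the lookup described above. Returns (username, how) where how is
    'exact' or 'local-part', or (None, reason) when no account matches."""
    # Step 1: the full Name ID as a Pearson Connexus username.
    if name_id in usernames:
        return name_id, "exact"
    # Step 2 only applies to email-address Name IDs (assumption: other formats
    # are exact-match only).
    if name_id_format != EMAIL_FORMAT or "@" not in name_id:
        return None, "no matching user can be found"
    # Step 2: the local-part of the email address. The domain after the @ plays
    # no part here, so the same local-part from any domain resolves to one user.
    candidate = local_part(name_id)
    if candidate in usernames:
        return candidate, "local-part"
    return None, "no matching user can be found"
```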
Turn On SSO to your New SAML App
- Sign in to your Google Admin console.
- From the Admin console Home page, select Apps.
- Open Web and mobile apps.
- Select your new SAML app.
- Select the User access card.
- The top-level organization and any organizational units appear on the left. Ensure your user account email IDs match those in the domain for your Google service (e.g., studentname@school.com).
- Select ON for everyone to enable SSO for the listed organizations.
- Select Save.
Note: Once enabled, some users will be able to attempt to authenticate into Pearson Connexus with their Google credentials. However, they will not successfully be able to do so until you have configured Pearson Connexus to use the Google SSO in the following section.
Configure Pearson Connexus to use Google SSO
- Go to the Admin app in Pearson Connexus for the USERSPACE you configured in Google.
- Open the vertical menu in the toolbar of Domain Details and select Domain Settings.
- From the Authentication card, select SAML as your authentication Type. Do not choose the old version of SAML.
- Select Add identity provider (IdP).
- Provide the Login prompt. This is what appears on the login button. If you have only one IdP, this defaults to Login; if you have more, you can label each one appropriately.
- Upload the idp-meta XML file that you downloaded from Google.
- The Metadata resource path and Provider ID are automatically populated.
- Select Done.
- Provide a Logout redirect URL if you want users to be taken to somewhere other than the Pearson Connexus login screen when they sign out.
- Indicate if you want to Prevent users from using Pearson Connexus credentials. If you don't select this, you have the option to Allow users to create their own accounts rather than requiring they be created for them. You will also be able to set up your password policy.
- Select Save.