
Single Sign-on

Authentication Server/Identity Provider Setup
OnDataSuite uses SAML 2.0 to implement single sign-on. You can set it up using Active Directory Federation Services (AD FS), ClassLink, Azure, Google, or any other service that allows you to create single sign-on apps with SAML.

You can download the OnDataSuite metadata file using the links on the Administrator >> Site Settings >> Authentication Settings page under the SAML tab.

OnDataSuite SAML Configuration Values

OnDataSuite SAML configuration values:
Metadata URL/Entity Id: <your-ondatasuite-domain>/index.php/saml/metadata
Example: 999001.ondatasuite.com/index.php/saml/metadata

Assertion Consumer Endpoint: <your-ondatasuite-domain>/index.php/saml/acs
Example: 999001.ondatasuite.com/index.php/saml/acs

Logout Endpoint: <your-ondatasuite-domain>/index.php/saml/sls
Example: 999001.ondatasuite.com/index.php/saml/sls

The x509 certificate is included in the metadata.

Required Claims/Attributes:
Name id: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
This value should be unique for every user and match the usernames of your OnDataSuite users.

User Accounts

Single sign-on only affects the login/logout process in OnDataSuite. User Accounts are still handled using the user administration tools in the admin section of OnDataSuite. The only difference is that passwords are no longer stored in OnDataSuite.

Some changes may need to be made to user accounts when switching over to single sign-on. When a user logs in, your authentication server will send a signed SAML assertion to OnDataSuite that includes a name ID attribute. The value sent as the name ID attribute must match the user’s username, so OnDataSuite knows who is logging in.

You can use the Administration >> User Administration >> User Access Upload page to batch update and create users. The template will include all your current user information. The template can be downloaded at any time, but you must switch your authentication settings to SAML before you can upload the file.

Configure Single Sign-On

Create an admin user account
Before changing the authentication settings, create a user account with the username <district_number>_admin. (ex. 999001_admin). This user should have ODS Administrator privileges. This account will be able to bypass single sign-on to troubleshoot single sign-on issues.

Change the Authentication Settings
Go to Administrator >> Site Settings >> Authentication Settings and click on the SAML Tab. You can either import the settings from your server’s metadata file or fill out the form manually. When the form is filled out, click Save.

Single Logout
Single logout is optional. This feature will log you out of your identity provider when you log out of OnDataSuite. To use this feature, check “Enable Single Logout” and fill in the single logout url in the form input that appears.

In Authentication Settings, select SAML SSO, import your metadata to auto-fill the form, fill in any missing values, then click Save.

Test the Configuration

Test the configuration
Go to the Administrator >> Site Settings >> Test SAML Configuration page. (This page will not be available before you change your authentication settings).

  1. Click “Test” to start the test. You may want to run this test in a different browser or a private browser so you don’t get logged out of your accounts.
  2. You will be redirected to the single sign-on URL. This should be the sign in page for your identity provider. After you sign in you will be redirected back to OnDataSuite.
  3. If single logout is enabled, you will be redirected to the single logout URL and logged out. You should then be redirected back to OnDataSuite.
  4. When the test is finished, you will see a message with the results of the test.

A successful test shows the signed-in user data. A failed test shows the error message with suggestions on how to fix it.
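When a test fails, the usual causes are the ones the User Accounts section above describes: the name ID does not match an OnDataSuite username, or the assertion was issued for the wrong endpoint or entity ID. The script below is an added example, not OnDataSuite’s code: it checks a captured SAML response (a constructed sample is embedded) against the configuration values listed on this page. It assumes the endpoint URLs use https://, which the page omits, and it does not verify the XML signature; the service provider does that with the x509 certificate from the metadata.

```python
# Added example, not OnDataSuite's code. Checks a SAML Response against the SP values
# this page lists. The https:// scheme on the endpoints is an assumption (the page
# omits it); signature verification is left to the SP and its metadata certificate.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sp_values(domain):
    """Entity ID, ACS and SLS endpoints for one OnDataSuite domain."""
    base = f"https://{domain}/index.php/saml"
    return {"entity_id": f"{base}/metadata", "acs": f"{base}/acs", "sls": f"{base}/sls"}

def check_response(xml_text, domain, known_usernames):
    """Return a list of problems; an empty list means the assertion maps to a user."""
    sp = sp_values(domain)
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    # NameID must equal an existing OnDataSuite username (see User Accounts above)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("NameID missing: OnDataSuite cannot tell who is logging in")
    elif name_id not in known_usernames:
        problems.append(f"NameID {name_id!r} matches no OnDataSuite username")
    # Bearer confirmation must be addressed to this site's ACS endpoint
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != sp["acs"]:
        problems.append(f"Recipient {recipient!r} is not the ACS endpoint {sp['acs']}")
    # Audience must be this site's entity ID, not another tenant's
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != sp["entity_id"]:
        problems.append(f"Audience {audience!r} is not the entity ID {sp['entity_id']}")
    return problems

# Constructed sample response for the example site 999001 (not captured traffic)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>jdoe</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://999001.ondatasuite.com/index.php/saml/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://999001.ondatasuite.com/index.php/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Run `check_response(SAMPLE_RESPONSE, "999001.ondatasuite.com", {"jdoe", "999001_admin"})` against the user list exported from the User Access Upload template; an empty result means the assertion would be accepted for that user.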

Signing In

Sign In

You will see a new sign in page when you go to OnDataSuite. Users will click the Sign In button and be asked to sign in to your authentication server. The new admin account you created will click the “Log in as admin” link and see username and password fields to sign in with. No other accounts will be able to log in with a username and password.

Click the Log in as admin button to log in with the <district_number>_admin account.
Updated on 11/05/2021
