Introduction
This article shows how to authenticate users with the SAML protocol for SSO (Single Sign-On). SSO simplifies password management, increases security, and lets students log into Accudemia from their college's own portal rather than from the standard Accudemia webpage/URL (similar to https://<mycollege>.accudemia.net). The steps below explain how to accomplish this.
Important! Prior knowledge of how an IDP (Identity Provider) system (MS Azure, ADFS, Shibboleth, etc.) works will be helpful when following the steps outlined in this article.
Step-by-Step
1. Configuring your IDP for using SAML protocols
Note: To configure an Identity Provider (IDP), the Accudemia SAML Metadata from your Accudemia account is required. It can be found at the following link, after replacing <your-domain> in the URL with your own domain:
https://<your-domain>.accudemia.net/saml/metadata.aspx
1. Copy all the metadata from the previous link and paste it into the IDP where prompted; the IDP should then fill in the Entity ID and the other required fields as needed. For help with some popular apps, refer to these links:
- Microsoft Azure: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-adfs-saml-based-sso
- Shibboleth SSO: https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199505973/SAMLAuthnConfiguration
- Instructure Canvas IDP: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Canvas-LMS.html
2. Set the IDP up to send, as the value of the NameID field under the Subject tag, the matching Primary User ID (typically a formatted ID number) or the Alternate/Secondary User ID (typically unformatted, such as an email address or part of one, and uploaded into Accudemia specifically for SSO purposes).
Note: The user ID is not sent as a separate SAML attribute; it is carried by the NameID tag defined under the Subject node/tag in the XML.
The Subject portion of the SAML authentication message should look like the following XML:
<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">111-11-1111</saml:NameID>
    ...
</saml:Subject>
Configuring the NameID claims rule using Active Directory Federation Services (ADFS)
This process is similar on MS Azure and other systems. Follow these steps to send the NameID in the Subject tag:
1. Open AD FS Management and navigate to Trust Relationships > Claims Provider Trusts, then right-click the provider and select Edit Claim Rules.
2. Click the Add Rule button and add the "employee number" and "Name ID to Name ID" rules.
3. Send the LDAP attribute as a claim by creating a rule of type "Send LDAP Attributes as Claims." Set the desired attribute to authenticate from AD, for example Employee Number.
4. Create a "Transform an Incoming Claim" rule as the second rule.
5. Finally, transform the NameID to the Subject as the third rule.
For more information, watch the following instructional video or read the appropriate documentation:
- Configuring Claims Provider and Relying Party Trusts in Windows Server 2012
- Microsoft Learn - Customize SAML token claims
- Shibboleth - CustomNameIDGenerationConfiguration: Dealing with "Unspecified"
2. Configuring Accudemia for SSO
1. Log into Accudemia.
2. Go to Administration > Control Panel from the main menu and select the User Accounts section on the Control Panel screen. (Select the "college-level" when prompted in the pop-up.)
3. Scroll down to the SAML Single Sign-On section (or use the left-side navigation to jump down the page) and enable SSO by checking the box labeled "Enable SAML SSO."
NOTE: We will need at least three things from the IDP's (Identity Provider's) metadata file:
- Sign-in URL (your IDP's entity ID from metadata)
- Public Certificate
- Logout URL
Providing this information is how Accudemia knows where users will be coming from and where to direct them after they log out of our system, with the IDP's certificate required to match what we have on record. Optionally, you can provide an error page (hosted on your IDP) to which users who have difficulty logging in are sent.
If the Primary User ID cannot easily be used to identify your users, you can enable an Alternate/Secondary User ID to authenticate the users sent to Accudemia. Keep in mind that this Alternate/Secondary ID must also be included in the data uploaded into that field in Accudemia.
4. Save this information by scrolling back to the top of the screen and clicking the Save Changes button.
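The following is an added example (not Accudemia's or any IDP vendor's code) that pulls the values the section above asks for out of an IDP metadata file (entity ID, sign-in URL, signing certificate, logout URL) and checks that an assertion carries the user ID in Subject/NameID as required in the IDP configuration section. The metadata and assertion are constructed samples; idp.example.edu and its URLs are placeholders.

```python
import xml.etree.ElementTree as ET

# Added example (not Accudemia's or an IDP vendor's code); the metadata and assertion below are constructed samples.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...EXAMPLE...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Return the entity ID, sign-in URL, signing certificate and logout URL from IDP metadata."""
    root = ET.fromstring(metadata_xml)  # use defusedxml for metadata files you did not produce yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    if key is None:  # IDPs that omit use= mean the one key serves both signing and encryption
        key = idp.find("md:KeyDescriptor", NS)
    cert = key.find(".//ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": idp.find("md:SingleSignOnService", NS).get("Location"),
        "certificate": "".join(cert.text.split()),  # strip PEM-style line breaks
        "logout_url": idp.find("md:SingleLogoutService", NS).get("Location"),
    }

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">111-11-1111</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

def subject_name_id(assertion_xml):
    """Return (Format, value) of Subject/NameID, or None when the ID is not carried in Subject."""
    name_id = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.get("Format"), name_id.text.strip()
```

Compare the returned certificate with the one you pasted into Accudemia; a mismatch means the IDP rotated its signing key and logins will fail until the record is updated.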
3. Test to make sure it works.
Go to your normal Accudemia website (similar to https://<mycollege>.accudemia.net) and check that it sends students to the school's portal. Attempt to log in with a student's credentials; if you get in as that student, you're done!