Overview
Once SSO is enabled, users and admins must be configured to use SAML for authentication.
Enable SAML for users
Once SSO is enabled, you can update the following details using the SAML token:
- Aptem login description
- Login description note
- Identity providers
Configuration options
You can modify these options using any of the following:
- Aptem User Interface: Manually enable SSO for each user.
- CSV Upload: Include these fields: Username, Email, SSO Enabled.
- API: Use Aptem’s API for bulk updates.
Method 1: Aptem User Interface
Navigate to the account programme, and click the SAML settings token.
Enable the “SAML” programme component in the account programme.
Choose your Identity Provider from the dropdown list. Or click the "Add more" button to create a new SAML login method. A tab with the given name will be created.
When the SAML component is enabled, an extra button, “Sign in using <Identity Provider Title>”, appears on the Sign In page under the standard “Sign in” widget. Clicking this button redirects to the SAML authentication form, so registered users can sign in using their SAML account.
You can amend the Aptem login description and the Identity providers. You can also define which users SSO is allowed for.
On the detailed SAML settings tab to the right, you can amend the Login description note.
- Login description - this text will be shown on the login page near the SAML button.
- IdP Sign on URL - the URL to which AuthRequests are sent to the IdP.
- IdP Log out URL - the URL to which LogoutRequests are sent.
- IdP provider certificate - the public IdP certificate used to verify signatures on messages received from the IdP.
User-level set up
Once the SSO is enabled, the provider can manually adjust/update the authentication type at the user level.
While creating Learners and Admins via the UI, administrators should specify the Authentication type, SAML Identity provider, and SAML unique id in the ‘Create user’ and ‘Create Admin’ form pages in Aptem Classic. This option is also available in the Learner details section in Console. This allows users to authenticate using Simple SAML or Azure AD accounts.
Method 2: CSV upload
To enable SSO via CSV upload, open the Users Overview tile, click Upload Users, and ensure that your CSV file includes the following fields:
- Username
- SSO Enabled
Method 3: Use Aptem’s API
You can also use the Aptem API to enable SAML and to set up the SSO login screen. Include the following fields in the payload:
{
"authType": "SAML",
"idP": "Azure AD/Simple SAML",
"samlUserId": "student**"
}
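The following script is an added example for the CSV and API methods above; it is not Aptem's own code and makes no call to the Aptem API. It validates a constructed CSV upload (columns Username, Email, SSO Enabled, with Email treated as optional since Method 2 lists only Username and SSO Enabled), rejects rows an upload would silently mishandle (empty username, duplicate username, a non-boolean SSO flag), and then builds the per-user payload shown above. Assumptions: the SAML unique id defaults to the username unless the IdP asserts a different identifier, the IdP title passed in must be one already configured, and the sample usernames and e-mail domains are constructed.

```python
import csv
import io
import json

# Constructed sample upload (not real Aptem data). Columns follow the page.
SAMPLE_CSV = """Username,Email,SSO Enabled
alice.smith,alice@uni1.example,true
bob.jones,bob@contractor.example,Yes
carol.white,carol@uni2.example,false
,dave@uni3.example,true
erin.black,erin@uni1.example,maybe
frank.green,frank@uni1.example,true
"""

REQUIRED_COLUMNS = ("Username", "SSO Enabled")
TRUE_VALUES = {"true", "yes", "1"}
FALSE_VALUES = {"false", "no", "0"}
# Assumption: IdP titles configured on the SAML settings tab (names taken from the page).
CONFIGURED_IDPS = {"Azure AD", "Simple SAML"}


def parse_sso_flag(value):
    """Return True/False for an 'SSO Enabled' cell, or None if it is not a recognised boolean."""
    v = (value or "").strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    return None


def validate_upload(text):
    """Check a CSV upload. Returns (rows, errors): rows are clean dicts with a boolean
    'sso_enabled'; errors are readable strings with 1-based CSV line numbers."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], ["missing required column(s): " + ", ".join(missing)]
    rows, errors, seen = [], [], set()
    for line_no, rec in enumerate(reader, start=2):  # header is line 1
        username = (rec.get("Username") or "").strip()
        if not username:
            errors.append(f"line {line_no}: empty Username")
            continue
        if username in seen:
            errors.append(f"line {line_no}: duplicate Username {username!r}")
            continue
        flag = parse_sso_flag(rec.get("SSO Enabled"))
        if flag is None:
            errors.append(f"line {line_no}: SSO Enabled must be true/false, got {rec.get('SSO Enabled')!r}")
            continue
        seen.add(username)
        rows.append({"username": username, "email": (rec.get("Email") or "").strip(), "sso_enabled": flag})
    return rows, errors


def build_api_payload(row, idp, saml_user_id=None):
    """Build the per-user payload from the page (authType / idP / samlUserId).
    Assumption: samlUserId defaults to the username; pass saml_user_id when the IdP
    asserts a different identifier. Returns None for users without SSO."""
    if idp not in CONFIGURED_IDPS:
        raise ValueError(f"unknown identity provider {idp!r}")
    if not row["sso_enabled"]:
        return None
    return {"authType": "SAML", "idP": idp, "samlUserId": saml_user_id or row["username"]}


def duplicate_saml_ids(payloads):
    """Return samlUserId values shared by more than one payload: two Aptem accounts
    mapped to one IdP identity is a configuration error worth catching before upload."""
    ids = [p["samlUserId"] for p in payloads]
    return sorted({i for i in ids if ids.count(i) > 1})


def payloads_for_upload(text, idp):
    """Validate the CSV and return (payloads, errors) for the users that have SSO enabled."""
    rows, errors = validate_upload(text)
    payloads = [p for p in (build_api_payload(r, idp) for r in rows) if p is not None]
    dupes = duplicate_saml_ids(payloads)
    if dupes:
        errors.append("duplicate samlUserId values: " + ", ".join(dupes))
    return payloads, errors


if __name__ == "__main__":
    payloads, errors = payloads_for_upload(SAMPLE_CSV, "Azure AD")
    for e in errors:
        print("ERROR:", e)
    print(json.dumps(payloads, indent=2))
```

Run the script on your real export before uploading: any line reported under ERROR would otherwise be skipped or mis-set during the upload, and a duplicate samlUserId means two accounts would accept the same IdP identity.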
SSO login screen
Depending on the Authentication type you select, users will see a different screen when they log in.
Notes
- SSO is not restricted to the provider organisation’s email. It can be enabled for students and admins with different emails.
- SSO can be enabled for multiple organisations within the tenant (e.g. a consortium that has many providers under its umbrella: Russell Group – Uni1, Uni2, Uni3. Russell Group is the tenant/main provider.)
- Users with SSO cannot change their password within Aptem.
- Multi-Factor Authentication (MFA) is incompatible with SSO. MFA will cease once SSO is enabled.