This article details how to configure G-suite for use with Education Perfect's Single Sign-On (SSO) system.
The SSO setup process
Adding SAML App to G-Suite
- From the G-Suite Admin console Home page, go to Apps and then SAML apps. (To see Apps on the Home page, you might have to click More controls at the bottom.)
- Click the plus (+) icon in the bottom corner.
- On the Enable SSO For SAML Application screen, select Setup my own custom app.
- On the Google IdP Information screen, under Option 2, click the Download button next to IDP metadata. This will download a metadata file which you will need to send to us to configure SSO for your school. Click Next
- On the Basic information for your Custom App page for Application Name enter "Education Perfect". If you would like to include an image you can download a copy of our logo from this link. Click Next
- On the Service Provider Details screen, enter the following:
- ACS URL: https://sso.educationperfect.com/sso/saml2
- Entity ID: https://sso.educationperfect.com
- Start URL: https://www.educationperfect.com/app/#/dashboard
- Signed Response: Leave unchecked.
- Name ID: Basic Information, Primary Email.
- Name ID Format: PERSISTENT.
- Click Next
- On the Attribute Mapping screen, click Finish
- You should now see Education Perfect in the list of SAML apps, but it will not be enabled. Click on the newly set up app then Edit Service and then turn it on for everyone (as below) or for specific organisational units as appropriate, and click Save. As noted, it may take up to 24 hours for this change to take effect for all users.If you do not turn the Education Perfect app on for your users they will see the following error message when trying to log into Education Perfect:
- Please send the following to firstname.lastname@example.org so we can complete the set up:
- The IDP metadata file you downloaded
- G-Suite credentials (username and password) for a test student and test teacher account so that we can check the integration is working. Please ensure that these credentials match the conventions in place for your other users - this includes roles and group membership as applicable in your system.
- Please note, that users will need to be signed into their school-affiliated Google account in order to be able to log in via SSO(or at the least, not signed into a different Google account)
Match existing users to their G-Suite accounts
If your students have already been using Education Perfect without a G-Suite integration, their EP accounts will need to be linked to the unique identifier G-Suite uses to confirm their identity. The above settings will make this their email address, but we use the test accounts to confirm everything is configured correctly.
If we already have the unique identifier associated with teachers' and students' accounts, for example because it's their email addresses, we'll match up everyone we can on your behalf. We will then send you a list of anyone we couldn't match. Once you send us the details for those people, we'll update them as well.
Please note that until we have completed this step users will get an error if they attempt to log into Education Perfect via G-Suite. Users need to be logged in to their school-affiliated google account in order to be able to log in through Single Sign On
This error generally means something is wrong with the configuration and may require support from Google directly. However it may be worth checking that your SAML certificate has not expired first.