Single Sign On FAQ
Here are answers to the most common questions we get regarding Single Sign On.
Do you automatically provision users and classes?
We do not automatically provision users or classes through Single Sign On. We'll map all your existing Education Perfect accounts (so no one will lose any progress) to the identifier sent by your Identity Provider as part of our setup processes. New accounts and classes can be created in the same way you've done so before- either through the Manage Users screen or by sending us an export of data to set up for you.
Which encryption algorithm do you support?
We support SHA-256
Why am I getting a '500 internal server error' when trying to log in?
This error will be displayed by our SSO server if it receives an unexpected message from your identity provider, and is often seen during the setup process. We will only be given a generic error message in our server logs ("An error SAML response status was received.") Please check if you have a more detailed error log on your server and send this through to us if none of the below causes apply.
The most common causes of this are:
- Your setup still being in progress on our side- once you have set things up on your side we need to process the metadata and test accounts you've sent through and this may take a few days depending on how many requests we are dealing with at the time.
- You have the incorrect encryption algorithm- please ensure you're using SHA-256
- There is a missing, or miss-configured, claims transformation- see specific instructions for your platform.
- You are trying to log in with an account that is set up differently from the rest of your accounts. We ask that the student and teacher credentials you send us for testing follow the conventions of your live accounts to ensure that we receive values that are consistent with what your actual users will provide us for all fields.
- You may be using an outdated version of our metadata- please ensure you have the most up-to-date version.
Why am I getting a permission needed/ app not configured error from my identity provider?
Once you add the Education Perfect app into your identity provider, most will then require you to enable it/ give users permission to access it. Depending on your setup and how you want to integrate with Education Perfect, this can usually be done at three levels: global (all users), specific user groups or individual accounts.
An example of the error message from Google:
Make sure all accounts that may wish to log into Education Perfect have been given access- including your staff.
Please also ensure that the student and teacher test accounts you create as part of the setup process will have access- missing them is a common cause of delay in the setup process.
If this message is coming up on users personal or home devices, but not when logging in at school this may be because they're already logged in with their personal account and Google is trying to authenticate with that- logging out of other Google accounts or using an incognito tab should resolve this.
Why am I getting a 'User not found' error?
This error message may appear after you have tried to log in using SSO and put your details into your schools login window. There will be an sso.educationperfect.com or authentication.educationperfect.com URL in your browser.
The most common causes of this error are:
- We haven't finished setting everything up yet. Once we receive all the data we need to finalise an SSO setup we still need to provision your users by ensuring we have added the correct identifier to all your accounts. This can take a few days, and we'll let the person we've communicating with regarding the setup know once we're finished.
- This users doesn't have an account on Education Perfect - as we don't automatically provision accounts you'll need to either create an account or, if you haven't done so already, send us your class lists. Please note - though we ask for a test accounts as part of the setup process, we do not normally create accounts for these on Education Perfect as part of the setup process.
- The account is set up in Education Perfect, but it does not have the correct Identifier associated with it. You can find and update the user in Manage Accounts- the "SSO Identifier" given in the error message is the value that is required in the "Single Sign On (SSO) ID" field on their account.If you have a lot of accounts that need updated, consider sending us a list of updates and we can process these for you.
- The account isn't set up correctly on your identity provider. If there is no identifier listed for the account it may be because the account does not have an email address or student ID value on your end when we were expecting this.
- There is a missing, or misconfigured, claims transformation/ Name ID value- see specific instructions for your platform.
- If using Google Suite, users will need to be signed into their school-affiliated Google account in order to be able to log in via SSO(or at the least, not signed into a different Google account.)
How long does the setup process take?
It will usually take a few business days to set up your school once we receive all the data needed, but this will depend on how many schools are ahead of you in the queue.
To ensure we can process your request as fast as possible please ensure you have set everything up in your Provider:
- Our metadata has been added
- The SHA-256 encryption algorithm was selected
- Your users/ user groups have the permissions/ access to the Education Perfect app
- Any required claims transformations have been configured
And that you have given us everything we need to set things up:
- A copy of your Metadata XML or the URL to find this
- Test accounts for a student and teacher- both with permission to access the Education Perfect app, and following the conventions of your live accounts
Why do you require test accounts as part of the setup process?
In order to provision your existing accounts and complete the setup process we need to do a test login to confirm a) everything is set up correctly and b) which value is being passed through by your identity provider as the NameID field for matching.
These test accounts only need to be able to log in and access the Education Perfect app you added- please ensure they do not have access to any sensitive areas of your system.
If you are not able to provide us with test accounts (eg for privacy reasons) please let us know during the setup process- we will still be able to set your school up, but we may need to ask you to do the testing for us which will slow the process a little.
My Identity Provider is not listed in your documentation, is it supported?
We have step-by-step instructions for the most popular Identity Providers used by our schools, but we support the SAML2 standard so we will be compatible with any Identity Provider that implements this. Please be aware we will not be able to offer the same level of help during the setup process than we can for Identity Providers we are more familiar with - you can find our generic instructions here.
Do we need to let you know when our certificate is going to expire?
We do not automatically update your school's metadata after the initial configuration, so you will need to get in touch with us when the certificate is going to expire. Please let us know the date we should switch to the new metadata, and provide us a copy of this as soon as you are able to.
We can only have one certificate in use at a time for each school on our side, so there may be some brief downtime between when the new certificate becomes active on your side and when the updated metadata comes into effect on ours, or vice-versa. If your system supports having overlapping certificates let us know- we should be able to switch the metadata during this window without disruption.
Please note there is always a chance of configuration issues during a change-over so we recommend warning your users of this.