Single Sign On (SSO) FAQ
Here are answers to the most common questions we get regarding Single Sign On.
Do you automatically provision users and classes?
We do not automatically provision users or classes through Single Sign On. We'll map all your existing Education Perfect accounts (so no one will lose any progress) to the identifier sent by your Identity Provider as part of our setup processes. New accounts and classes can be created in the same way you've done so before- either through the Manage Users screen or by sending us an export of data to set up for you.
Which encryption algorithm do you support?
We support SHA-256 only.
Why am I getting a permission needed/ app not configured error from my identity provider?
Once you add the Education Perfect app into your identity provider, most will then require you to enable it/ give users permission to access it. Depending on your setup and how you want to integrate with Education Perfect, this can usually be done at three levels: global (all users), specific user groups or individual accounts.
An example of the error message from Google:
Make sure all accounts that may wish to log into Education Perfect have been given access- including your staff.
Please also ensure that the test student account you create as part of the setup process will have access - missing them is a common cause of delay in the setup process.
If this message is coming up on users personal or home devices, but not when logging in at school this may be because they're already logged in with their personal account and Google is trying to authenticate with that - logging out of other Google accounts or using an incognito tab should resolve this.
How long does the setup process take?
It will usually take a few business days to set up your school once we receive all the data needed, but this will depend on how many schools are ahead of you in the queue.
To ensure we can process your request as fast as possible please ensure you have set everything up in your provider:
- The SHA-256 encryption algorithm was selected
- Your users/ user groups have the permissions/ access to the Education Perfect app
- Any required claims transformations have been configured
And that you have given us everything we need to set things up:
- A copy of your Metadata XML or the URL to find this
- Test account for a student with permission to access the Education Perfect app, and following the conventions of your live accounts
- We will then send back school specific Metadata for you to enter at your end.
Why do you require a test account as part of the setup process?
In order to provision your existing accounts and complete the setup process we need to do a test login to confirm a) everything is set up correctly and b) which value is being passed through by your identity provider as the NameID field for matching.
This test account only needs to be able to log in and access the Education Perfect app you added- please ensure they do not have access to any sensitive areas of your system.
If you are not able to provide us with a test account (eg for privacy reasons) please let us know during the setup process- we will still be able to set your school up, but we may need to ask you to do the testing for us which will slow the process a little.
My Identity Provider is not listed in your documentation, is it supported?
We have step-by-step instructions for the most popular Identity Providers used by our schools, but we support the SAML2 standard so we will be compatible with any Identity Provider that implements this. Please be aware we will not be able to offer the same level of help during the setup process as we can for Identity Providers we are more familiar with - you can find our generic instructions here.
Do we need to let you know when our certificate is going to expire?
We do not automatically update your school's metadata after the initial configuration, so you will need to get in touch with us when the certificate is going to expire. Please let us know the date we should switch to the new metadata, and provide us with a copy (metadata XML or URL, not .cer or .pem as we cannot process these) of this as soon as you are able to.
We can only have one certificate in use at a time for each school on our side, so there may be some brief downtime between when the new certificate becomes active on your side and when the updated metadata comes into effect on ours, or vice-versa. If your system supports having overlapping certificates let us know - we should be able to switch the metadata during this window without disruption.
Please note there is always a chance of configuration issues during a change-over so we recommend warning your users of this.