Azure AD Configuration (SHA-256)
This article provides information on how to configure your Azure Active Directory instance for use with Education Perfect's Single Sign-On (SSO) system.
Setup in Azure
Please note that you will require the Global Administrator role to complete this setup.
- Visit the Azure portal
- Click Azure Active Directory under Azure Services
- Click Enterprise Applications
- Click New Application
Due to changes in the website, you may need to click to enable the legacy App search to find this page.
- Click Non-gallery application
- Put Education Perfect in the name field and click Add.
- Click 2. Set up single sign on -> Get Started
- Click SAML
- Click the icon next to the App Federation MetaData Url and send this link, along with the details for a test account, to email@example.com
With this information we will set things up on our side and should get back to you within a week with the information required for the next steps.
Once you have received a reply from us, go back into the application where you were before and make the following changes:
- Edit the first box Basic SAML Configuration
Fill in the first two fields:
- Identifier (Entity ID): Issuer as provided by us (please note that we cannot supply this value until we have loaded your metadata!)
- Reply URL (Assertion Consumer Service URL):
Worldwide: https://iam.educationperfect.com/samlv2/acs
Canada: Will be provided with Identifier above
- Edit the second box User Attributes and Claims. Click to Edit Unique User Identifier (Name ID)
- Click Choose name identifier format and ensure it is set to Email address in the drop-down.
- Source Attribute should be user.mail
- Save and exit. Please note that attempting to test the integration at this time will not work.
- Click the following error if it shows up:
Allow user access to the newly created SAML Application:
Click Properties on the left-hand sidebar
Set Assignment required to No
- Email us to let us know that this step has been completed. Once we have received confirmation, we will finalize the connection and commence testing.
Alternatively, if you wish to have finer-grained control over who can access this application, you can define access by groups rather than by all as shown above.
Go to the Users and Groups menu and add the users, groups and/or roles that will be logging into Education Perfect by SSO.
We recommend adding all users, such as your All Staff group, All Student groups and any test accounts!
Please note that any users who do not have access when attempting to log into Education Perfect will be met with an AADSTS50105 error from Microsoft.
Match existing users to their accounts
If your students have already been using Education Perfect without an Azure integration, their EP accounts will need to be linked to the unique identifier Azure uses to confirm their identity. The above user claims settings will make this their email address, but we use the test accounts to confirm everything is configured correctly. We'll match up everyone we can on your behalf. We will then send you a list of anyone we couldn't match. Once you send us the details for those people, we'll update them as well.
Please note that until we have completed this step, users will get an error if they attempt to log into Education Perfect via Azure.
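The following added example, which is not Education Perfect's or Microsoft's own tooling, checks a base64-encoded SAMLResponse captured from a test sign-in against the settings described above: the Reply URL, the Identifier, the Email address Name ID format and a SHA-256 signature. The function names, the sample response and the EP-ISSUER-PLACEHOLDER value are constructed for illustration, and reading the SHA-256 in the title as the signature algorithm is an assumption; the check inspects settings only and does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://iam.educationperfect.com/samlv2/acs"  # worldwide Reply URL from this article
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Constructed, trimmed and unsigned sample shaped like a SAML Response; not real Azure output.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="{acs}"><saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def build_sample(**overrides):
    """Hypothetical helper: base64 sample response, with fields overridable for testing."""
    fields = dict(acs=ACS_URL, alg=RSA_SHA256, fmt=EMAIL_FORMAT,
                  name_id="test.student@school.example", aud="EP-ISSUER-PLACEHOLDER")
    fields.update(overrides)
    return base64.b64encode(SAMPLE.format(**fields).encode())

def check_saml_response(b64_response, expected_entity_id, acs_url=ACS_URL):
    """Return a list of configuration problems; an empty list means the settings match."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Reply URL (Assertion Consumer Service URL) is where Azure posts the response.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Reply URL")
    # Identifier (Entity ID) appears as the assertion's audience.
    audience = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != expected_entity_id:
        problems.append("Audience does not match the Identifier (Entity ID)")
    # Name ID must use the Email address format and carry user.mail.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not Email address")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address (is user.mail populated?)")
    # Every signature present must use RSA-SHA256; an unsigned response also fails.
    methods = root.findall(".//ds:SignatureMethod", NS)
    if not methods or any(m.get("Algorithm") != RSA_SHA256 for m in methods):
        problems.append("response is not signed with RSA-SHA256")
    return problems
```

Pass the SAMLResponse form value from a test sign-in, together with the Issuer value supplied by Education Perfect, to check_saml_response; a test account with no mail attribute in Azure shows up as the NameID value problem.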