Azure AD Configuration (SHA-256)

This article provides information on how to configure your Azure Active Directory instance for use with Education Perfect's Single Sign-On (SSO) system.

Please note that we now support logging in with Microsoft Azure directly, and it may not be necessary to set up an integration at all!
Please see our help doc here or contact us for more details.

Setup in Azure

1. Visit the Azure portal
2. Click Azure Active Directory under Azure Services
   
3. Click Enterprise Applications
   
4. Click New Application
   Due to changes in the website, you may need to click to enable the legacy App search to find this page
   
5. Click Non-gallery application
   
6. Put Education Perfect in the name field and click Add.
7. Click 2. Set up single sign on -> Get Started
   
8. Click SAML
9. Click the Icon next to the App Federation MetaData Url and send this link, along with the details for a test account to support@educationperfect.com
10. 
    With this information we will set things up on our side and should get back to you within a week with the information required for the next steps.

Secondary steps

Once you have received a reply from us, go back into the application where you were before and make the following changes:

1. Edit the first box Basic SAML Configuration
   

   Fill in the first two fields:
   

   1. Identifier (Entity ID): Issuer as provided by us (please note that this value is unable to be supplied until we have loaded your metadata previously!)
   2. Reply URL (Assertion Consumer Service URL):
      World wide: https://iam.educationperfect.com/samlv2/acs
      Canada: Will be provided with Identifier above
2. Edit the second box User Attributes and Claims. Click to Edit Unique User Identifier (Name ID)
3. 1. Click Choose name identifier format and ensure it is set to Email address in the drop down.
   2. Source Attribute should be user.mail
      
4. Save and exit. Please note that attempting to test the integration at this time will not work.
5. Click the following error if it shows up:

6. Allow user access to the newly created SAML Application:
   Click Properties on the left hand side bar
   Set Assignment required to No
   

Alternatively if you wish to have finer grained control on who can access this application, you can define access by groups rather than by all as shown above.
Go to the Users and Groups menu and add the users, groups and/or roles that will be logging into Education Perfect by SSO.
We recommend adding all users: such as your All Staff group, All Student groups and any test accounts!
Please note that any users that do not have access when attempting to log into Education Perfect with be met with a AADSTS50105 error from Microsoft.


7. Email us and lets us know that this step has been completed, once we received confirmation, we will finalize the connection and commence testing.

Match existing users to their accounts

If your students have already been using Education Perfect without an Azure integration, their EP accounts will need to be linked to the unique identifier Azure uses to confirm their identity. The above user claims settings will make this their email address, but we use the test accounts to confirm everything is configured correctly. We'll match up everyone we can on your behalf. We will then send you a list of anyone we couldn't match. Once you send us the details for those people, we'll update them as well.