To set up single sign-on for your district’s access to GuideK12, first contact service at firstname.lastname@example.org, if you haven’t already, to let them know you’re interested. Below you will find the requirements for our single sign-on support, along with some notes.
SAML 2.0 District Requirements for Single Sign-On
District Hosted SAML 2.0 IdP
The client should be running a SAML 2.0 Identity Provider (IdP). Below are the identity providers we have currently implemented.
- Shibboleth: https://www.shibboleth.net/products/identity-provider/
- ADFS: https://msdn.microsoft.com/en-us/library/bb897402.aspx
GuideK12 requires the following of the district’s IdP:
- We only support HTTP-Redirect binding for the Single Sign On Service
- We only support HTTP-Redirect binding for the Single Logout Service
- NOTE: use of a Single Logout Service is optional.
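A district can check its IdP metadata against the binding requirements above before sending it. The following Python script is an added example, not GuideK12 code; the sample metadata and the host idp.district.example are constructed, and the https check is an extra assumption not stated on this page.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: SSO offers POST and Redirect, SLO offers POST only.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.district.example/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="{POST}" Location="https://idp.district.example/slo/post"/>
    <SingleSignOnService Binding="{POST}" Location="https://idp.district.example/sso/post"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.district.example/sso/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the bindings fit."""
    # For metadata received over an untrusted channel, a hardened parser
    # such as defusedxml is a safer drop-in for ElementTree.
    root = ET.fromstring(xml_text)
    idp = root.find(f".//{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor: this is not IdP metadata"]

    def endpoints(tag):
        return [(e.get("Binding"), e.get("Location"))
                for e in idp.findall(f"{{{MD}}}{tag}")]

    problems = []
    sso_all = endpoints("SingleSignOnService")
    slo_all = endpoints("SingleLogoutService")
    if not any(b == REDIRECT for b, _ in sso_all):
        problems.append("no SingleSignOnService with HTTP-Redirect binding")
    # Single Logout is optional, but if published it must offer HTTP-Redirect.
    if slo_all and not any(b == REDIRECT for b, _ in slo_all):
        problems.append("SingleLogoutService published without HTTP-Redirect binding")
    # Assumption (not from this page): Redirect endpoints should be https.
    for binding, location in sso_all + slo_all:
        if binding == REDIRECT and not (location or "").startswith("https://"):
            problems.append(f"endpoint not https: {location}")
    return problems


if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE_IDP_METADATA):
        print("FAIL:", problem)
```

With the constructed sample, the only finding is the Single Logout Service that lacks an HTTP-Redirect endpoint.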
GuideK12 SP Restrictions
In SAML 2.0 parlance, the GuideK12 login server acts as a Service Provider (SP). Our SP has the following restrictions:
- It only supports the HTTP-POST binding for the Assertion Consumer Service
- It only supports the HTTP-Redirect binding for the Single Logout Service
Required Information From Client
- The district’s Identity Provider Metadata
- We need to know which attributes our Attribute Consuming Service should use for:
  - user group (user groups or role types should be determined based on the applications AND attributes for a data stream that those users should have access to)
- Which groups should have access to which applications?
  - SchoolSearch (public tool for home school lookup)
Required Information For Client from GuideK12
- We send the district a copy of our Service Provider Metadata.