Skip to main content

Single Sign-On Using SAML

  • Updated

Security Assertion Mark-Up Language (SAML) is an authentication method for users to log in to one system automatically by being logged into another. The idea is to sign in once (usually to a school’s network directory service) and the tools user's use will ‘authenticate’ them based on that single sign-in (SSO).

FastBridge Learning® supports SAML v2.0 as an SSO method for the FAST application. Once a district provides all the information required, please allow up to 4 weeks for FastBridge to implement this SSO solution from beginning, to customer testing and sign-off, to end.

Preparing for Setup

  • The District must be setup and active in FastBridge
  • The District must verify that their SAML 2.0 federation services are compatible with Microsoft ADFS.
  • The AD-FS compatible environment must have Publicly Trusted Certificates enabled.
  • The setting in District Preferences > District Properties > SSO Enable must be set to On.
  • The district should have ready access to teacher ID’s, Student ID’s, nameID from their AD-FS POST responses, and a FastBridge roster in CSV format that will be edited by the school. Districts will want this handy when re-creating their rosters to fit the SSO implementation.

What FastBridge provides

  1. District_Key - A unique identifier with no spaces and no punctuation.
    • Example: Best School NY becomes bestschoolny.
  2. A token-signing certificate (SHA-256) via URL for the District to import.
  3. At the end of the process, an SSO link with the ‘District_Key’ inserted, in this format: https://auth.fastbridge.org/sso/{district_key}/metadata.do
    This link will redirect to the District ADFS page where staff sign in. Once done, a POST response is sent with a token issued from the ADFS server and contains a timestamp and a NameID that exactly matches the NameID in the newly-constructed roster (See ‘Changes to your Roster’ below.)

What Districts must provide FastBridge

  • School Site Metadata.
  • XML document generally provided by District Administrator from an ADFS URL.
  • Verify the token-signing certificate is imported.
  • Changes to their Roster.
  • The UserID format used in-roster for SSO clients in FastBridge is: {district_key}{roleID}{nameID}
    For example, a teacher could be bestschoolny_8_1234567 and the Role IDs could be:
    • 6 - District Manager
    • 7 - School Manager
    • 8 - Teacher
    • 91 - Specialist
    • 92 - Group Proctor
    • 10 – Student

Student Roster Modifications

  • StudentID has to be the nameID that we will get in the SAML POST response.
  • TeacherID has to be the nameID that we will get in the SAML POST response.
  • TeacherEmail in format: {district_key}_8_{nameID} where nameID is the nameID that we will get in the SAML POST response. It should not be an email address.
    • This is '8' because the role for the teacher is 8.
    • The teachers’ actual email address should not be on student rosters with SSO integration that are entered through the Staff Roster process.

Staff Roster Modifications

  • UserID in format: {district_key}_{roleID}_{nameID}
    • roleID is the value in column2
    • nameID has to be the nameID that we will get in the SAML POST response.
    • UserID should be the same format as the teacherEmail in the Student Roster: {district_key}_8_{nameID}.
  • Email should be their actual email address.
    • Since we request the teacherEmail in the Student Roster to not be their actual email, the actual email addresses of the teachers can be updated using the Staff Roster. 
  • New teachers will not be added with this process. Only emails for existing teacher uploaded through the student roster will be updated.
Was this article helpful?
2 out of 4 found this helpful
Return to top

Help us improve this article

Submit Feedback