Overview: The NovoEd platform can be configured for single sign-on (SSO) within a customer's organization if the customer's identity provider conforms to the SAML 2.0 standard. NovoEd functions as a SAML Service Provider (SP), that is, the system that accepts authentication assertions from another identity source instead of checking passwords itself. NovoEd supports both SP-initiated (SP-init) and IdP-initiated (IdP-init) flows. In the SP-init flow NovoEd starts the authentication session by sending an authentication request to the identity provider; in the IdP-init flow the customer's identity provider starts the session and sends NovoEd an unsolicited assertion. Most identity providers support the SP-init flow, and it is the preferred method, since the response can then be matched to the request NovoEd issued.
NovoEd can also work with multiple identity providers at once. This suits customers whose different audiences each have their own source of authentication.
Sections in this Article:
- Configuring SSO for a New NovoEd Institution
- Configuring SSO for an Existing NovoEd Institution
- Troubleshooting an SSO Configuration
- User Experience After Enabling SSO
Configuring SSO for a New NovoEd Institution
The NovoEd Technical Support team is the customer's point of contact for configuring, testing, and rolling out SSO for their NovoEd instance. Customers should follow the process outlined below:
- Customers contact the NovoEd technical support team at firstname.lastname@example.org, provide a link to their institution on NovoEd, and ask the support team to initiate the SSO configuration process. In response, the support team sends NovoEd's SP metadata (including NovoEd's entity ID) for the customer's organization.
- The SSO team in the customer's organization then provides the following information to NovoEd to finish the configuration. The data can be sent as IdP metadata XML. Attribute names are case-sensitive, so they must be supplied exactly as the identity provider emits them.
- Target URL for login to the Identity Provider (IdP)
- Target URL for logout from the IdP
- The signing certificate of the IdP (the public certificate NovoEd uses to validate the signature on SAML responses)
- The attribute mapping for the following information:
- Unique identifier (a persistent unique ID assigned to the user in the customer's system that never changes; it should not be the email address, since that can change)
- First name
- Last name
- Email address
Please note: Some organizations require testing in their QA environment before moving the SSO setup to the production identity provider. In that case, after the QA setup has been verified, customers repeat the configuration steps above for their production identity provider. Because the configuration has already been tested once, this second pass should not cause issues or slowdowns, but every step outlined above must still be carried out. NovoEd does not maintain a separate QA configuration on its side: the same NovoEd configuration is pointed at the customer's QA identity provider during testing and is then updated to work with the customer's production identity provider.
The unique ID is how a customer's users are identified in the NovoEd platform. If a user's email address changes but their unique ID stays the same, they keep access to their existing NovoEd account. If the customer's organization allows users to have multiple email addresses and wants to grant course access through a CSV upload, the upload must use the email address that the IdP sends to NovoEd during the SSO process, so that the enrollment matches the SSO account.
Once SSO is enabled, users must log in using SSO. When enrolling users in a course with a CSV upload of email addresses, customers must use the email address that their SSO system sends back to NovoEd. NovoEd strongly recommends an enrollment option that lets the learner enroll through SSO. This becomes especially important if an organization allows multiple emails for the same person.
Configuring SSO for an Existing NovoEd Institution
The steps to reconfigure SSO (or to configure it once learners are already enrolled in NovoEd courses) are similar to the above. Customers repeat the configuration steps above and tell the support team that a reconfiguration or update is needed. Existing NovoEd accounts must then be linked to the unique ID the identity provider will send, so after the configuration steps customers should follow these additional steps to ensure learners do not lose access to their existing courses:
- Customers email the NovoEd technical support team at email@example.com to receive a list of their existing users on NovoEd.
- The customer sends back the external ID assigned to each existing user, which must be the same value the IdP sends as the unique identifier.
- The NovoEd technical support team uploads the external IDs into the NovoEd system, linking each existing account to its ID.
- Once the upload is complete, the customer rolls out SSO to learners by emailing the NovoEd technical support team to enable the new SSO configuration.
Troubleshooting an SSO Configuration
An SSO login has the following steps, and each step fails in a characteristic way:
- Step 1: NovoEd sends a SAML authentication request (AuthnRequest) to the customer's identity provider.
  - Troubleshooting: If the customer sees a NovoEd error page at this point, it is likely because they received the wrong test URL from the NovoEd support team. Customers should contact the support team at firstname.lastname@example.org.
  - Troubleshooting: If the error message instead appears on the organization's identity provider, the customer's IT team has not registered NovoEd with the right entity ID. The customer should ask their IT team to double-check the registered entity ID against the SP metadata sent by the NovoEd support team in the first configuration step above.
- Step 2: The user authenticates on their organization's identity provider.
  - Troubleshooting: Once the two checks above pass, this step does not fail because of the NovoEd configuration. The user should make sure they are signing in with the correct account and email address.
- Step 3: The identity provider sends a signed SAML Response to NovoEd's Assertion Consumer Service (ACS), and NovoEd logs the user in or creates their account.
  - Troubleshooting: Several issues can occur at this point.
    - Issue 1: The customer sees the NovoEd error page "The request is not what we expected." This means the identity provider delivered the SAML Response to the Assertion Consumer Service with a GET request (the HTTP-Redirect binding). The identity provider must be configured to send the response with a POST (the HTTP-POST binding).
    - Issue 2: The customer sees a "We could not locate what you were looking for" error page. This means NovoEd could not log in or create an account for the user. It is caused by one of the following:
      - The attribute names in the SAML Response do not match what NovoEd has configured for first name, last name, email address, and external ID (attribute names are case-sensitive).
      - The certificate that signed the SAML Response does not match the certificate NovoEd has saved, for example after the identity provider rotated its certificate, or because the QA and production identity providers use different certificates.
In either case, a HAR file captured in the browser during the failed login is the best way to help NovoEd debug. The HAR file contains the SAML Response posted to the ACS, from which NovoEd can check the attribute names and the signing certificate and reconfigure its end to match what the customer's system actually sends. Note that a HAR file also records cookies, headers, and the personal data carried in the assertion, so capture it with a test account and share it only through the channel agreed with the support team.
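The following script is an added example, not NovoEd's code or tooling. It does what the support team does by hand with a HAR file: it parses the IdP metadata XML from the configuration list above (login URL, logout URL, signing certificate), finds the request to the Assertion Consumer Service in a HAR capture, flags a GET instead of a POST (Issue 1), and then compares the certificate embedded in the SAML Response and the attribute names it carries with the metadata and the expected mapping (Issue 2). The ACS URL, entity IDs, attribute names, certificate bodies, metadata XML and HAR content are all constructed placeholders; NovoEd's real endpoints and attribute names are not given in the article. It compares certificate fingerprints only and does not verify the XML signature; a real SP must verify the signature with the certificate from the metadata rather than trust the one embedded in the response.

```python
"""Check a SAML Response captured in a HAR file against the IdP metadata on file.

Added example, not NovoEd code. ACS URL, entity IDs, attribute names,
certificate bodies, metadata XML and HAR content are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://example-sp.invalid/saml/acs"                    # placeholder
EXPECTED_ATTRS = {"firstName", "lastName", "email", "employeeId"}  # assumed mapping
# Fake "certificates": base64 of arbitrary bytes, constructed for the example.
FAKE_CERT_B64 = base64.b64encode(b"example-idp-signing-cert-bytes").decode()
OTHER_CERT_B64 = base64.b64encode(b"some-other-cert-bytes").decode()

# Constructed IdP metadata XML of the shape a customer's SSO team would send.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
GOOD_ATTRS = {"firstName": "Ada", "lastName": "Lovelace",
              "email": "ada@example.invalid", "employeeId": "u-12345"}
BAD_ATTRS = {"FirstName": "Ada", "LastName": "Lovelace",             # wrong case
             "mail": "ada@example.invalid", "employeeId": "u-12345"}  # wrong name


def cert_fingerprint(b64_der):
    """SHA-256 of the DER bytes; PEM line wrapping and whitespace are ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract the login URL, logout URL and signing certificate the article asks for."""
    root = ET.fromstring(xml_text)
    signing = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": root.find(".//md:SingleSignOnService", NS).get("Location"),
            "slo_url": root.find(".//md:SingleLogoutService", NS).get("Location"),
            "cert_fingerprint": cert_fingerprint(signing.find(".//ds:X509Certificate", NS).text)}


def build_response(cert_b64, attrs):
    """Constructed SAML Response. Only KeyInfo is modelled; a real one also carries
    SignedInfo/SignatureValue, and the SP must verify that signature with the
    metadata certificate rather than trusting the certificate embedded here."""
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                       f"</saml:AttributeValue></saml:Attribute>" for k, v in attrs.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" Destination="{ACS_URL}">'
            f"<saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>"
            f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}"
            f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
            f"<saml:Assertion><saml:AttributeStatement>{attr_xml}"
            f"</saml:AttributeStatement></saml:Assertion></samlp:Response>")


def har_with(method, cert_b64, attrs):
    """Constructed HAR capture of the browser delivering the response to the ACS.
    A real Redirect-binding GET would also be DEFLATEd; only the method matters here."""
    param = [{"name": "SAMLResponse",
              "value": base64.b64encode(build_response(cert_b64, attrs).encode()).decode()}]
    request = {"method": method, "url": ACS_URL, "queryString": [], "postData": {"params": []}}
    if method == "POST":
        request["postData"] = {"mimeType": "application/x-www-form-urlencoded", "params": param}
    else:
        request["queryString"] = param
    return {"log": {"entries": [{"request": request, "response": {"status": 200}}]}}


def diagnose_har(har, metadata, expected_attrs):
    """Findings for the last ACS request in the capture; an empty list means it looks right."""
    acs = [e["request"] for e in har["log"]["entries"] if e["request"]["url"].startswith(ACS_URL)]
    if not acs:
        return ["no request to the ACS URL in the capture"]
    req, findings = acs[-1], []
    if req["method"] != "POST":   # Issue 1 in the article: Redirect instead of POST binding
        findings.append(f"Issue 1: ACS reached with {req['method']}; the response must use HTTP-POST")
    params = req.get("postData", {}).get("params", []) + req.get("queryString", [])
    encoded = next((p["value"] for p in params if p["name"] == "SAMLResponse"), None)
    if encoded is None:
        return findings + ["no SAMLResponse parameter in the ACS request"]
    root = ET.fromstring(base64.b64decode(encoded))
    cert = root.find(".//ds:X509Certificate", NS)   # Issue 2: certificate mismatch
    if cert is None or cert_fingerprint(cert.text) != metadata["cert_fingerprint"]:
        findings.append("Issue 2b: certificate in the response does not match the IdP metadata on file")
    sent = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}  # Issue 2: mapping
    missing = expected_attrs - sent
    if missing:
        findings.append(f"Issue 2a: expected attributes not sent (names are case-sensitive): {sorted(missing)}")
    return findings


if __name__ == "__main__":
    md = parse_idp_metadata(IDP_METADATA)
    print(diagnose_har(har_with("POST", OTHER_CERT_B64, BAD_ATTRS), md, EXPECTED_ATTRS))
```

On a real capture, replace IDP_METADATA with the file the customer's SSO team sent, load the HAR with json.load, and set EXPECTED_ATTRS to the attribute names agreed with the support team. The case-sensitivity check is the one that most often explains the "could not locate" page: "FirstName" and "firstName" are different attributes to NovoEd.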
User Experience After Enabling SSO
Here is a description of the user experience when logging into NovoEd with SSO, regardless of how the user reaches the NovoEd course URL. Users may discover a NovoEd URL through different sources such as a welcome email from the course, a learning management system, or a custom portal.
- The user goes to a NovoEd URL.
- NovoEd sends a SAML authentication request to the identity provider to start the SSO process (the SP-initiated flow).
- The user sees their usual login page on their organization's identity provider and authenticates there.
- The identity provider returns the user to NovoEd, where they arrive as a logged-in user.
- Users must be enrolled in at least one learning experience to see a learner dashboard on NovoEd.
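The second step of that flow, the authentication request NovoEd sends, is what a customer's IT team sees first when a login fails on the identity provider's side. The script below is an added example, not NovoEd's code: it builds a minimal SP-initiated AuthnRequest, encodes it the way the SAML HTTP-Redirect binding carries it in the URL (raw DEFLATE, base64, URL-encoding), decodes such a URL as copied from a HAR file, and compares the Issuer (the SP entity ID) and ACS URL in it with what the IdP has registered. The SP entity ID, ACS URL and IdP login URL are constructed placeholders, and request signing (the SigAlg and Signature query parameters) is left out because the article does not say whether NovoEd signs its requests.

```python
"""Encode and decode an SP-initiated AuthnRequest for the SAML HTTP-Redirect binding.

Added example, not NovoEd code. The SP entity ID, ACS URL and IdP SSO URL are
constructed placeholders; request signing is omitted.
"""
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://example-sp.invalid/saml/metadata"  # placeholder SP entityID
ACS_URL = "https://example-sp.invalid/saml/acs"            # placeholder ACS endpoint
IDP_SSO_URL = "https://idp.example.invalid/saml/sso"       # placeholder IdP login URL


def build_authn_request(request_id=None, issue_instant=None):
    """Minimal AuthnRequest: a fresh ID (the SP keeps it to match InResponseTo on
    the reply), the issuer (SP entityID) and where the response must be POSTed."""
    rid = request_id or "_" + secrets.token_hex(16)
    ts = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" '
            f'Version="2.0" IssueInstant="{ts}" Destination="{IDP_SSO_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'AssertionConsumerServiceURL="{ACS_URL}">'
            f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>")


def redirect_url(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Reverse the binding on a URL copied from a HAR file and return the fields an
    IT team compares against the SP metadata NovoEd sent."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml_text)
    return {"id": root.get("ID"),
            "issuer": root.find("saml:Issuer", {"saml": SAML}).text,
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "destination": root.get("Destination"),
            "relay_state": qs.get("RelayState", [None])[0]}


def registration_mismatches(decoded, registered_entity_id, registered_acs_url):
    """The values the IdP registration must agree on; an Issuer mismatch is the
    step-1 error shown on the identity provider's side."""
    problems = []
    if decoded["issuer"] != registered_entity_id:
        problems.append(f"Issuer {decoded['issuer']} != registered entity ID {registered_entity_id}")
    if decoded["acs_url"] != registered_acs_url:
        problems.append(f"ACS {decoded['acs_url']} != registered ACS {registered_acs_url}")
    return problems
```

A trailing slash or a differing scheme in the registered entity ID is enough to produce the mismatch, since entity IDs are compared as exact strings. The request ID is also why the SP-initiated flow is preferred: NovoEd can tie the returned assertion to a request it issued, whereas an IdP-initiated assertion arrives with no request to match.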
NovoEd never receives or stores the user's password from the customer's system; the password is checked only by the identity provider. NovoEd stores the user's first name, last name, email address, and unique ID. After SSO is enabled, SSO is the default way for learners to log into NovoEd.
Once SSO is enabled, customers can disable editing of basic account settings on NovoEd so that these fields are controlled only by the identity provider. The organization administrator can do this on the Org Admin Dashboard on NovoEd (see screenshot below). If a learner's first name, last name, or email address needs to change, customers should make the update in their own system, not in NovoEd. The data in NovoEd is refreshed from the identity provider once the user's session expires and/or they log in to NovoEd again.