The NovoEd platform can be configured for single sign-on (SSO) within a customer’s organization if the customer’s identity provider conforms to the SAML 2.0 standard. NovoEd functions as a SAML Service Provider, that is, the system that accepts authentication from another identity source. NovoEd can work with both SP-init and IDP-init workflows. SP-init is when NovoEd initiates the authentication session. IDP-init is when the customer’s identity provider initiates the session. Most identity providers support SP-init, and this is the preferred method.
NovoEd can also work with multiple identity providers. In this solution, NovoEd customers have different audiences and each audience has its own source of authentication.
Configuring SSO for a New Institution on NovoEd
The NovoEd Technical Support team is the point of contact for NovoEd customers to configure, test, and roll out SSO for their NovoEd instance. Customers should follow the process outlined below:
- Customers contact the NovoEd technical support team at firstname.lastname@example.org, provide a link to their institution on NovoEd, and ask the support team to initiate the SSO configuration process. In response to the request, the support team will send NovoEd’s metadata for the customer’s organization.
- The SSO team in the customer’s organization shall provide the following information to NovoEd to finish the configuration. The data can be sent as XML.
  - Target URL for login to the Identity Provider (IdP)
  - Target URL for logout from the IdP
  - The certificate of the IdP
  - The attribute mapping for the following information:
    - Unique identifier (a persistent unique ID assigned to the user in the customer’s system that never changes)
    - First name
    - Last name
    - Email address
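A pre-flight check an identity team could run on its own IdP export before sending it, as an added example (not NovoEd's code). It assumes the IdP produces standard SAML 2.0 metadata; the function name, the mapping keys, the HTTPS check and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical key names for the four attributes the list above asks to map.
REQUIRED_ATTRS = ("unique_id", "first_name", "last_name", "email")

# Constructed sample: entity ID, URLs and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_package(metadata_xml, attribute_mapping):
    """Return (found, problems) for the items the service provider needs."""
    # Input is the team's own locally exported metadata, not untrusted XML.
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return {}, ["no IDPSSODescriptor element"]
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    cert = idp.find(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    has_cert = cert is not None and cert.text
    found = {
        "login_url": sso.get("Location") if sso is not None else None,
        "logout_url": slo.get("Location") if slo is not None else None,
        "certificate": "".join(cert.text.split()) if has_cert else None,
    }
    problems = [f"missing {k}" for k, v in found.items() if not v]
    for key in ("login_url", "logout_url"):
        if found[key] and not found[key].startswith("https://"):
            problems.append(f"{key} is not HTTPS")
    for attr in REQUIRED_ATTRS:
        if not attribute_mapping.get(attr):
            problems.append(f"no attribute mapped for {attr}")
    return found, problems
```

An empty `problems` list means all four requested items (login URL, logout URL, certificate, complete attribute mapping) are present in the package.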
Please note: Some organizations might require testing in their QA environment before moving the SSO setup to the production identity provider. In that case, customers will need to repeat steps 2-5 for their production identity provider configuration after verifying the QA setup. Customers should not expect issues or slowdown, as the configurations are tested once; however, every step outlined above should be retaken. NovoEd does not test in a QA environment for the NovoEd side of the configuration; the same NovoEd setup used in the customer’s QA phase (during testing) will be updated to work with the customer’s production phase.
In addition, the unique ID is how a customer’s users are identified in the NovoEd platform. If a user’s email address changes, as long as their unique ID remains the same, they can still access their account on NovoEd. If a customer’s organization allows users to have multiple email addresses and wants to give course access to learners through a CSV upload, customers will need to use the email address that the IdP sends to NovoEd during the SSO process. Please note that capitalization does not matter for SSO, because we downcase what is sent to NovoEd.
Once SSO is enabled, users must log in using SSO. If customers are enrolling users in a course with a CSV upload of email addresses, they must use the email address that their SSO system sends back to NovoEd. NovoEd highly recommends using an enrollment option that allows the learner to enroll through SSO. This becomes immensely important if an organization allows multiple emails for the same person.