SAML


For the settings regarding the 'SSO Provider' please go to <Administration> | <Integration> | <SAML>.

 

 

Set up of Identity Provider / SAML for WebUntis

 

• Define the attribute containing the user name which will be used with WebUntis IDP. The chosen attribute can be compared to a “user name” or an “external user” name in WebUntis.

• Please get in contact with your WebUntis team regarding your chosen attribute name or urn-id.

• Send the metadata of your IDP to your WebUntis team (NB: WebUntis supports only officially signed SSL certificates).

• Download the WebUntis metadata (https://name.webuntis.com/WebUntis/saml/metadata) and import it to your IDP.

• Your WebUntis team imports your metadata to the WebUntis SAML provider. The import of new metadata can take up to 24 hours.

• Please enter your SSO provider into WebUntis. Just go to <Administration> | <Integration> | <SAML> and save the settings.

 

 

Testing of IDP / SSO Provider

 

By activating the SSO provider under <Administration> | <Integration> | <SAML>, the 'SSO-Login' button in the logged-out area of WebUntis is activated.

• Try to log in via the SSO provider by clicking on the login button.

 

 


 

• If the login is not successful please contact WebUntis support to get more information. Otherwise continue with the configuration of the SAML integration.

 

 

SAML integration in WebUntis

 

 


 

Identification and automatic creation of a user

If you do not want users to be created dynamically you can deactivate this function by selecting the option 'Create local user after successful authorisation' after you have successfully logged in. After deactivating this function, only users who are already registered as users in WebUntis can log in.

 

The user role (teacher or student) can be defined by comparison with a user attribute.

 

Comparison with an attribute

In this case the entry in the field 'Person role' identifies the role, e.g. 'Teachers'. The name of the attribute containing the role designation, e.g. 'urn:oid:1.2.3.4.5.6.1234.1.1.1.1', is to be entered in the field 'SAML person role attribute'. The user is therefore identified as teacher when the designation 'Teacher' is found for a person in the attribute 'urn:oid:1.2.3.4.5.6.1234.1.1.1.1'.

 

The identification of the role means that the default rights can be defined. You need user groups, e.g. teachers. Whenever attributes are compared to each other, the user group names need to be identical to the entries in the fields 'Person role'.

 

If no matching user group can be found in WebUntis the default user group will be used.

 

Additional information is needed to identify the person. This information can be different for teachers and students. Identification means that the system looks for an appropriate timetable element (teacher or student) for the user.

 

 

There are several possibilities of identification:

 

Single attribute: This method is usually the most effective one since no names need to be compared. It is, however, not possible in all cases.

This method compares a unique value of one of the WebUntis fields of a user with the individual attribute in SAML.

 

Possible fields in WebUntis are:

id – user name in WebUntis

name – short name

longName – last name

Text – text field

externKey – external ID

 

One of these fields is entered into the field 'ID field'. The name of the attribute in LDAP is entered into the field 'SAML ID attribute'.

Example: The short name of the WebUntis teacher is also saved under the attribute 'urn:oid:2.4.5.1' in SAML. 'urn:oid:2.4.5.1' is therefore entered into the field 'SAML ID attribute' and 'name' into the field 'ID field'.

 

Attributes for last name and first name: This method identifies the person by name. First and last name must exist in separate attributes in SAML. Both attributes are entered in the field 'SAML ID attribute', separated by a comma, with the attribute for the last name entered first and the attribute for the first name entered second.
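
The matching rules described above can be checked against the attributes your IDP releases before SSO is activated. The following is an added example, not WebUntis code: the record layout, the key 'foreName', the attribute names 'sn' and 'givenName', the function names, the use of the default group when no role is found, and the treatment of several matches as "not identified" are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute statement as an IDP might release it.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.2.3.4.5.6.1234.1.1.1.1"><saml:AttributeValue>Teacher</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.4.5.1"><saml:AttributeValue>MIL</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="sn"><saml:AttributeValue>Miller</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Anna</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

# Constructed timetable elements; 'foreName' is an assumed key for the first name.
PEOPLE = [
    {"name": "MIL", "longName": "Miller", "foreName": "Anna"},
    {"name": "MIA", "longName": "Miller", "foreName": "Anna"},  # namesake
]

def attributes(statement_xml):
    """Return {attribute name: [values]} from a SAML AttributeStatement."""
    out = {}
    for attr in ET.fromstring(statement_xml).iterfind(".//saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        out[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return out

def resolve_group(attrs, role_attribute, person_roles, groups, default_group):
    """Role = configured 'Person role' found in the role attribute; user group =
    group with the identical name, otherwise the default user group."""
    for role in person_roles:
        if role in attrs.get(role_attribute, []):
            return role, (role if role in groups else default_group)
    return None, default_group  # assumption: no role found -> default group

def find_person(attrs, people, id_field, saml_id_attribute):
    """'SAML ID attribute' holds one name, or 'lastNameAttr,firstNameAttr'."""
    names = [n.strip() for n in saml_id_attribute.split(",")]
    if len(names) == 2:
        last, first = ((attrs.get(n) or [""])[0] for n in names)
        hits = [p for p in people if (p["longName"], p["foreName"]) == (last, first)]
    else:
        value = (attrs.get(names[0]) or [""])[0]
        hits = [p for p in people if p.get(id_field) == value]
    # Assumption: zero or several hits count as "person not identified".
    return hits[0] if len(hits) == 1 else None
```

With the constructed data, the single attribute 'urn:oid:2.4.5.1' identifies exactly one teacher, while the last name / first name pair matches two people and identifies none.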