Configuring Azure (SAML) and Mastery Connect Authentication
Official Mastery Connect Document
Authentication Terminology

Term | Definition
---|---
IdP | Identity Provider. The job of the IdP is to identify users based on credentials. The IdP typically provides the login screen and presents information about the authenticated user to service providers after successful authentication. Azure is the Identity Provider.
login_id | saml_name in Mastery Connect terminology. When information about an authenticated user is returned to Mastery Connect, a user with a saml_name matching the incoming data is looked for.
Metadata | Information about the SP or IdP. This metadata is almost always provided in the form of XML. The metadata about your Canvas instance is located at https://app.masteryconnect.com/saml2/<yourname>/metadata.xml (your Project Consultant / Support Agent will inform you what your metadata link is).
SAML | Security Assertion Markup Language
SIS | Student Information System
SLO | Single Logout. When a user logs out of a service, some IdPs can subsequently log the user out of all other services the user has authenticated to. Azure supports this but may occasionally experience issues, such as preventing a successful logout: users will be logged out of Mastery Connect but may not be logged out of Azure.
SP | Service Provider. An SP is usually a website providing information, tools, reports, etc. to the end user. Mastery Connect provides a learning environment to teachers, students, and admins and is, therefore, the Service Provider. Note: An SP cannot authenticate against an IdP unless the IdP is known to the SP. Likewise, an IdP will not send assertions to an SP that it does not know about.
SSO | Single Sign-On. This is what happens when a user isn't required to log in to a second service because information about the authenticated user is passed to that service.
Pre-requisites
- Mastery Connect does not automatically create user accounts from successful single-sign-ons. User accounts must either be created manually in the web interface or through a SIS Integration.
- The saml_name field in Mastery Connect must match the selected field returned from Azure.
- Your organization must have an Azure AD subscription.
- You must be able to log in to the admin console for your organization.
Configure Azure Active Directory
To configure the integration of Mastery Connect into Azure AD, you need to add Canvas (an Instructure product; Mastery Connect itself is not available in the gallery) from the gallery to your list of managed SaaS apps.
1. In the left navigation panel of the Azure portal, click the Azure Active Directory icon.
2. Click Enterprise applications, then click All applications.
3. To add a new application, click the New application button at the top of the dialog.
4. In the search box, type Canvas [1] (an Instructure product). In the results panel, select Canvas [2]. Change Name [3] to Mastery Connect and then click the Create button [4] to add the application.
5. In the Mastery Connect | Overview page of the Azure portal, click on Single Sign-on.
6. Click SAML.
7. On the Set up Single Sign-On with SAML page, copy the App Federation Metadata URL from the SAML Certificates section.
***NOTE: Send this metadata URL to your Project Consultant / Support Agent. Mastery Connect's Metadata (Service Provider) is configured with a public link to the IdP's metadata.
8. Your Project Consultant / Support Agent will then provide the Mastery Connect Metadata and Log On URLs.
The Metadata and Log On URL will look like this:
Metadata URL: https://app.masteryconnect.com/saml2/<yourname>/metadata.xml
Log On URL: https://app.masteryconnect.com/saml2/<yourname>
9. On the Set up Single Sign-On with SAML page, edit the Basic SAML Configuration section by clicking Edit in the top-right corner.
10. Click Add identifier and fill in the Identifier (Entity ID) field [2] with the Mastery Connect Service Provider Entity ID, taken from the Mastery Connect metadata [1] provided in step 8 (i.e. https://app.masteryconnect.com/saml2/<yourname>/metadata.xml).
In the Reply URL (Assertion Consumer Service URL) field, add the Assertion Consumer Service URL from the Mastery Connect Metadata [4] (i.e. https://app.masteryconnect.com/saml2/<yourname>/acs). Click Add reply URL to create a new input.
In the Sign on URL field, add the Log On URL from step 8 (i.e. https://app.masteryconnect.com/saml2/<yourname>).
Optional: In the Logout URL (Optional) field, enter the Logout URL from the Mastery Connect Metadata [3] (i.e. https://app.masteryconnect.com/saml2/<yourname>/logout).
Click Save in the top-left corner.
Here is an example once all the data is entered:
11. Edit the second section, User Attributes & Claims.
***NOTE: This guide walks through the steps of sending the email address as the identifier. If you do not wish to send the email address as the identifier, please select which identifier you would like to send.
12. Click Unique User Identifier (Name ID) under required claim.
13. Change Source attribute [1] to user.mail and click Save [2].
14. Click Properties [1]. Change User assignment required to No [2]. Click Save.
***NOTE: This step applies only if you don't want to assign users/groups to this application. If you want to assign users/groups, skip this step and assign them within Azure.
15. Change the Logo to Mastery Connect [1].
Here is a link to download the Mastery Connect logo from the Instructure website.
Or click here to immediately download the Mastery Connect branding files.
16. In an incognito window, test your login to ensure you are logged into Mastery Connect using your Log On URL from step 8.
Log On URL: https://app.masteryconnect.com/saml2/<yourname>
***NOTE: Make sure your saml_name is assigned in Mastery Connect to the identifier from Azure, otherwise you will not get a successful login. Talk with your project consultant / support agent to ensure saml_names are assigned in Mastery Connect.
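Before the login test in step 16, it is worth confirming that the three values typed into Azure's Basic SAML Configuration in step 10 match the Mastery Connect metadata exactly, since a typo there only shows up as a failed login. The script below is an added example, not Mastery Connect's or Microsoft's code: it parses a constructed SP metadata document with the placeholder tenant name `exampledistrict` (the real one is the metadata.xml your Project Consultant provides) and compares it with values assumed to have been copied out of the portal by hand.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample in the shape of https://app.masteryconnect.com/saml2/<yourname>/metadata.xml,
# using the placeholder tenant "exampledistrict"; real metadata comes from your Project Consultant.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.masteryconnect.com/saml2/exampledistrict/metadata.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app.masteryconnect.com/saml2/exampledistrict/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.masteryconnect.com/saml2/exampledistrict/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Pull the SP entityID, AssertionConsumerService and SingleLogoutService
    locations out of SAML 2.0 metadata (the values step 10 asks you to enter)."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if root.get("entityID") is None or sp is None:
        raise ValueError("not SAML SP metadata: missing entityID or SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "acs": [e.get("Location") for e in sp.findall(f"{{{MD}}}AssertionConsumerService")],
        "slo": [e.get("Location") for e in sp.findall(f"{{{MD}}}SingleLogoutService")],
    }

def check_azure_config(metadata_xml, azure):
    """Compare the step-10 fields typed into Azure ('identifier', 'reply_url' and the
    optional 'logout_url') with the SP metadata. Returns a list of mismatches; an
    empty list means the values agree. The comparison is deliberately exact: a
    trailing slash or a Sign-on URL pasted into the Reply URL field breaks login."""
    sp = parse_sp_metadata(metadata_xml)
    problems = []
    if azure.get("identifier") != sp["entity_id"]:
        problems.append(f"Identifier (Entity ID) {azure.get('identifier')!r} "
                        f"does not equal metadata entityID {sp['entity_id']!r}")
    if azure.get("reply_url") not in sp["acs"]:
        problems.append(f"Reply URL {azure.get('reply_url')!r} is not an "
                        f"AssertionConsumerService location {sp['acs']}")
    if azure.get("logout_url") and azure["logout_url"] not in sp["slo"]:
        problems.append(f"Logout URL {azure['logout_url']!r} is not a "
                        f"SingleLogoutService location {sp['slo']}")
    return problems
```

Run `check_azure_config(metadata_text, {...})` with the real metadata.xml contents and the values from the portal; any string it returns names the field to correct before trying the login.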
Congratulations! You have configured Azure as the IdP for Mastery Connect.