SMS 2.0 SkySTS Server Launch Kit - Skyward Support Center
Table of Contents

GENERAL INFORMATION ... 3
  SkySTS and What It Means to You ... 3
  SkySTS Install for Cloud Hosted and Managed Services Customers ... 3
  SkySTS On-Premises Server Pre-Install Checklist ... 4
  SkySTS On-Premises Install Summary ... 4
  SkySTS On-Premises Server Firewall Requirements ... 5
  Choosing the SkySTS Server(s) ... 5
SMS 2.0 APPLICATION CONFIGURATION ... 6
  Web Configuration / Single Sign-On Configuration ... 6
SKYSTS SERVER INSTALLATION ... 8
  Download SkySTS Installer Exe from Skyward FTP Site ... 8
  SSL Certificate Requirements ... 8
  SkySTS Server Install ... 9
  Test SkySTS Installation ... 14
IDENTITY PROVIDER / RELYING PARTIES CONFIGURATION(S) ... 15
  SMS 2.0 as an Identity Provider Configuration ... 15
  Configure Common Relying Parties ... 19
  SMS 2.0 to a Remote Identity Provider Configuration ... 21
  Testing Relying Party / IdP Configurations ... 29
  Troubleshooting Identity Provider Configuration(s) ... 33
RENEWING THE SSL CERTIFICATE ... 34
  SSL Certificates Usage ... 34
  SkySTS Website Certificate Renewal ... 34
  SkySTS Application Certificate Renewal ... 34
  SSL Certificate Permissions ... 35
ADVANCED CONFIGURATION OPTIONS ... 36
  Adding an SSO Aware District Link in Family / Student Access ... 36
  Adding an SSO Aware Newsfeed Link in SkyPort for All Users ... 37
  Additional IIS Setup for Load Balancing SkySTS ... 39
  Configuring Multiple SkySTS Instances ... 40
  Customizing Login Pages ... 40
  SkySTS Configuration Values ... 41

02.11.2021 www.skyward.com Page 2 of 41
General Information

SkySTS and what it means to you

SkySTS (Skyward Secure Token Service) allows SMS 2.0 users to authenticate to a 3rd party Identity Provider (IdP), and it allows SMS 2.0 to be an Identity Provider (IdP) for 3rd party systems.

SMS 2.0 to a remote IdP: SMS 2.0 users can log in using credentials from a 3rd party IdP that supports SAML 2, such as Office 365 (Azure) or ClassLink. For an overview video of the Single Sign-On process for your Skyward end-users and other recommended Skyward Security Best Practices, please visit the Skyward Security Best Practices Blog.

SMS 2.0 as an IdP: Users of the 3rd party system can log in to the 3rd party system using their SMS 2.0 username/password using SAML 1, SAML 2, or WS-Federation (wsFed).

SkySTS is an IIS web-based application that needs to be installed and configured on the SMS 2.0 Web Server(s). The customer is responsible for the SAML configuration(s) in the 3rd Party Applications.

SkySTS Install for Cloud Hosted and Managed Services Customers

If you are Cloud Hosted, your hosting provider will install the SkySTS application. If you are Managed Services, IT Services will install the SkySTS application. Cloud Hosted and Managed Services customers should create an IT Services Service Call to request the SkySTS Install by calling 1-800-236-0001 or visiting the Support Center. The customer is responsible for configuring 3rd Party Relying Parties and Identity Providers in SMS 2.0.

If you are an ISCorp Secure Cloud-hosted customer, you must:
1. Provide the 3rd Party Metadata URL to Skyward or ISCorp so that they can enter a Firewall exception.
2. After the SkySTS install is completed you will be given your SkySTS URL.

Next Step: SMS 2.0 Application Configuration
SkySTS On-Premises Server Pre-Install Checklist

On-Premises System Requirements:
• SMS 2.0 February 2019 Release Addendum 6 or newer (05.19.02.00.06-11.7)
• Windows 2019 / 2016 / 2012 R2 / 2012 Server
• Windows 2012 requires Windows Service Pack 2
• VMware / Hyper-V / Citrix Xen virtual servers are supported
• .NET 4.5 or newer
• SkySTS can be set up on any SMS 2.0 Web IIS Server with Progress OpenEdge already installed.
• SkySTS can be configured while users are in Skyward.
• A purchased SSL Certificate is required (it can be the same certificate used by the SMS 2.0 Web application).

SkySTS On-Premises Install Summary

SkySTS configuration typically takes approximately 30 minutes or more of setup per Web Server.
1. Configure the SkySTS Application Settings (~5 minutes)
2. Run the 11.7 - SMS 2.0 SkySTS Server Install installer (~5 minutes)
3. Configure Identity Provider (IdP) or Relying Parties in SMS 2.0 (~10 minutes)
4. Configure 3rd Party Applications. (1)
5. Optional: Advanced Configuration options (~15 minutes)
6. Test SkySTS (~10 minutes)

(1) The customer is responsible for the SAML configuration(s) in the 3rd Party Applications.
SkySTS On-Premises Server Firewall Requirements

If the SMS 2.0 IIS Web Server(s) have a firewall between the Web Server and the database, please ensure the following ports are open. Customers may have defined custom ports when the initial setup was completed, so all ports should be verified using the OpenEdge Explorer / Management Tool.

Default ports used by SkySTS
• From Web Server(s) to Database Server → NameServer UDP Port 5162
• From Web Server(s) to Database Server → TCP Port for the Stateless AppServer
  o Student Management default → TCP 3095
  o School Management (Combined Database) default → TCP 3099
  o Student Management Training default → TCP 4001
  o School Management Training (Combined Database) default → TCP 4005
• Both directions, Web Server(s) / Database Server → TCP Port Range for the Stateless AppServer, default → TCP range 2002 – 2202

Note: The Stateless AppServer for Student Management is named asStuMon; for School Management (Combined Database) it is named asSkyMon. For Training systems, the Stateless AppServer for Student Management is named asStuMonTrn; for School Management (Combined Database) it is named asSkyMonTrn.

Choosing the SkySTS Server(s)

If only one Database/Web/Report Server is installed, then this is where the SkySTS Server will be configured. If you have multiple servers, you should configure SkySTS on the Web Server that is accessible from the internet. Verify the server meets the minimum requirements before configuring SkySTS. SkySTS can be configured while users are in SMS 2.0.

If .NET was recently installed, a reboot is suggested but not always necessary. In some rare situations, the server must be rebooted before SkySTS will work correctly.

If multiple load-balanced web servers exist, you must install SkySTS on every Web Server. Also complete the Additional IIS Setup for Load Balancing SkySTS to set up a Machine Key for the load-balanced servers; this information is included in Advanced Configuration Options at the end of this guide.
SMS 2.0 Application Configuration

Web Configuration / Single Sign-On Configuration

Note: The first step is to configure the SkySTS Single Sign-On (SSO) section of the Web Configuration page using the SMS 2.0 Student / School web application. Do not skip this step; the SkySTS application will not run if this SSO configuration screen is not completed. Some of the fields are auto-filled but editable. Some of the fields are blank and information needs to be entered.

1. Log into the SMS 2.0 web product → Product Setup → Skyward Contact Access → District Setup → Configuration → Select Web Configuration
2. Scroll down to the Single Sign-On section → Enter the SSO values described below → Save

Single Sign-On fields

SSO Button Text
  Description: The text that will display on the SSO button that will be added to the SMS 2.0 login screen. The SSO button will not display on the login screen if this field is left blank.
  Example: "Login using <IdP>", replacing <IdP> with the friendly name of your IdP, such as Office 365, Google, or ClassLink.

SSO URL
  Description: Leave this field blank for now; this will be added after you create an IdP record in SMS 2.0.
  Example: https://skyward.yourschool.org/skysts/sso/Skyward/login/Google

Organization Name
  Description: Enter an identifying name that will be used in the SkySTS metadata.
  Example: Your School District Name

Organization Display Name
  Description: Enter a display name that will be used in the SkySTS metadata.
  Example: Your School District Name

Organization URI
  Description: Enter the home page of the organization; it will be used in the SkySTS metadata.
  Example: http://www.yourschool.org

Base URL
  Description: Enter the Base URL of your SkySTS Application. For Cloud Hosted customers the URL is provided by Skyward or your Hosting provider.
  Examples:
    Student: https://skyward.yourschool.org/skysts/
    Business: https://skyward.yourschool.org/skystsbus/
    For ISCorp Gold/Silver Cloud Hosted customers:
      Student: https://skyward.iscorp.com/SkySTSyourschoolfin
      Business: https://skyward.iscorp.com/SkySTSyourschooledu

Next Step: If you are Cloud Hosted or Managed Services, please jump to Identity Provider / Relying Parties Configuration(s). If you are on-premises hosted and self-managed, continue on to the SkySTS Server Installation.
SkySTS Server Installation

Download SkySTS Installer Exe from Skyward FTP site

Note: The SkySTS installer only has choices for a Student or Combined SMS 2.0 setup. If you would like to have an SMS 2.0 Business setup for SkySTS, please contact IT Services by placing a call in the queue. If you are Cloud Hosted or Managed Services, please jump to SkySTS Install for Cloud Hosted Customers.

1. Connect to our Secure FTP site using the instructions found here: Secure FTP Instructions
2. Navigate to the Secure FTP folder Hardware → Public → OE11.7-Customer-DVD → Windows
3. Download the file 11.7 - SMS 2.0 - Role - SkySTS Server Install.exe
4. Save the exe file to the ?:\skyward\install folder on the Web server(s), where ? is the drive on which Skyward is installed

SSL Certificate Requirements

During the installation, you will be prompted to choose a certificate from the Local Computer Personal Certificate Store. You can use the same certificate that is used for the SMS 2.0 Web Applications if it is in the Local Computer Personal Certificate Store and it is exportable.
• The certificate must be in the Local Computer Personal Certificate Store.
• The certificate must contain the Public Key and Private Key (the certificate must be exportable).
SkySTS Server Install

Note: The 11.7 - SMS 2.0 - Role - SkySTS Server Install.exe needs to be installed on at least one SMS 2.0 Web server that runs the IIS Web Server.

1. To start the SkySTS Server install, double click the 11.7 - SMS 2.0 - Role - SkySTS Server Install.exe file.
2. The Welcome screen of the SkySTS Server Install will appear → Choose Next.
3. The Installation Folder window will display → The install will automatically detect the current OpenEdge installation path. If the path is not correct, change to the drive and folder path where Skyward was installed → Choose Next.
4. The Skyward Suites Selection window will display → Select either the Student Management or the School Management Suite (Student and Business Combined Database) → Choose Next.
5. The Training Database Setup window will display → Select either No Training Database or Only A Training Database → Choose OK.
6. The Programs Location window will display → Choose your Student Management, School Management, Student Management Training, or School Management Training program folder → Choose Next.
7. The Database Location window will display → Select Yes if this server is also your Student Management or School Management Database Server and proceed to step 8. Select No if this server is not your Database Server and proceed to step 7b. → Choose Next.
7b. If you selected No → Enter the IP Address and NameServer Port of your Student Management, School Management, Student Management Training, or School Management Training Database → Choose Next.
Note: The standard Student / School NameServer Port is 5162.
8. The Ready to Install window displays → Choose Next to start the installation.
9. The Installing SkySTS Server window displays → The information that scrolls across the screen can be viewed in the installer log file.
10. The Select A Certificate program displays a list of SSL Certificates from the Local Machine Personal SSL Store → Click More choices → Select the desired certificate → Click OK.
11. The Installation Complete window displays → Choose View Installer Log or View Launch Kit (this file) if desired → Choose Finish to exit the installer.

Congratulations! You have completed the installation. Now on to testing.

Test SkySTS Installation

1. From any web browser → browse to the Student/School URL https://{DNSNAME}/SkySTS (the URL is not case sensitive). The browser will display the SkySTS Manage Skyward Single Sign-On information page, with Refresh buttons in the title bar to read updated information if it is edited in the SMS 2.0 application.

If you reached this point without any errors, your SkySTS installation was successful.

Next Step: Add Identity Provider / Relying Parties Configuration(s)
Identity Provider / Relying Parties Configuration(s)

To use SkySTS with a 3rd Party you must complete SMS 2.0 to a remote Identity Provider Configuration and/or SMS 2.0 as an Identity Provider Configuration, depending on your authentication needs.

SMS 2.0 as an Identity Provider Configuration

This section is for users of a 3rd party system wanting to log into the 3rd party system using their SMS 2.0 username/password using SAML 1, SAML 2, or wsFed.

Add Relying Party Configuration(s)

This section is used for adding and configuring a Relying Party in SkySTS. The Relying Party information is supplied by the 3rd party that will be using SkySTS for authentication. If you do not have the Relying Party information, this can be skipped and added later.

Note: Michigan MiLearn customers can use the Michigan MiLearn Configuration.

1. Log into SMS 2.0 Web → Product Setup → Skyward Contact Access → District Setup → Configuration → Select Web Configuration → Scroll down towards the bottom of the page → Select the Relying Party Configuration button.
2. Select the Add button.
3. Each Relying Party must be added using the Add button (or Edit for an existing Relying Party) → Enter the values supplied by the Relying Party vendor in the Relying Party Maintenance screen → Save

The Relying Party Maintenance fields are described below.

Name
  Description: The identifier of the Relying Party. Utilized in SkySTS to create unique URL endpoints.
  Example: WordPress

Display Name
  Description: Display name of the Relying Party (for debugging purposes).
  Example: WordPress Saml Relying Party

Entity ID
  Description: Identity URI of the Relying Party (found in the Relying Party metadata).
  Example: https://blog.erd101.com/saml/

SSO URL
  Description: Single Sign-On endpoint. Often the same as the Entity ID (found in the Relying Party metadata).
  Example: https://blog.erd101.com/saml/

Login URL
  Description: Endpoint which starts the login process. Usually the same as the SSO URL above, but may have extra query string parameters, etc., depending on the system.
  Example: https://blog.erd101.com/login?userSaml=true

Require User to Specify Role
  Description: Whether to show the role drop down to the user.
  Example: True

Sign Message
  Description: Whether to cryptographically sign the entire token.
  Example: True

Sign Assertion
  Description: Whether to cryptographically sign the token assertion.
  Example: True

Use Blank URI Reference
  Description: Whether to leave the XML Signature URI reference blank. This should only be checked if all else fails; it is used to work around a bug in MS XML signature processing.
  Example: False

Federation Protocol
  Description: The protocol with which the Relying Party corresponds.
  Example: SAML2

Add Relying Party Claim(s)

SkySTS will provide claims about the user in the token assertion. These claims must be configured in the SMS 2.0 Application. Generally, at least a "NameID" claim and one other claim must be provided for the assertion to be valid, but the configuration of the claims depends on the information that the 3rd party Relying Party needs.

Claims Notes:
• SAML assertions require at least one claim.
• SAML1 assertions require URIs as the Claim Type.
• The "NameID" claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) is unique in that it is parsed out internally as the "Subject" of the assertion. Therefore, it does not count towards the one claim required.

1. To add a new claim, from the Relying Party page → Click on the arrow to expand your newly added Relying Party → Click Add Relying Party Claim
2. Add the Relying Party Claim provided by the 3rd party vendor in the Relying Party Claim Maintenance screen → Save

The Relying Party Claim fields are described below.

Claim Type
  Description: An identifier which the Relying Party will use to identify the claim on the receiving end. Specific to each Relying Party.
  Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

Skyward Field
  Description: The data of the Skyward User to send in the claim.
  Example: NameID

Description
  Description: Helpful display field for the generated metadata.
  Example: Name ID of User

Name Format
  Description: Almost always the default (shown in the example). Other values may be found at http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, section 8.2.
  Example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic

Next Step: Test Relying Party Configuration(s)
Configure Common Relying Parties

Michigan MiLearn Configuration

Configuring SkySTS as an IdP for Michigan MiLearn: a Relying Party and its Relying Party Claims must be configured for SkySTS to send assertions to the MiLearn application. The configuration for MiLearn will be consistent across all installations and is listed below. For help adding the Relying Party information in SMS 2.0, please refer to Add Relying Party Configuration(s).

Michigan MiLearn Relying Party Information

Please note: The Relying Party must be named "MiLearn" for the links within Skyward to be generated correctly.
• Name: MiLearn
• Display Name: Michigan DoubleLine Partners
• Entity Id: https://adfs.midatahub.org/adfs/ls/
• SSO URL: https://adfs.midatahub.org/adfs/ls/
• Login URL: https://sport.mde.state.mi.us/AuthServices
• Require User to Specify Role: True
• Sign Message: True
• Sign Assertion: False
• Use Blank URI Reference: True
• Federation Protocol: SAML2
Michigan MiLearn Required Claims

For help adding the Relying Party Claim information in SMS 2.0, please refer to Add Relying Party Claim(s).
• Claim 1
  o Claim Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  o Skyward Field: NameId
  o Description: Name ID of User
  o Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
• Claim 2
  o Claim Type: http://mde.skyward.com/claims/DistrictId
  o Skyward Field: District Code
  o Description: Display Code of the User
  o Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
• Claim 3
  o Claim Type: http://mde.skyward.com/claims/Role
  o Skyward Field: Role
  o Description: Role of User
  o Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
• Claim 4
  o Claim Type: http://mde.skyward.com/claims/UniqueId
  o Skyward Field: EDFI UniqueID
  o Description: EDFI Unique ID
  o Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:basic

Michigan MiLearn Setup and Training Manual

Next Step for MiLearn: Now that you have added MiLearn to your SkySTS configuration, please reference the Ed-Fi 3.1 Setup Guide for instructions on testing the MiLearn Integration.
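The following added example (Python, not Skyward's code) shows what the Relying Party Claim fields above and the MiLearn claim set turn into inside a SAML 2.0 assertion, and checks a claim configuration against the Claims Notes before it is saved. It uses a constructed user record and a hypothetical issuer URL; the XML signature that Sign Message / Sign Assertion control is out of scope here, so the assertion body is unsigned.

```python
"""Added example (not Skyward's code): render a Relying Party claim
configuration into the <saml:Subject> / <saml:AttributeStatement> shape of a
SAML 2.0 assertion, and validate the claim set against the Claims Notes."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ET.register_namespace("saml", SAML_NS)

# Constructed sample: the four MiLearn claims from this guide, plus a made-up
# user record to fill them from (all values are hypothetical).
RELYING_PARTY_CLAIMS = [
    {"claim_type": NAMEID_CLAIM, "skyward_field": "NameId"},
    {"claim_type": "http://mde.skyward.com/claims/DistrictId", "skyward_field": "District Code"},
    {"claim_type": "http://mde.skyward.com/claims/Role", "skyward_field": "Role"},
    {"claim_type": "http://mde.skyward.com/claims/UniqueId", "skyward_field": "EDFI UniqueID"},
]
SAMPLE_USER = {"NameId": "jdoe", "District Code": "12345",
               "Role": "Teacher", "EDFI UniqueID": "EDFI-0001"}


def _tag(name: str) -> str:
    return "{%s}%s" % (SAML_NS, name)


def validate_claims(claims: List[Dict[str, str]], protocol: str = "SAML2") -> List[str]:
    """Return the problems found; an empty list means the claim set satisfies the
    Claims Notes: one claim besides NameID, URI claim types when using SAML1."""
    problems = []
    # NameID is lifted into <saml:Subject>, so it does not count as a claim.
    if not [c for c in claims if c["claim_type"] != NAMEID_CLAIM]:
        problems.append("at least one claim other than NameID is required")
    for c in claims:
        if protocol == "SAML1" and "://" not in c["claim_type"]:
            problems.append("SAML1 claim type must be a URI: " + c["claim_type"])
        if not c.get("skyward_field"):
            problems.append("claim has no Skyward Field: " + c["claim_type"])
    return problems


def build_assertion(claims: List[Dict[str, str]], user: Dict[str, str],
                    issuer: str) -> ET.Element:
    """Build the unsigned assertion body: the NameID claim becomes the Subject,
    every other claim becomes a <saml:Attribute> named by its Claim Type."""
    assertion = ET.Element(_tag("Assertion"), Version="2.0")
    ET.SubElement(assertion, _tag("Issuer")).text = issuer
    subject = ET.SubElement(assertion, _tag("Subject"))
    name_id = ET.SubElement(subject, _tag("NameID"))
    statement = ET.SubElement(assertion, _tag("AttributeStatement"))
    for c in claims:
        value = user[c["skyward_field"]]  # the Skyward Field supplies the value
        if c["claim_type"] == NAMEID_CLAIM:
            name_id.text = value
            continue
        attr = ET.SubElement(statement, _tag("Attribute"), Name=c["claim_type"],
                             NameFormat=c.get("name_format", BASIC_FORMAT))
        ET.SubElement(attr, _tag("AttributeValue")).text = value
    return assertion


def summarize(assertion: ET.Element) -> Dict[str, object]:
    """Read back what the Relying Party sees: the Subject and the attribute map."""
    ns = {"saml": SAML_NS}
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=ns)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", ns)}
    return {"subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=ns),
            "attributes": attrs}


if __name__ == "__main__":
    # Hypothetical issuer following the SkySTS Base URL pattern used in this guide.
    doc = build_assertion(RELYING_PARTY_CLAIMS, SAMPLE_USER,
                          "https://skyward.yourschool.org/skysts/")
    print(validate_claims(RELYING_PARTY_CLAIMS), summarize(doc))
    print(ET.tostring(doc, encoding="unicode"))
```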
SMS 2.0 to a remote Identity Provider Configuration

This section is for customers that want Web users to authenticate to SMS 2.0 using credentials from a 3rd Party Identity Provider, such as Office 365 (Azure), ClassLink, Google, or another 3rd Party using SAML.

1. The first step is to create the 3rd Party Identity Provider SAML application(s) using the 3rd Party's configuration tool. For examples of common 3rd Party SAML Application(s), jump to → Configure Google SAML Application(s) or Configure Azure / Office 365 SAML Applications. For other 3rd Parties, reference the vendor's instructions for creating the SAML Application, then continue to SMS 2.0 Identity Provider Configuration.
Configure Google SAML Application(s)

Configuration of your Google SAML App within Google Admin is the responsibility of the customer; Skyward IT Services can help as a billable consulting service. If you are interested in billable consulting services, please submit an IT Services Service Call using the Support Center (Customer Login Required) or contact Tom Kellnhauser.

The Google link describing the steps to create a custom SAML application in the Google Admin Console is found here: https://support.google.com/a/answer/6087519?hl=en

You will want to open the SkySTS Base URL information page while adding the custom SAML Application. Ex. https://skyward.yourschool.org/SkySTS
The For Configuring (blue) section of the Identity Provider section holds information that you will need to copy/paste into the SAML application fields during setup.

Information when creating a custom SAML App in Google Admin

1. Identity Provider Details Suggested Field Values:
• ACS URL*: Enter your Assertion Consumer Service URL from SkySTS
• Entity ID: Enter your Entity ID URL from SkySTS
• Start URL: Leave blank
• Certificate: Leave the default Google Certificate listed
• Signed Response: Enable (checkbox checked)
• Name ID (1): Basic Information / Primary Email
• Name ID Format: EMAIL

(1) The Name ID is how Google and Skyward match up the SSO users. A common config is to match the Primary Email, which requires both systems to have the same email address entered for your SSO users.
2. Below the Certificate name, click Manage Certificates → Click Download IDP Metadata → Save as an .xml file → Open the .xml file in a text editor (Notepad). You will copy and paste this information when creating the SMS 2.0 Identity Provider for Google.

Note: If Google changes their Metadata information, it will break the SSO with Skyward until the new Metadata XML is updated in the Skyward IdP Maintenance screen.

Next Step: Configure the Identity Provider in SMS 2.0 → SMS 2.0 Identity Provider Configuration
Configure Azure / Office 365 SAML Applications

Configuration of your SAML App within the Azure Portal is the responsibility of the customer; Skyward IT Services can help as a billable consulting service. If you are interested in billable consulting services, please submit an IT Services Service Call using the Support Center (Customer Login Required) or contact Tom Kellnhauser.

The Microsoft link describing the steps to create a non-gallery SAML application in the Azure Portal is found here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications

You will want to open the SkySTS Base URL information page while adding the custom SAML Application. Ex. https://skyward.yourschool.org/SkySTS
The For Configuring (blue) section of the Identity Provider section holds information that you will need to copy/paste into the SAML application fields during setup.

Information when creating a custom SAML App in the Azure Portal

1. Identity Provider Suggested Field Values
• In Azure: Basic SAML Configuration
  o Entity ID: Enter your Entity ID URL from SkySTS
  o Reply URL (ACS URL): Enter your Assertion Consumer Service URL from SkySTS
  o Sign-On URL: After creating the IdP record in SMS 2.0, browse to the SkySTS Base URL, then in the Identity Providers area, use the Skyward Login URL for the Azure IdP for this field.
  o Relay State: Leave blank
  o Logout URL: Enter your Single Logout Service URL from SkySTS
• In Azure: User Attributes & Claims
  o NameID (1): Modify the NameID Claim Source Attribute: typically the Email Address or Login Name (Login Name = user.onpremisessamaccountname)
  o Modify the NameID User Identifier format to Persistent

(1) The NameID is how Azure and Skyward match up the SSO users. A common configuration is to match the Primary Email or the Login Name, which means the user's values must match in both systems.
Next Step: SMS 2.0 Identity Provider Configuration
SMS 2.0 Identity Provider Configuration

This section is for adding and configuring Identity Providers (IdP) in SkySTS. The IdP information is supplied by the 3rd party that SMS 2.0 will use for authentication.

1. In SMS 2.0 navigate to Product Setup → Skyward Contact Access → District Setup → Configuration → Select Web Configuration → Scroll down towards the bottom of the page → Select the Identity Provider Configuration button
2. Select the Add button to add a new IdP
3. Enter the Field Values listed below → Choose the Source Field → Save
Note: An error validating the IdP(s) MetaData URLs might occur while saving; this is a cosmetic issue and can be ignored.
Common IdP Field Values (* fields are required)
o *Name: Google or Azure (an arbitrary name that identifies the IdP)
o *Status: Active
o Metadata URL: Enter the 3rd Party IdP MetaData URL (preferred)
o Metadata XML: Only used when no MetaData URL is provided. For Google, copy/paste the contents of the IDP MetaData XML file.
o *Identity Claim Type: Leave as NameID
o *Source Field (1): Choose the field for the NameID claim; this will be the data that is used to identify users between SMS 2.0 and the IdP.
o Require Assertion Signed:
  ▪ For Google IdP: Disabled (checkbox unchecked)
  ▪ For Azure / Office 365 IdP: Enabled (checkbox checked)
  ▪ For others, match the 3rd Party IdP configuration
o Require Message Signed:
  ▪ For Google IdP: Enabled (checkbox checked)
  ▪ For Azure / Office 365 IdP: Disabled (checkbox unchecked)
  ▪ For others, match the 3rd Party IdP configuration
o Auto Redirect (2) Login Requests to this Identity Provider: Typically unchecked

(1) The Source Field is important because it determines the data field that Skyward uses for the NameID claim. A common config is to match the Email Address, which requires both systems to have the same email address entered for your SSO users. Another common config is to match the Login Name, which requires both systems to have the same login name entered for your SSO users.

(2) Auto-redirect, if checked, means that when running the SMS Web URL, the system will automatically redirect to the IdP Login. Use with caution.
• If the user is logged into the IdP on a device, then the user will automatically be logged into SMS using the same IdP credentials with no intervention from the user.
• If the user is NOT logged into the IdP on the device, then the IdP logon screen will display, and the user will enter their IdP credentials to authenticate to the SMS 2.0 Web application.

The IdP fields are further described below.
Field Name / Description / Example

Name
  Description: A unique name for the IdP
  Example: Office 365 IdP or Google

Status
  Description: The status of the IdP
  Example: Active (default) or Inactive

Metadata URL
  Description: IdP Metadata URL. Entering a Metadata URL is preferred over directly adding the Metadata XML. A Metadata URL will dynamically update if the Metadata from the Remote IdP changes.
  Example: https://FQDN/path/to/metadata

Metadata XML
  Description: IdP Metadata – Required if the Remote IdP does not provide a Metadata URL. If you enter the Metadata XML and the Remote IdP changes their Metadata, it will break the SSO until the new Metadata XML is updated in the IdP Maintenance screen.
  Example: Use ONLY if the Metadata URL cannot be supplied.

Identity Claim Type
  Description: Identity claim used between SMS 2.0 and the IdP
  Example: NameId (default value)

Identity Source
  Description: Choose the SMS 2.0 database source field that will be used in the Name Identifier (NameID) claim. The data in the field you choose is used to match the data in the claim from the remote IdP.
  Example: Default SMS 2.0 database field: Internal. Other fields available: Login Name (DUSERID), Alphakey, Email Address (NameEmail)

Require Assertion Signed
  Description: Either a Signed Assertion or a Signed Message is required.
  Example: Signed Assertion should be enabled by default

Require Message Signed
  Description: Either a Signed Assertion or a Signed Message is required.
  Example: Signed Messages should be disabled by default.

Auto-Redirect Login Requests
  Description: Auto redirects login requests to this IdP, instead of showing the SkySTS Skyward login page where an IdP button exists.
  Example: Disabled by default; if there are multiple IdP records this option can only be selected for one IdP record.

4. Obtain the SSO URL for your IdP by browsing to your SkySTS Base URL → in the upper right-hand corner, click the button to refresh your Identity Providers. Note: If the screen displays an error, click your browser's refresh button. Scroll down to the Identity Providers section; the Skyward Login URL is your SSO URL.
5. In SMS 2.0 navigate to Product Setup → Skyward Contact Access → District Setup → Configuration → Select Web Configuration → Scroll down to the Single Sign-On section → enter the SSO URL for your IdP.
Next Step: Configure which groups of users can log in using the Identity Provider → Configure User Login Option(s) in SMS 2.0
Configure User Login Option(s) in SMS 2.0

This section is for SMS 2.0 users logging into SMS 2.0 Web using credentials from a 3rd party IdP, such as Office 365 (Azure), ClassLink, or Google, using SAML 2. The system allows you to define which user types can log in using SAML 2 (also called Federated Services).

Note: Federated Services and LDAP authentication options can be used at the same time. This gives you flexibility; for example, you may configure Employees/Secured Users to log in using LDAP and configure a different group of users, such as Guardians or Students, to log in using SSO.

1. In SMS 2.0 navigate to Product Setup → Skyward Contact Access → District Setup → Configuration → Select Single Sign-On Configuration → Select the Federated Services radio option. Select the user types that are allowed to log in using SSO (Federated Services) → Save

Next Step: Test logging in using SSO → Test Identity Provider Configurations
Testing Relying Party / IdP Configurations

Test Relying Party Configuration(s)

The main configuration of SkySTS is done through an interface in the SMS 2.0 Web application. Changes to this configuration are pulled in during the initial boot of SkySTS and refreshed periodically or by using the refresh buttons. The SkySTS page provides useful information, including links to the Metadata for each configured Relying Party, which that Relying Party can consume for its own configuration.

1. From any web browser → Enter the Student/School URL https://{DNSNAME}/SkySTS (URLs are not case sensitive); Cloud Hosted customers use the SkySTS URL provided by the hosting provider → the Manage Skyward Single Sign-On page will display.
2. Relying Party Test
   a. If the Relying Parties do not display, click the Refresh Relying Parties button
   b. After clicking on the Refresh Relying Parties button… Skyward as a Relying Party will always be displayed, whether you are setting up Skyward to accept credentials from vendors such as Google or are going to use Skyward as the credentials for a vendor.
   c. To test the Relying Party login, click the Relying Party's Login URL → the 3rd party's login screen will display.
   d. To test the Relying Party Metadata, click the Relying Party's Metadata URL → an XML Metadata screen like the one below should load.

The Relying Party configuration in SMS 2.0 is complete. You will need to complete the IdP configuration in the 3rd party application.

Optional Next Step: Create a District Link or Newsfeed SSO-enabled link in Skyward → Adding an SSO Aware District Link in Family / Student Access or Adding an SSO Aware Newsfeed Link in SkyPort for All Users
Test Identity Provider Configuration(s)

The main configuration of SkySTS is done through an interface in the SMS 2.0 Web application. Changes to this configuration are pulled in during the initial boot of SkySTS and refreshed periodically or by using the refresh buttons. The SkySTS page provides useful information, including links to the Metadata for each configured IdP and commonly used URLs for each IdP.

1. From any web browser → Student/School URL https://{DNSNAME}/SkySTS (URLs are not case sensitive) → The Manage Skyward Single Sign-On page will display.
2. Identity Provider Test
   a. If the Identity Provider(s) do not display, click the Refresh Identity Providers button
   b. After clicking on the Refresh Relying Parties button…
3. If you configured an SSO Button URL, you can test the Identity Provider using the SSO button on the SMS 2.0 login screen, or you can test using the SkySTS Testing Login page found at: https://{DNSNAME}/SkySTS/sso//Skyward/login

If the testing was successful, congratulations! This completes the setup for using SSO with a 3rd party remote Identity Provider. If you need further assistance, go to Troubleshooting Identity Provider Configuration(s).
Troubleshooting Identity Provider Configuration(s)

The best way to diagnose configuration issues is to get a SAML trace of the failure. To gather a SAML trace using your web browser, follow these steps.

1. Install a SAML trace extension in your web browser: The most useful information can be captured using a SAML trace extension added to your web browser; I use the SAML Chrome Panel or the SAML-tracer for Chrome. There are others available if you have a preference or use a different web browser.
2. Hit F12 to display the developer tools in your browser; this will also let you see your SAML trace extension.
3. In the developer tools panel, locate the SAML tab of the extension you installed (example screenshot below).
4. Reproduce the SSO login issue until you receive an error message.
5. Locate the SAML entries in the SAML extension, select all, and copy the entire contents of each SAML entry to a text file. Repeat for each SAML entry.
6. Create an IT Services Service Call using Support Center and send the SAML trace text file(s) to Skyward. The SAML trace will typically help us find the problem.

Chrome Browser SAML Chrome Panel example:
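Before sending a trace anywhere, it helps to read it locally. The following script (an added example, not Skyward's code) decodes a SAMLResponse or SAMLRequest value as a trace extension shows it, reports where the IdP placed its signatures, and compares that with the Require Assertion Signed / Require Message Signed checkboxes of the IdP record. The sample response, hostnames and signature values are constructed stand-ins, and the script only reports signature placement; it does not cryptographically verify anything.

```python
"""Decode a SAML trace entry and compare it with the IdP record's signing
checkboxes.  Added example, not Skyward's code; it reports WHERE ds:Signature
elements sit, it does not cryptographically verify them.  Data is constructed."""
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed response: Assertion signed, Response unsigned (the pattern the
# guide describes for Azure / Office 365).  Hosts and IDs are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2021-02-11T12:00:00Z" Destination="https://sts.example.invalid/SkySTS">
 <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-02-11T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@district.example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2021-02-11T12:05:00Z"><saml:AudienceRestriction><saml:Audience>https://sts.example.invalid/SkySTS</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()  # POST-binding form value
_z = zlib.compressobj(9, zlib.DEFLATED, -15)  # Redirect binding: raw DEFLATE, then base64
SAMPLE_REQUEST_B64 = base64.b64encode(_z.compress(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_q1"/>') + _z.flush()).decode()


def decode_saml_param(value: str) -> str:
    """Turn a SAMLResponse/SAMLRequest form value back into XML text."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):               # plain base64 (POST binding)
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # DEFLATE + base64 (Redirect binding)


def analyze_response(xml_text: str) -> dict:
    """Pull out what an administrator needs to match the IdP record."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination", ""),
        # message signature = direct child of Response; assertion signature =
        # direct child of Assertion (nested matches are deliberately ignored)
        "message_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "audiences": [a.text for a in root.findall(".//saml:Audience", NS)],
    }


def check_signing_settings(analysis: dict, require_assertion_signed: bool,
                           require_message_signed: bool) -> list:
    """Findings where the record's checkboxes do not match what the IdP sent."""
    findings = []
    if require_assertion_signed and not analysis["assertion_signed"]:
        findings.append("Require Assertion Signed is enabled but the Assertion carries no Signature")
    if require_message_signed and not analysis["message_signed"]:
        findings.append("Require Message Signed is enabled but the Response carries no Signature")
    if not (analysis["assertion_signed"] or analysis["message_signed"]):
        findings.append("neither Response nor Assertion is signed; the IdP must sign at least one")
    return findings
```

Run against the sample with the Google-style settings from the field list (assertion unchecked, message checked) it reports one mismatch; with the Azure-style settings it reports none.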
Renewing the SSL Certificate

SSL Certificate Usage

There are 2 places the SSL certificate is used by SkySTS:
• The SkySTS WebSite Certificate, configured in the IIS Web Server binding
• The SkySTS Application Certificate, used for signing the XML messages sent to Relying Parties and configured in the SkySTS web.config configuration values

The SkySTS Application Certificate supports the following algorithms:
• RSA-SHA1
• RSA-SHA256
• RSA-SHA384
• RSA-SHA512

DSA is not supported, as it is also now deprecated. ECDSA is not currently supported.

Install the new SSL certificate using the SSL certificate vendor's instructions for Windows IIS web servers. The SkySTS Application Certificate must be marked as exportable during the installation.

SkySTS WebSite Certificate Renewal

To renew the SkySTS WebSite Certificate, install the new SSL certificate for IIS on the SkySTS Web Server(s). After installing the certificate, use the IIS Administration tool to modify the IIS HTTPS binding so that the binding uses the new certificate.

Impact: If the SkySTS WebSite SSL certificate is from a vendor that is trusted by the end-user clients, the renewal will have no impact on your end users.

SkySTS Application Certificate Renewal

To renew the SkySTS Application Certificate, make sure the new SSL certificate is installed or copied into the Windows Machine Certificate Store, in the Personal folder, on the SkySTS Web Server(s). You will then need to view the details of the certificate to obtain the thumbprint of the new certificate. This can be done using the MMC console with the Certificates snap-in. The last step is to update the [skyward]\SkySTS\Web.config configuration file, using the new thumbprint as the SigningCertificateIdentifier. For details see SkySTS Configuration Values.
Impact: The impact of an SSL certificate renewal depends on how the customer uses SkySTS and largely on the 3rd party vendor's ability to dynamically read the updated Metadata, since the certificate thumbprint will change. If the XML Metadata is statically configured by the 3rd party, it needs to be updated when the certificate is updated; if the vendor uses the Metadata URL and can dynamically read the certificate thumbprint change, no action is required. In typical 3rd party IdP / SSO use cases, such as Google or Azure, the IdP doesn't use our Metadata or Metadata URL. SkySTS can also act as an IdP, and in that case the 3rd party typically uses either the static XML Metadata or the Metadata URL. If the 3rd party was given the XML Metadata statically in its configuration, it must be manually updated when the SSL certificate changes.

SSL Certificate Permissions

IIS requires permissions on both the certificate and the certificate's private key. In some cases, you will need to manually add permissions to the private key. To do so, right-click the certificate in the store and select "All Tasks → Manage Private Keys". Click "Add…", and a new dialog will open. In this dialog, set the location as the current machine and the object name as "IIS AppPool\[NameOfAppPool]", as in the screenshot below.
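The stale-metadata problem runs in both directions: a remote IdP's metadata pasted into the Metadata XML field of the IdP record, and SkySTS's own metadata handed statically to a relying party, both break when the signing certificate behind them is renewed. The following script (an added example, not Skyward's code) reads the signing certificate out of a SAML metadata document, derives its SHA-1 thumbprint in the spaced-hex form the SigningCertificateIdentifier example uses, and compares it with a stored value, so a rotation is noticed before users report a broken login. The hostnames, metadata and certificate bytes in the sample are constructed stand-ins; a real document carries the base64 DER of an X.509 certificate.

```python
"""Detect a signing-certificate change in SAML metadata.  Added example, not
Skyward's code.  Compares the certificate found in a metadata document with a
stored thumbprint (Web.config / MMC style).  Hostnames, metadata and
certificate bytes below are constructed stand-ins, not real DER."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _sample_metadata(cert_der: bytes) -> str:
    """Minimal IdP metadata wrapped around a certificate blob (constructed)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="https://idp.example.invalid/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(cert_der).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.invalid/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# A real document carries base64 DER of an X.509 certificate; these are stand-ins.
METADATA_BEFORE = _sample_metadata(b"constructed DER bytes before certificate renewal")
METADATA_AFTER = _sample_metadata(b"constructed DER bytes after certificate renewal")


def parse_metadata(xml_text: str) -> dict:
    """entityID, SSO endpoint and DER signing certificates from IdP or SP metadata."""
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:                          # SkySTS as relying party publishes SP metadata
        role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor in metadata")
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    sso = role.find("md:SingleSignOnService", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_certs": certs}


def thumbprint(cert_der: bytes) -> str:
    """SHA-1 of the DER bytes, spaced like the SigningCertificateIdentifier example."""
    digest = hashlib.sha1(cert_der).hexdigest()
    return " ".join(digest[i:i + 2] for i in range(0, 40, 2))


def _normalize(thumb: str) -> str:
    """Accept MMC-style (spaces, upper case) or colon-separated thumbprints."""
    return thumb.replace(" ", "").replace(":", "").lower()


def signing_cert_changed(stored_thumbprint: str, metadata_xml: str) -> bool:
    """True when no signing certificate in the metadata matches the stored thumbprint."""
    current = {_normalize(thumbprint(c)) for c in parse_metadata(metadata_xml)["signing_certs"]}
    return _normalize(stored_thumbprint) not in current
```

Because a metadata document may list several signing certificates during a rollover, the check only fails when none of them matches the stored thumbprint.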
Advanced Configuration Options

Adding an SSO Aware District Link in Family / Student Access

District Links allow you to create a link to a 3rd party application that uses SkySTS for Single Sign-On. Family / Student Access users can click a link in Family / Student Access that automatically logs them into the 3rd party application using Skyward as the Identity Provider. This is common for 3rd party applications that are set up as relying parties.

1. Browse to Web Student Management → Student → Student Access → Setup → Configuration → District Link Setup → Click Add
2. Enter the Order → Enter the 3rd party SSO URL in the URL field → Enter your Link Text → Choose the entities → Choose your display options (Family Access / Student Access) → Enable the "Use SkySTS" advanced option → Save
Adding an SSO Aware Newsfeed Link in SkyPort for All Users

Newsfeed Links allow you to create a link to a 3rd party application that uses SkySTS for Single Sign-On. All users, including employees, can click a link in SkyPort that automatically logs them into the 3rd party application using SkySTS as the Identity Provider. This is common for 3rd party applications that are set up as relying parties.

1. Browse to Product Setup → Contact Access → District Setup → SkyPort Setup → Newsfeeds → Newsfeed Categories → Click Add → Example: SSO Links

Note: It is important to set a widget number so newsfeeds of this category can be added to the dashboard and appear together in the same widget.

2. Next, browse to Product Setup → Contact Access → District Setup → SkyPort Setup → Newsfeeds → Newsfeeds → Click Add
3. Choose the Category → Enter the Summary (example: Registration Gateway Staff) → Choose the Entities to Display For → Enable the Active setting → Choose your Display From / To dates → Enter the 3rd party vendor's SSO URL → Enable the Use SkySTS setting → Enter Link Text / Details → Save
4. Next, browse to Product Setup → Contact Access → District Setup → SkyPort Setup → District Widget Selection → Locate the Newsfeed Category (Example: SSO Links) → Select Display Widget Options → Save
5. The widget will appear on the user's SkyPort Dashboard like the example below.
Additional IIS Setup for Load Balancing SkySTS

If you use multiple load-balanced SMS 2.0 Web Servers, follow these steps to set up SkySTS for load balancing. SkySTS must be configured on all SMS 2.0 Web Servers that participate in load balancing.

1. Select one of the Skyward Web Servers that has SkySTS configured. Open the Administrative Tools Control Panel → Open the Internet Information Services (IIS) Manager.
2. Expand the IIS Server → Expand Sites → Expand the Skyward Web Site → Select the SkySTS Application → Click on the Machine Key icon.
3. Under Validation Key → Uncheck the option to automatically Generate at Run Time → Uncheck the option to Generate a Unique Key for each application → Under Decryption Key → Uncheck the option to automatically Generate at Run Time → Uncheck the option to Generate a Unique Key for each application.
Configuring Multiple SkySTS Instances

The template configuration file [skyward]\SkySTS\Web.config.template is set up to define multiple running instances of SkySTS for hosted sites. To run multiple SkySTS instances, each instance of SkySTS must have a unique configuration section defined with a unique name. The IIS Virtual Application must match the name of the configuration section.

For example, in a single instance installation, we would replace all mentions of "SkySTSCustomerOne" with the name of the actual customer, "SkySTSStevensPointWI", and set the configuration values for this customer within this configuration section. Once that is done we would replace all mentions of "SkySTSCustomerTwo" in the same manner. You can support as many instances of SkySTS on any one IIS Web Server as you wish by adding additional configuration sections and values. In IIS you must create a SkySTS Virtual Application for each configuration section; for the example above you would need a SkySTS Virtual Application named "SkySTSStevensPointWI".

Customizing Login Pages

You can add custom images and styling to the login page presented by SkySTS in much the same way as within SMS 2.0. Both a custom header and a custom footer for the page may be provided in the SkySTS web.config file. The application folder contains some example styling to use as a template, but any valid URL may be supplied within the configuration section. However, it is recommended that the files be placed in the supplied folder to avoid cross-domain issues. The header and footer are displayed within the login page of the STS in iframes on the page.
The following table describes in detail the SkySTS configuration values found in the [skyward]\SkySTS\Web.config file.

SkySTS Configuration Values

All relevant configuration settings are within the configuration section element you defined. The available configuration values are as follows:

KEY / DESCRIPTION / EXAMPLE

AppserverHost
  Description: OpenEdge AppServer Host
  Example: STUDB.skyward.com

AppserverName
  Description: OpenEdge AppServer Name
  Example: asStuMon

NameserverPort
  Description: OpenEdge Nameserver Port
  Example: 5162

SigningCertificateLocation
  Description: Type of certificate storage
  Example:
  • Store (will use the Machine Certificate Store and look up by thumbprint)
  • Resource (will use the certificate bundled with the application)
  • File (will use a certificate on the file system and look up by path)

SigningCertificateIdentifier
  Description: Thumbprint or path of certificate
  Example: d9 0b 3f 2a f7 18 f3 f6 2a 46 df bc 44 09 78 e3 0b f9 be 98

SkywardCommunityIDLogDirectory
  Description: Path in which to store log files
  Example: ?:\skyward\wrk\SkySTS

SkywardCommunityIDLogLevel
  Description: Lowest level of logging to display
  Example:
  • None
  • ErrorOnly
  • Basic
  • Verbose
  • Debug

LoginHeaderURL
  Description: Optional URL to a custom login page header
  Example: /SkySTS/CustomHTML/Header.html

LoginFooterURL
  Description: Optional URL to a custom login page footer
  Example: /SkySTS/CustomHTML/Footer.html