LDAP/SAML Maintenance

Overview

This program is used to set up and maintain LDAP or SAML configurations for your TASS products.

The screen indicates the number of user mappings configured for each TASS product and whether the product has been LDAP or SAML enabled. A 'View' link is available against each of the TASS products in the 'Action' column.

Once LDAP or SAML is activated for a 'product', all users will be required to use their LDAP/SAML username and password to log in. Therefore, if a teacher or administrator does not have an LDAP/SAML account, they will no longer be able to log in to the 'product' by using their TASS code.

LDAP

LDAP stands for Lightweight Directory Access Protocol. It is a standard that can be used to map your TASS 'products' (TASS.web, Staff Kiosk, webBook, Parent Lounge/Parent Orbit and Student Café) users to LDAP-compliant directories such as Microsoft Active Directory, Apple Open Directory, Novell eDirectory or Jumpcloud.

If set up correctly, users can logon to their respective TASS 'products' using the same username and password they use to access the school's network. It also means that all the facilities for password protection, procedures and maintenance are handled by the respective LDAP provider.

SAML

SAML stands for Security Assertion Markup Language. It is a standard that can be used to map your TASS 'products' (TASS.web, Staff Kiosk, webBook, Parent Lounge/Parent Orbit and Student Café) users to Identity Providers such as Google, Microsoft ADFS, Azure AD, OneLogin or StudentNet.

If set up correctly, SAML will provide federated single sign-on for TASS products and portals. This means that users who have had their credentials already authenticated in another application can be automatically logged-into TASS 'products' without needing to re-enter their credentials. It also means that the logon experience plus all the facilities for password protection, procedures and maintenance are handled by the respective Identity Provider. 

LDAP Tab

Very Important! Fill out the 'LDAP' tab first, test your connection, but do not click the 'Save' button until you have set your user mappings in place by using the 'Users' Tab.

For TASS.web, when the 'Root' User does not exist in the 'Users' tab, the 'LDAP' tab will be disabled. The 'Root' User must be mapped in the 'Users' tab for the 'LDAP' tab to be active.

To set up or maintain the LDAP configuration, click the 'Edit LDAP' icon at the top of the screen.

A 'Delete LDAP' icon is available on the 'LDAP' tab.  This will delete the LDAP settings and therefore turn LDAP off for this 'product'.

The only reason you would delete your LDAP settings is if you have rebuilt your LDAP server and the LDAP configuration no longer exists.

Fields that require detailed information

Product Code

This indicates the TASS 'product' that you are setting up for LDAP integration.

Sequence Number

For schools that operate multiple companies under a single instance of TASS, an LDAP configuration can be enabled for each company.

(i.e. Enterprise enabled organisations with several schools).

This indicates the record number of the LDAP configuration.

If there is only one LDAP configuration, this field will display as '1'.

LDAP Root

Specify the OU that TASS will search to find user accounts.

Microsoft Active Directory

Example: DC=ALPHACOLLEGE,DC=QLD,DC=EDU,DC=AU

Jumpcloud Open Directory

Example: ou=Users,o=59cdbbc6144e69142c0f253b,dc=jumpcloud,dc=com

If using Jumpcloud, this is the 'LDAP Distinguished Name'.

LDAP Server

This is either the IP address or DNS name of the LDAP server.

For LDAPS, you must specify the fully-qualified DNS name of the LDAPS server.   

Microsoft Active Directory

Example: activedirectory  

Jumpcloud

Example: ldap.jumpcloud.com 

LDAP Filter

Enter the LDAP attribute that will represent the user's username.

This would usually be set to 'sAMAccountName' for Active Directory, 'CN' for Apple Open Directory or Novell and 'uid' for Jumpcloud.

LDAP Port

The port used for LDAP connections by your LDAP Server.

For LDAP, this is usually 389. For LDAPS, this is usually 636.

LDAP Admin User

The username for an account with 'read' permissions to the LDAP directory which will be used to search for users. Contrary to the name, it does not need (and should not have) administrative privileges. It needs to be specified as a fully distinguished name. It will be in a format similar to the below examples:

CN: Container Name

DC: Domain Controller

OU: Organisational Unit

uid: Unique Identifier

Microsoft Active Directory

Example: CN=tassldap,CN=users,DC=ALPHACOLLEGE,DC=QLD,DC=EDU,DC=AU

Apple Open Directory

Example: uid=tassldap,CN=users,DC=ALPHACOLLEGE,DC=QLD,DC=EDU,DC=AU

Novell e-Directory

Example: OU=users, o=yourOrganisation

Jumpcloud Open Directory

Example: uid=tassldap,ou=Users,o=59cdbbc6144e69142c0f253b,dc=jumpcloud,dc=com

LDAP Password

Enter the password for the 'LDAP Admin User' specified above.

For security purposes, this password will be encrypted and stored in the database.

LDAP Secure

Leave blank if you are using LDAP (i.e. not LDAPS). 

Choose from the below options:

  • CFSSL_BASIC
    Use this option where you want to use a server certificate to validate the connection to the LDAPS server.
    Microsoft Active Directory requires this option.

  • CFSSL_CLIENT_AUTH
    Use this option where you want to authenticate the connection to the LDAPS Server using a client certificate.
    Google GSuite requires this option.

You may be required to upload a server certificate using the KeyStore icon.

Username (for testing purposes only)

This is for testing only. To test the settings, enter a valid LDAP username and click 'Test Connection'. A message will then indicate whether the settings are correct.

Client Certificate

This field is only used with LDAP Secure. A certificate only needs to be provided if this is required by your LDAPS server.  

Use the 'Browse' button to locate the LDAP Secure file.

Client Cert Password

This field is only used with LDAP Secure.

Enter the password that is used to encrypt the Client Certificate.

Enabled

Set this field to 'No' to disable the LDAP configuration.

Once this detail has been completed click on the 'Test Connection' button.

If something is not set up correctly you will get a 'Test Connection was not successful' message. Check your settings.

If it is successful you will get a 'Test Connection was successful' message. Proceed to the 'Users' tab to set up the user mapping.

Do not click the 'Save' button until your user mappings are completed.
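Added example (not TASS code): a small checker that applies the rules from the 'LDAP' tab fields above to a configuration dictionary, together with the lookup filter that the 'LDAP Filter' attribute and a username produce. The field names (ldap_server, ldap_port, ldap_secure, client_certificate, ldap_admin_user) are assumptions chosen to mirror the tab's labels; the username is escaped per RFC 4515 so that it is always treated as a literal value in the filter.

```python
import ipaddress

# Characters that RFC 4515 requires to be escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def user_search_filter(attribute: str, username: str) -> str:
    """Build the lookup filter for the 'LDAP Filter' attribute, e.g. (sAMAccountName=jsmith).
    The username is escaped so it cannot change the structure of the filter."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in username)
    return f"({attribute}={escaped})"

def validate_ldap_config(cfg: dict) -> list:
    """Check an 'LDAP' tab configuration against the rules on this page.
    Returns a list of problems; an empty list means the fields are consistent.
    Key names are assumptions that mirror the tab's field labels."""
    problems = []
    secure = cfg.get("ldap_secure", "")       # blank means plain LDAP, not LDAPS
    server = cfg.get("ldap_server", "")
    port = int(cfg.get("ldap_port", 0))
    if secure:
        if secure not in ("CFSSL_BASIC", "CFSSL_CLIENT_AUTH"):
            problems.append(f"unknown LDAP Secure option {secure!r}")
        # LDAPS needs the fully-qualified DNS name so the server certificate can be validated
        try:
            ipaddress.ip_address(server)
            problems.append("LDAPS requires the server's DNS name, not an IP address")
        except ValueError:
            if "." not in server:
                problems.append("LDAPS requires a fully-qualified DNS name")
        if port == 389:
            problems.append("port 389 is the plain LDAP port; LDAPS is usually 636")
    else:
        if port == 636:
            problems.append("port 636 is the LDAPS port; set LDAP Secure or use 389")
        if cfg.get("client_certificate"):
            problems.append("Client Certificate is only used with LDAP Secure")
    # The admin account must be given as a distinguished name, not a bare username
    if "=" not in cfg.get("ldap_admin_user", ""):
        problems.append("LDAP Admin User must be a fully distinguished name")
    return problems
```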

KeyStore

You will only need to use this program if you are setting up LDAPS and a server certificate is required for authentication.

Click the 'KeyStore' icon button to:

  • Add a certificate to the Java KeyStore.

  • Access a list of certificates currently in the Java KeyStore.

  • Uninstall/reinstall certificates.

Add Certificate Tab

This tab enables you to upload a server certificate to enable TASS to 'trust' the connection to the LDAPS server. This will be required if your LDAPS server issues a self-signed certificate. 

Fields that require detailed information

Certificate Alias

Enter a description for this certificate.

Certificate File

The certificate needs to be in either DER-encoded or Base64-encoded CER format.

Use the 'Browse' button to locate the Client Certificate for use with LDAP Secure.

Existing Tab

This tab will display a list of all certificates in the Java Keystore.

A checkbox will be displayed in the 'Select' column for any certificates added to the Keystore using the 'Add Certificate' tab.

To uninstall a certificate, tick its checkbox and click the 'Uninstall' button at the bottom of the screen.

Reinstall Tab

This tab will display a list of certificates added to the Keystore using the 'Add Certificate' tab but are not currently in the Java Keystore. 

To reinstall a certificate, tick its checkbox and click the 'Reinstall' button at the bottom of the screen.

Any certificates uninstalled from the 'Existing' tab will be listed here. 

SAML Tab

To set up or maintain the SAML configuration, click the 'Edit SAML' icon at the top of the screen.

If your Identity Provider sends encrypted assertions/responses, you will need to obtain your own security certificate and record the 'Private Key'. Click the 'Add SP Private Key' button to enter the 'Private Key'.

If an 'SP Private Key' exists, a 'Clear SP Private Key' button will be available. Click this button to remove the 'SP Private Key' if required.

Fields that require detailed information

SP Entity ID

This field will display the product name for the SAML configuration.

SP Endpoint

This is the URL of the TASS product used for SAML, derived from program System Admin > Utilities > Product Activation Maintenance, e.g. https://[domain]/tassweb/SAML/

If a record does not exist for TASS.web, this URL will be derived from the tassweb.ini file on the TASS webserver.

For each product, only one 'Product Activation Maintenance' record can exist per company. If more than one exists, a warning message will be displayed.

IDP Metadata URL

Enter the Metadata URL from your Identity Provider if one exists.

When this field is populated, the 'Fetch IDP Metadata XML' button will become available. Clicking this button will give you the option to populate the below fields.

IDP Metadata XML

This field can be populated by clicking the 'Fetch IDP Metadata XML' button and accepting the option to populate this field. Alternatively, paste the Metadata XML from your Identity Provider.

Certificate (X.509)

This field can be populated by clicking the 'Fetch IDP Metadata XML' button and accepting the option to populate this field. Alternatively, click the 'Extract IDP Certificate (X.509)' button to populate this field.

If your Identity Provider sends encrypted assertions/responses, you will need to obtain your own security certificate and paste the 'Public Key' in this field. An example of this would be for use with Microsoft ADFS.
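Added example (not TASS code) of what the 'Extract IDP Certificate (X.509)' step does with the 'IDP Metadata XML' field: it reads the IdP's SAML 2.0 metadata and returns the certificate from the signing KeyDescriptor as a PEM block. The metadata below is constructed for the example, and its certificate body is a placeholder rather than a real X.509 certificate.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (not from any real provider);
# the X509Certificate content is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          TUlJQ0VYQU1QTEVDRVJU
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_certificate(metadata_xml: str, use: str = "signing") -> str:
    """Return the IdP X.509 certificate for the given use ('signing' or 'encryption')
    as a PEM block, which is what the 'Certificate (X.509)' field holds."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to both signing and encryption
        if kd.get("use", use) != use:
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        b64 = "".join(cert.text.split())        # metadata often wraps the base64 across lines
        base64.b64decode(b64, validate=True)    # reject anything that is not valid base64
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"
    raise ValueError(f"no {use} certificate found in IdP metadata")
```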

SP Metadata XML

This field can be populated by clicking the 'Fetch IDP Metadata XML' button and accepting the option to populate this field. Alternatively, click the 'Generate SP Metadata XML' button to populate this field.

An XML file of the SP Metadata can be downloaded by clicking the 'Download SP Metadata XML' button. An example of this would be for use with Microsoft ADFS.

Enabled

Set this field to 'No' to disable the SAML configuration.

An alert icon will appear when LDAP has already been enabled for this product.

To enable SAML, the LDAP configuration will need to be disabled.

Users Tab

This tab is used to map the users' TASS logon to their LDAP/SAML logon.

For TASS.web, where there are relatively few users, it is probably best to enter the mapping directly using the 'Add' button.

If using a Jumpcloud Open Directory, ensure each user has the option 'Enable as LDAP Bind DN' ticked in Jumpcloud.

Adding LDAP/SAML Mappings (One User at a Time)

Portal Code

This is the TASS user code. The program will check that this is a valid user for the TASS 'product' that you are using.

Multiple records can be entered for the same Portal Code for Parent Lounge/Parent Orbit only.

This enables schools to assign multiple usernames for the same Parent Code.

LDAP/SAML Username

This is the LDAP/SAML user name.

The program does not check that this account exists in your directory service, so care must be taken here.

CSV Upload (For Multiple Mappings)

For TASS 'products' such as Staff Kiosk, webBook, Parent Lounge/Parent Orbit and Student Café that have a large number of users, it may be better to use the upload from CSV File option.

Step 1:

Prepare an Excel® spreadsheet. In column 'A', place the users' entity code in TASS (e.g. Teacher Code, Parent Code or Student Code), and in column B place the users' LDAP/SAML username.

Step 2:

Save the Excel® spreadsheet as a CSV file.

Step 3:

Click the 'CSV Upload' button and browse to where you saved the CSV File in Step 2.

Click 'Save' to upload the LDAP/SAML mappings.

The upload will check for any TASS/Portal user who already has a mapping. It will display a 'user name in use' message against these users. You will need to delete these users' LDAP/SAML mappings before proceeding.

The upload program will also produce a warning where there is a user in the CSV file but no corresponding TASS/Portal user. It will display a 'portal code invalid' message against invalid users. If this happens you will either have to remove these users from the CSV file or add them as a valid TASS/Portal user.
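Added example (not TASS code) that pre-checks a mapping CSV in the layout from Step 1 before it is uploaded, reporting the same two conditions the upload program warns about: 'user name in use' for a Portal Code that already has a mapping and 'portal code invalid' for a code with no matching TASS/Portal user. The sample CSV, the set of valid codes and the existing mappings are constructed data; the allow_multiple flag is an assumption that models the Parent Lounge/Parent Orbit case where one Portal Code may have several usernames.

```python
import csv
import io

# Constructed sample file: column A is the TASS entity code, column B the LDAP/SAML username
SAMPLE_CSV = """T001,jsmith
T002,ajones
T003,bnguyen
X999,ghost
"""

def check_mapping_upload(csv_text: str, valid_codes: set, existing: dict,
                         allow_multiple: bool = False) -> list:
    """Return (portal_code, username, status) for each row of the CSV.
    status is 'ok', 'user name in use' or 'portal code invalid'.
    valid_codes: entity codes known to the TASS 'product'; existing: current
    mappings as {portal_code: username}."""
    results = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not any(cell.strip() for cell in row):
            continue                                   # skip blank lines Excel may leave behind
        code, username = [cell.strip() for cell in (row + ["", ""])[:2]]
        if code not in valid_codes:
            status = "portal code invalid"             # no corresponding TASS/Portal user
        elif code in existing and not allow_multiple:
            status = "user name in use"                # delete the old mapping first
        else:
            status = "ok"
        results.append((code, username, status))
    return results

def rows_needing_attention(results: list) -> list:
    """Only the rows the upload would warn about, so they can be fixed before uploading."""
    return [r for r in results if r[2] != "ok"]
```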

Bulk Delete

Some schools prefer to delete all LDAP/SAML mappings for a 'product' at the end of each year and upload a 'fresh' CSV file with all users for the new year.

If your new CSV Upload file is to replace all existing mappings for this 'product' (TASS, Staff Kiosk, webBook, Parent Lounge/Parent Orbit or Student Café etc.), use the 'Bulk Delete' icon at the top of the screen to delete all existing mappings before uploading.

Test and Save

Once you have completed your mappings, go back to the 'General' tab and, if you have completed all of the details and tested the connection, click 'Save'.
