SSO Maintenance
Overview
The ‘SSO Maintenance’ program allows your school’s TASS.web administrator to define third-party apps requesting SSO tokens, configure token properties, manage username mappings manually or via CSV, and ensure secure, token-based single sign-on across systems.
SSO provides seamless, secure access to TASS products for users authenticated via the school's network. You can configure SSO User Mappings for TASS products: TASS.web, Staff Kiosk (including Staff Orbit), Parent Lounge (including Parent Orbit), and Student Cafe.
Important!
Read the Single Sign On (SSO) – Developer Implementation Guide before using this program. The guide is password-protected for security. Contact TASS Customer Care to request access.
This program can be accessed by navigating to TASS.web System Admin > Users.
Important!
Only users with TASS.web administration permissions can access this program. Schools must establish procedures to control user access for data security purposes.
About Single Sign On
Single sign-on (SSO) is a method of access control for multiple, related but independent software systems.
In an SSO environment, once a user logs in for the first time, they can access all systems without being prompted to log in again. TASS.web and/or portals will provide the SSO capability via a token-based method.
In summary, the SSO process works as follows:
The portal user will authenticate through the school's network or other systems. It is likely that the user will authenticate with a username different from the one they have with TASS.
The school's application then communicates with a TASS.web service, passing across variables including a secure key, product ID and user ID.
TASS.web will look up the secure key, product ID, and username, and, if valid, create a login token.
The school's portal will then launch the TASS portal, passing across the login token. The TASS portal will check that the login token is valid and, if it is, give the user access to the product.
Adding an SSO Application
The purpose of this program is to allow your school to:
Define the third-party application that can make requests to TASS for an SSO token.
Configure some properties regarding the issuing of the SSO token for each third-party application (including the lifetime of the token).
Configure the username mappings between users in TASS (or the portal) and the usernames that third-party applications use to identify users.
Each application only needs to be defined once. Once defined, it will be available for use with any TASS product or portal that requires login credentials.
To add a new application, click the 'Add SSO Application' button to display a blank 'SSO Application Details' screen.
Fields that require further explanation | |
Application Code | This is a code to identify the third-party application, e.g. MSI. |
Application Description | The name of the third-party application, e.g. My School Intranet. |
Application Server | The application server name or application IP address. If this field is populated, requests for SSO tokens for this application will only be processed when they originate from this server name or IP address. |
Secure Key | A password that will need to be included within the web service request (for a token) to authenticate the connection. It is encrypted in the database and on the screen. |
Token Expiry Seconds | The time in seconds that a token will remain active once issued. |
Single-Use Flag | Select 'Yes' for the token to be destroyed once it is used. Select ‘No’ for the token not to be destroyed. |
Enabled Flag | Select ‘Yes’ to enable token requests from this third-party application. Select ‘No’ to disable token requests from this third-party application. |
When satisfied with your entry, click 'Save' to commit your changes to the database, or 'Cancel' to return to the selection screens.
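The following added example models how the settings above interact when a token is requested and later presented. It is an illustrative model written for this page, not TASS code and not the TASS.web web service interface (which is described in the Developer Implementation Guide); the class, method and parameter names are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class SsoApplication:
    """Hypothetical record; fields mirror the 'SSO Application Details' screen."""
    secure_key: str                 # kept in clear only to keep this model short
    token_expiry_seconds: int
    single_use: bool = True
    enabled: bool = True
    application_server: str = ""    # blank means no origin restriction
    mappings: dict = field(default_factory=dict)  # (product, sso_user) -> TASS code

class TokenService:
    """Model of the issue/redeem checks; not the TASS.web web service."""

    def __init__(self, app, clock=time.monotonic):
        self.app, self.clock, self.tokens = app, clock, {}

    def issue(self, secure_key, product, sso_user, origin):
        app = self.app
        if not app.enabled:
            return None
        if app.application_server and origin != app.application_server:
            return None
        # Constant-time comparison avoids leaking the key through timing.
        if not hmac.compare_digest(secure_key.encode(), app.secure_key.encode()):
            return None
        tass_code = app.mappings.get((product, sso_user))
        if tass_code is None:
            return None
        token = secrets.token_urlsafe(32)  # unguessable random value
        expires_at = self.clock() + app.token_expiry_seconds
        self.tokens[token] = (product, tass_code, expires_at)
        return token

    def redeem(self, token, product):
        entry = self.tokens.get(token)
        if entry is None:
            return None
        token_product, tass_code, expires_at = entry
        if self.clock() >= expires_at or token_product != product:
            self.tokens.pop(token, None)
            return None
        if self.app.single_use:
            del self.tokens[token]  # a replayed token finds nothing
        return tass_code
```

In this model a short 'Token Expiry Seconds' value combined with 'Single-Use Flag' set to 'Yes' limits how long, and how many times, an intercepted token could be presented.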
Adding User Mappings for an SSO Application
Once a third-party application has been added (as detailed above), you can add the mappings between the users' names in that application and the TASS.web user names.
Example
The third-party application 'My School Intranet' lists the Bell family under the code 'bellm'. This can be mapped to the TASS.web user code 'BELL001'.
Each third-party application can have a different user name mapped to the same TASS.web user code.
Example
The third-party application 'ABC Portal' has the Bell family with a code of 'bellm@nowhere.com'. This can be mapped to the TASS.web user code 'BELL001'.
To add a user mapping for an application, click the 'User Mappings' link in the Action column to display a blank 'SSO User Mappings' screen.
Use the 'Product' filter to display the user mappings for a specific portal. This can also be used to delete mappings for a 'Product' by clicking the 'All' button, then clicking the 'Delete' button.
You can add individual SSO user mappings using the ‘Add SSO Mapping’ button or upload mappings in bulk via CSV using the ‘CSV Upload’ button.
Adding Individual SSO User Mappings
If there are only a few users to map, click the 'Add SSO Mapping' button and enter details into the following fields:
Fields that require further explanation | |
TASS/Portal | The dropdown list will include the TASS applications that are currently SSO-enabled. This program references ‘Teacher Kiosk’. From version 53, ‘Teacher Kiosk’ was renamed to ‘Staff Kiosk’. |
TASS/Portal Username | This is the TASS user code. The program will verify that this is a valid user for the TASS product you are using, e.g., BELL001. To map users, a user account and username must exist in TASS.web with the required product access enabled:
|
SFA Number | This field is only relevant for Parent Lounge SSO User Mappings. If this parent has been set up to have split family access in TASS.web Student Admin > Parent Records > Setup Information > Parent Lounge Setup on the 'Split Family Access' tab, enter the SFA Number assigned to their record. The program will check that this is a valid Parent Code/SFA combination. |
SSO Application User Name | This is the user code in the third-party application. |
Adding Bulk SSO User Mappings
Where there are a large number of users to map, it may be better to use the CSV upload option. To do this, you will need to create a CSV file with the following columns.
CSV Column | Description |
Column A | TASS/Portal Username. (Refer to details above.) |
Column B | SFA Number. (Refer to details above.) |
Column C | SSO Application User Name. (Refer to details above.) |
Then, select the 'CSV Upload' button.
* TASS / Portal | Select the TASS/Portal from the dropdown list where you will upload the mappings. Options include TASS.web, Staff Kiosk (including Staff Orbit), Parent Lounge (including Parent Orbit), and Student Cafe. This picklist references ‘webBook’. The webBook program was decommissioned from v01.060.01.200, and features previously offered by this program are now available in Staff Kiosk Assessment. |
* File Name | Click ‘Choose File’ to select the CSV file that you created. |
Then, click the 'Next' button to upload the SSO mappings.
The upload will check that the TASS user code is valid and that there is no existing mapping for this TASS user code/third-party application combination. If either check reports errors, you will need to rectify them in your CSV file and retry the upload.
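A mapping file can be checked locally before it is uploaded. The following is an added example, not part of TASS: it assumes a three-column file with no header row, treats a TASS code repeated within the file as a likely duplicate-mapping error, and also flags an SSO Application User Name listed against two different TASS codes, which is a review check added here and not one of the upload checks described above. The function name and sample rows are constructed.

```python
import csv
import io

# Constructed sample: Column A = TASS/Portal Username, B = SFA Number,
# C = SSO Application User Name. No header row is assumed.
SAMPLE = """BELL001,,bellm
SMIT002,1,smithj
BELL001,,bell.m
JONE003,,bellm
WONG004
"""

def check_mapping_csv(text, product):
    """Return (row_number, problem) pairs found before upload."""
    problems = []
    seen_tass = {}  # (TASS code, SFA) -> first row that used it
    seen_sso = {}   # SSO user name -> (row, (TASS code, SFA))
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 3:
            problems.append((n, f"expected 3 columns, found {len(row)}"))
            continue
        tass_code, sfa, sso_user = (cell.strip() for cell in row)
        if not tass_code or not sso_user:
            problems.append((n, "Column A and Column C must be filled in"))
            continue
        if sfa and product != "Parent Lounge":
            problems.append((n, "SFA Number only applies to Parent Lounge"))
        # Assumption: codes compare case-insensitively.
        key = (tass_code.upper(), sfa)
        if key in seen_tass:
            problems.append((n, f"{tass_code} already mapped on row {seen_tass[key]}"))
        else:
            seen_tass[key] = n
        # One external identity resolving to two TASS accounts is ambiguous.
        prev = seen_sso.get(sso_user.casefold())
        if prev is None:
            seen_sso[sso_user.casefold()] = (n, key)
        elif prev[1] != key:
            problems.append((n, f"{sso_user} also maps to {prev[1][0]} on row {prev[0]}"))
    return problems
```

A file-only check cannot confirm that a TASS user code exists or that a mapping is already stored in TASS.web; those checks are still made by the upload itself.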