
SSO Maintenance

Overview

Single sign-on (SSO) is a method of access control for multiple, related but independent software systems.

Under an SSO environment, once the user has logged in for the first time, they are then able to gain access to all systems without being prompted to log in again. TASS.web and/or portals will provide the SSO capability via a token-based method. 

In summary, SSO works as follows:

The portal user will authenticate through the school's network or other systems. It is likely that the user will authenticate with a username that is different from the username that they would have with TASS.

The school's application would then communicate with a TASS web service, passing across variables including a secure key, product id and user id.

TASS.web will look up the secure key, product id and username, and if valid will create a log-in token.

The school's portal will then launch the TASS portal, passing across the login token. The portal will check the login token to ensure it is valid. If it is, the user is given access to the product.

It is recommended that you read the 'Single Sign On (SSO) – Developer Implementation Guide' before attempting to use this program for the first time.

The information contained in the guide is protected by a password for security reasons.

Please contact the TASS helpdesk for a password before clicking on the link above.

Adding an SSO Application

The purpose of this program is to allow your school to:

  • Define the 3rd party applications that are able to make requests to TASS for an SSO token.

  • Configure some properties regarding the issuing of the SSO token for each 3rd party application (including the lifetime of the token).

  • Configure the username mappings between users in TASS (or portal) and the username that the 3rd party applications use to identify the user.

Each application only needs to be defined once. Once it has been defined, it will then be available for use with any of the TASS products or portals that require login credentials.

To add a new application, click the 'Add SSO Application' button to display a blank 'SSO Application Details' screen.

Fields that require detailed information

Application Code

This is a code to identify the third party application, e.g. MSI.

Application Description

The name of the third-party application, e.g. My School Intranet.

Application Server

The application server name or application IP address. 

If this field is populated, then requests for SSO tokens for this application will only be processed when they have originated from this server name or IP address.

Secure Key

A password that will need to be included within the web service request (for a token) to authenticate the connection.  It is encrypted in the database and on the screen.

Token Expiry Seconds

The time in minutes that a token will remain active once issued.

Single-Use Flag

Y = Token will be destroyed once it is used.

N = Token will not be destroyed.

Enabled Flag

Y = Web service requests for a token for this third party application are enabled.

N = Web service requests for a token for this third party application are disabled.

When satisfied with your entry, click the 'Save' button to commit your changes to the database or 'Cancel' to return to the selection screens.
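
The token flow from the overview, with the application fields above deciding whether a token is issued and how long it lives, as an added example that is not TASS code. `TokenService`, its method names, the product string and the key are hypothetical; the lifetime is taken in seconds following the field's name, and binding a token to one product is an assumption.

```python
import hmac, secrets, time
from dataclasses import dataclass

@dataclass
class SsoApp:                    # mirrors the 'SSO Application Details' fields
    code: str
    secure_key: str              # plain text here only to keep the sketch short
    server: str = ""             # blank = requests accepted from any origin
    expiry_seconds: int = 60     # assumption: lifetime in seconds, per the field name
    single_use: bool = True
    enabled: bool = True

class TokenService:              # hypothetical model of the issuing side, not the TASS web service
    def __init__(self, apps, mappings, clock=time.time):
        self.apps = {a.code: a for a in apps}
        self.mappings = mappings  # (app code, product, app user name) -> TASS user code
        self.clock = clock
        self.tokens = {}          # token -> (product, TASS user, expires_at, single_use)

    def issue(self, app_code, secure_key, product, app_user, origin):
        app = self.apps.get(app_code)
        if app is None or not app.enabled:        # 'Enabled Flag' = N
            return None
        if not hmac.compare_digest(secure_key.encode(), app.secure_key.encode()):
            return None                           # constant-time 'Secure Key' check
        if app.server and origin != app.server:   # 'Application Server' restriction
            return None
        tass_user = self.mappings.get((app_code, product, app_user))
        if tass_user is None:                     # no user mapping, no token
            return None
        token = secrets.token_urlsafe(32)         # unguessable, carries no user data
        self.tokens[token] = (product, tass_user, self.clock() + app.expiry_seconds, app.single_use)
        return token

    def redeem(self, token, product):
        entry = self.tokens.pop(token, None)      # pop first: a token is looked up once
        if entry is None:
            return None
        tok_product, tass_user, expires, single_use = entry
        if self.clock() >= expires or tok_product != product:
            return None                           # expired or wrong product: token stays dropped
        if not single_use:                        # 'Single-Use Flag' = N: keep until expiry
            self.tokens[token] = entry
        return tass_user

def demo():  # constructed data; 'bellm' -> 'BELL001' is the page's own mapping example
    svc = TokenService([SsoApp("MSI", "constructed-key", server="10.0.0.5")],
                       {("MSI", "Parent Lounge", "bellm"): "BELL001"})
    token = svc.issue("MSI", "constructed-key", "Parent Lounge", "bellm", "10.0.0.5")
    return svc.redeem(token, "Parent Lounge"), svc.redeem(token, "Parent Lounge")
```

`demo()` returns the TASS user code for the first redemption and `None` for the second, which is the replay protection a single-use token gives; with the flag set to N the same token stays valid until it expires.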

Adding User Mappings for an SSO Application

Once a third party application has been added (as detailed above) you can then add the mappings between the users' names in that application and the TASS.web user name.

Example: The third party application 'My School Intranet' has the Bell family with a code of 'bellm'.  This can be mapped to the TASS.web user code 'BELL001'.

Each third party application can have a different user name mapped to the same TASS.web user code.

Example: The third party application 'ABC Portal' has the Bell family with a code of 'bellm@nowhere.com'. This can be mapped to the TASS.web user code 'BELL001'.

To add a user mapping for an application, click the 'User Mappings' link to display a blank 'SSO User Mappings' screen.

Use the 'Product' filter to display the user mappings for a specific portal. This can also be used to delete the mappings for a 'Product': click the 'All' button and then click the 'Delete' button.

If there is a relatively small number of users to map, it is probably best to enter the mappings directly using the 'Add SSO Mapping' button.

Fields that require detailed information

TASS/Portal

The dropdown list will include the TASS applications that are currently SSO enabled.

TASS/Portal Username

This is the TASS user code.

The program will check that this is a valid user for the TASS product that you are using, e.g. BELL001.

SFA Number

This field is only relevant for Parent Lounge.

If this parent has been set up to have split family access in TASS.web program Student Admin > Parent Records > Setup Information > Parent Lounge Setup on the 'Split Family Access' tab, enter the SFA Number assigned to their record.

The program will check that this is a valid Parent Code/SFA combination.

SSO Application User Name

This is the user code in the third party application.

Where there are a large number of users to map, it may be better to use the upload from a CSV file option:

Create an Excel spreadsheet with the following columns:

Column A

TASS/Portal Username. (Refer to details above.)

Column B

SFA Number. (Refer to details above.)

Column C

SSO Application User Name. (Refer to details above.)

Then save the Excel spreadsheet as a CSV file.

Use the 'CSV Upload' button.

Pick the TASS/Portal that you will be uploading the mappings into from the dropdown list.

Browse to where you saved the CSV file.

Click the 'Next' button and the program will upload the SSO mappings.

The upload will check that the TASS user code is valid and that there is not already a mapping for this TASS user code/Third Party application combination. If either check fails, you will need to rectify the errors in your CSV file and retry the upload.
