myBlueprint supports Single Sign On (SSO) integration to provide users a seamless login experience with existing Account Management System credentials. Account Management System refers to the user authentication and authorization system that allows users to access school computers. An example of an Account Management System is Microsoft Active Directory (AD).
Account Provisioning and Authentication
myBlueprint SSO allows for both account provisioning and authentication. For existing partners, or partners doing data integration, SSO can be used for authenticating the user, and providing a seamless login experience.
For new partners, SSO can be used to create new myBlueprint accounts for your users. We use the information provided by your IdP to pre-populate the signup form to simplify the account creation process.
Direct Integration
As an internet based application, myBlueprint is to be considered a SP (Service Provider) in the context of SSO. It facilitates SSO by delegating user login to the Account Management System’s IdP (Identity Provider). The following are required for successful integration:
- The IdP must be publicly accessible on the Internet
- The IdP must authenticate the user with the Account Management System
- The IdP must support SAML 2.0, or WS-Federation
- A trust must be setup between IdP and SP through either exchange of metadata or secret keys/configurations
- The IdP must be configured to provide the claims outlined in Parameter Specifications
Data Integration and Single Sign On
For our partners doing data integration, SSO allows users to seamlessly login to their account with their course records imported. Many of the data fields outlined below are unnecessary for the imported users as the data is already imported from your Student Information System.
The only required parameter is the User ID, which will be a unique ID that corresponds with an entry from your SIS.
The other fields are optional; however, we strongly recommend providing the Email claim as well to support staff SSO. Please note, without the email, existing staff accounts cannot be linked to an SSO credential.
Parameter Specifications
Parameter | Required | Info | ClaimType (Suggested) |
User ID | Required | Unique ID. Can be any unique string | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
Student ID | Required for Students (Not used for Staff) | Ministry Provincial Education Number or SIS Student Number | http://mybp/claims/ministryid http://mybp/claims/integrationid http://mybp/claims/studentnumber |
User Type | Optional (Required for staff account provisioning) | “Student” (Default) “Elementary Teacher” “Secondary Teacher” “Secondary Teacher Guidance” “Parent” “Teacher”[ | http://mybp/claims/usertype |
School ID | Optional (Required for staff account provisioning) | Unique School ID | http://mybp/claims/schoolid |
Optional (Required to link existing staff accounts) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | ||
First Name | Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | |
Last Name | Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | |
Grade | Optional (Recommended) | 0, 1, 2, etc. | http://mybp/claims/grade |
Birthday | Optional | yyyy-MM-dd yyyy-M-d MM/dd/yyyy M/d/yyyy | http://mybp/claims/birthday |
Gender | Optional | 1: Male 2: Female | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender |
Salutation | Optional for Staff | Mr, Mrs, Miss, Ms, Dr | http://mybp/claims/salutation |
If your data or claimtype does not conform to the exact format specified, speak to your myBlueprint IT contact.
Known Working IdPs
ADFS (Active Directory Federated Services) as IdP, authenticate with AD (Active Directory)
Azure Active Directory as IdP, through SAML 2.0
See below for details on setting up integration through Azure AD.
Google GSuite as IdP, through SAML 2.0
See below for details on setting up integration through GSuite
ADFS/SAML 2.0 Integration Steps
myBlueprint supports any IdP implementing SAML 2.0. To proceed with setting up SSO:
- Access myBlueprint’s security token service metadata (link below) to be used when setting up trust between your IdP and myBlueprint
https://sts.myblueprint.ca/FederationMetadata/2007-06/FederationMetadata.xml
- Configure your IdP to send the required claims
- Send your myBlueprint IT contact your IdP Metadata
- Provide an SSO testing account (username/email and password)
We will review and complete testing to ensure the SSO process works correctly. Depending on the parameters provided, users may be required to enter additional information upon first login.
Implementation Options
myBlueprint Landing Page
A myBlueprint Landing Page (i.e. myBlueprint.ca/District) provides a “Login with school account” button.
Once clicked, this button opens a dialogue with the District Login Screen provided by the District requesting users enter their District credentials (username/email and password). Entering the correct credentials directs the users into their myBlueprint account.
This option is like using your Facebook or Google credentials to log in to another online service.
Direct SSO Login
If you have a student (or staff) portal where users are already logged in with their SSO credentials, we can provide you a Direct SSO Login URL that will directly log users into their myBlueprint account. This option is an excellent way to provide seamless access to their myBlueprint account. To obtain your direct login URL if you already have SSO set up, please contact myBlueprint Support.
Azure AD Setup Guide
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
- Azure AD integration will require Azure AD Premium to support adding an unlisted application.
- Access your Azure Active Directory and Create your own application
- Name it myBlueprint and click Create
- Set up the Basic SAML Configuration as follows
- Identifier: http://sts.myblueprint.ca/adfs/services/trust
- Reply URL: https://sts.myblueprint.ca/adfs/ls/
- Configure your claims (refer to Parameter Specifications)
- Map Student Number to Azure AD field that contains student’s Provincial Student#, or other unique ID number from your SIS
- Copy the App Federation Metadata URL (see below) and send it to your myBlueprint contact, along with a screenshot of the Attributes & Claims panel shown above.
- Please copy and paste the metadata URL into an email, rather than sending the XML file, as this will allow us to automatically update the signing certificate when required.
- Ensure that all users of the myBlueprint application are granted access in Azure:
- all students in grades licensed by the district, and all teachers/counsellors or other staff working with the platform.
- Alternately, you can use the built-in ‘everyone’ group, and staff access will still be subject to admin approval within the myBlueprint application.
- For instructions, refer to:
- https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users#assign-a-user-account-to-an-enterprise-application
- https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50105-user-not-assigned-role - users not granted access will receive this error code when signing in
G Suite Setup Guide
Google Support Article for reference
- Navigate to your G Suite Admin page.
- Add a new Custom App
- Download the IdP Metadata file, and send this to myBlueprint Support
- Set up the Service Provider details as follows. The Name ID can be any value, as long as it is unique for all users.
- ACS URL: https://sts.myblueprint.ca/adfs/ls/
- Entity ID: http://sts.myblueprint.ca/adfs/services/trust
- Configure your claims. Please use the full URL-format claim type for the attribute name as detailed in the Parameter Specifications section
