myBlueprint supports Single Sign On (SSO) integration to provide users with a seamless login experience using their existing Account Management System credentials. Account Management System refers to the user authentication and authorization system that allows users to access school computers; an example of an Account Management System is Microsoft Active Directory (AD).
Account Provisioning and Authentication
myBlueprint SSO allows for both account provisioning and authentication. For existing partners, or partners doing data integration, SSO can be used for authenticating the user, and providing a seamless login experience.
For new partners, SSO can be used to create new myBlueprint accounts for your users. We use the information provided by your IdP to pre-populate the signup form to simplify the account creation process.
As an internet-based application, myBlueprint is considered an SP (Service Provider) in the context of SSO. It facilitates SSO by delegating user login to the Account Management System's IdP (Identity Provider). The following are required for a successful integration:
- The IdP must be publicly accessible on the Internet
- The IdP must authenticate the user with the Account Management System
- The IdP must support SAML 2.0, or WS-Federation
- A trust must be set up between the IdP and SP, either through an exchange of metadata or through secret keys/configurations
- The IdP must be configured to provide the claims outlined in Parameter Specifications
Data Integration and Single Sign On
For our partners doing data integration, SSO allows users to seamlessly log in to their account with their course records already imported. Many of the data fields outlined below are unnecessary for imported users, as the data is already imported from your Student Information System (SIS).
The only required parameter is the User ID, which will be a unique ID that corresponds with an entry from your SIS.
The other fields are optional; however, we strongly recommend also providing the Email claim to support staff SSO. Please note that without the email, existing staff accounts cannot be linked to an SSO credential.
Parameter Specifications (only fragments of the table survive on this page): (Required for staff account provisioning); Unique School ID
If your data or claimtype does not conform to the exact format specified, speak to your myBlueprint IT contact.
Known Working IdPs
ADFS/SAML 2.0 Integration Steps
myBlueprint supports any IdP implementing SAML 2.0. To proceed with setting up SSO:
We will review and complete testing to ensure the SSO process works correctly. Depending on the parameters provided, users may be required to enter additional information upon first login.
myBlueprint Landing Page
- A myBlueprint Landing Page (e.g. myBlueprint.ca/District) provides a “Login with school account” button.
- Users can also click School Account Login at myBlueprint.ca and select their district name from the drop-down menu, if SSO is enabled.
- This opens a dialogue showing the District Login Screen provided by the District, which asks users to enter their District credentials (username/email and password). Entering the correct credentials directs users into their myBlueprint account.
- Users can also be brought directly into their myBlueprint account if they are already authenticated.
Direct SSO Login
If you have a student (or staff) portal where users are already logged in with their SSO credentials, we can provide you with a Direct SSO Login URL that will log users directly into their myBlueprint account. This option is an excellent way to provide seamless access to their myBlueprint account - we recommend embedding it in any web portal, shared bookmarks, or tech resource pages used by your district. To obtain your direct login URL if you already have SSO set up, please contact myBlueprint Support.
Azure AD Setup Guide
- Azure AD integration will require Azure AD Premium to support adding an unlisted application.
- Access your Azure Active Directory and create your own application
- Name it myBlueprint and click Create
- Click Single Sign-on in the left-hand nav menu
- Click SAML
- Set up the Basic SAML Configuration as follows - ensure formatting is an exact match
- Identifier: http://sts.myblueprint.ca/adfs/services/trust
- Reply URL: https://sts.myblueprint.ca/adfs/ls/
- Click on the pencil icon to edit 'step 2', User Attributes and Claims, then configure your claims (refer to Parameter Specifications)
- Map Student Number to the Azure AD field that contains the student’s Provincial Student #, or another unique ID number from your SIS. Please advise your implementation contact which ID will be used.
- For provincial student number, use the claimtype http://mybp/claims/ministryid
- For school district / SIS local student ID, use the claimtype http://mybp/claims/integrationid
- Copy the App Federation Metadata URL (see below) and send it to your myBlueprint contact, along with a screenshot of the Attributes & Claims panel referenced above.
- Please copy and paste the metadata URL into an email, rather than sending the XML file, as this will allow us to automatically update the signing certificate when required.
- Ensure that all users of the myBlueprint application are granted access in Azure: all students in grades licensed by the district, and all teachers/counsellors or other staff working with the platform.
- Alternatively, you can use the built-in ‘everyone’ group; staff access will still be subject to admin approval within the myBlueprint application.
- For instructions, refer to:
G Suite Setup Guide
- Click Continue, then set up the Service Provider details as follows.
- ACS URL: https://sts.myblueprint.ca/adfs/ls/
- Entity ID: http://sts.myblueprint.ca/adfs/services/trust
- The Name ID can be any value, as long as it is unique across all users. Unless you wish to use a different value for your Name ID, you can leave it set to the default (primary email, format 'undefined').
- Click Continue, then configure your claims on the Attribute Mapping page. The main required claims to select under 'Google Directory Attributes' are: primary email, first name, and last name.
- For the App attributes, enter the full URL-format ClaimType for the corresponding parameter as detailed in the Parameter Specifications section (for example, Primary Email > http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
- The application is OFF for everyone by default - enable it for all users by clicking User access, selecting ON for Everyone and clicking SAVE
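The Identifier/Entity ID, Reply/ACS URL and claim types are the same for the Azure AD and G Suite setups above, so one way to verify your IdP's output before sending the metadata URL to myBlueprint is the following pre-flight check. It is an added example written for this page, not myBlueprint's own tooling; it assumes you can capture a test SAML assertion from your IdP (a constructed sample stands in for one here) and leaves signature and validity-window checks to the SP.

```python
# Added example: checks a captured SAML assertion against the SP values from this guide.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "http://sts.myblueprint.ca/adfs/services/trust"   # Identifier / Entity ID
SP_ACS_URL = "https://sts.myblueprint.ca/adfs/ls/"                # Reply URL / ACS URL
CLAIM_MINISTRY_ID = "http://mybp/claims/ministryid"
CLAIM_INTEGRATION_ID = "http://mybp/claims/integrationid"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

def check_assertion(xml_text):
    """Return {'claims': {...}, 'problems': [...]} for one Assertion or Response document."""
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return {"claims": {}, "problems": ["no saml:Assertion element found"]}
    problems = []
    # Audience must equal the SP identifier, or the SP will (correctly) reject the assertion.
    audiences = [x.text.strip() for x in a.findall(".//saml:Audience", NS) if x.text]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} != Identifier {SP_ENTITY_ID}")
    # Recipient must be the Reply/ACS URL; note it is https while the Identifier is http.
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append(f"Recipient != Reply URL {SP_ACS_URL}")
    claims = {}  # keyed by full ClaimType URL, as the attribute mapping emits them
    for attr in a.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims[attr.get("Name")] = vals[0] if len(vals) == 1 else vals
    if not (claims.get(CLAIM_MINISTRY_ID) or claims.get(CLAIM_INTEGRATION_ID)):
        problems.append("no user ID claim (ministryid or integrationid)")
    if not claims.get(CLAIM_EMAIL):
        problems.append("email claim missing; existing staff accounts cannot be linked")
    return {"claims": claims, "problems": problems}

# Constructed sample (not captured from a real IdP): correct endpoints, ministryid, no email.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml:Subject><saml:NameID>student@example-district.invalid</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sts.myblueprint.ca/adfs/ls/"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>http://sts.myblueprint.ca/adfs/services/trust</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="http://mybp/claims/ministryid">
  <saml:AttributeValue>123456789</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```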