Single Sign-on (SSO) allows schools to maintain centralized user authentication, and enables staff, students and even parents to log in to Orah using this centralized system. Orah supports the SAML 2.0 protocol, which is compatible with most user-directory systems, such as Active Directory or Google Apps.
If you would like to activate SSO functionality in your Orah account, please reach out to your Success Manager directly.
Provider Setup Guides
The following are links to specific setup guides, with more detailed instructions, created for the most common Identity Providers:
Otherwise, follow the general setup guide below.
General Setup Guide
The process for enabling SSO for users is as follows; refer to the Reference section below for complete documentation.
Note: Within the SAML terminology, the centralized authentication server is the Identity Provider (IdP) and Orah is the Service Provider (SP).
1 - Create a new Authentication Profile
Within the Admin Console > Authentication section of the Orah staff web application, create a new Authentication Profile.
2 - Add Orah to your Identity Provider Configuration
To allow Orah to authenticate against your user directory system, use the Profile Values from your newly created Authentication Profile. Either import the settings using the SP Entity ID metadata.xml or enter the values manually.
The NameID for Orah must always be an email address to which the user has inbox access.
Enable Assertion Signatures
If you are presented with an option to enable encryption of some sort, make sure encryption is disabled (HTTPS protects the transport instead).
If you don't use metadata.xml, manually fill out:
SP Entity ID
SP Login/Logout URL
[Optionally] SP Signing Certificate
Figure 1. Screenshot of a Microsoft Azure Active Directory configured to work with Orah. Note that the metadata.xml file is actually located at the URL given by the Entity ID.
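To make concrete what the metadata.xml behind the SP Entity ID contains, here is an added Python example (not Orah's own code, and not part of this guide) that builds a SAML 2.0 service-provider metadata document from the three Profile Values above and parses it back the way an IdP import does. The entity ID, ACS URL and certificate text are constructed placeholders, and Orah's real metadata may carry further elements.

```python
"""Build and parse a SAML 2.0 service-provider metadata document.

Added example, not Orah's own code. The entity ID, ACS URL and
certificate text used below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def build_sp_metadata(entity_id, acs_url, signing_cert_b64=None):
    """Return metadata XML for the SP identified by entity_id.

    acs_url is the SP Login URL (the assertion consumer endpoint); the
    optional signing_cert_b64 is the SP Signing Certificate as base64 DER
    without PEM headers, as it appears inside <ds:X509Certificate>.
    """
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root,
        f"{{{MD_NS}}}SPSSODescriptor",
        # The SP only signs AuthnRequests when it publishes a signing key.
        AuthnRequestsSigned="true" if signing_cert_b64 else "false",
        # Asks the IdP to sign assertions ("Enable Assertion Signatures").
        WantAssertionsSigned="true",
        protocolSupportEnumeration=SAMLP_NS,
    )
    if signing_cert_b64:
        key = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", use="signing")
        info = ET.SubElement(key, f"{{{DS_NS}}}KeyInfo")
        data = ET.SubElement(info, f"{{{DS_NS}}}X509Data")
        ET.SubElement(data, f"{{{DS_NS}}}X509Certificate").text = signing_cert_b64
    # The NameID must be an email address the user can receive mail at.
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = EMAIL_FORMAT
    ET.SubElement(
        sp,
        f"{{{MD_NS}}}AssertionConsumerService",
        Binding=HTTP_POST,
        Location=acs_url,
        index="0",
        isDefault="true",
    )
    return ET.tostring(root, encoding="unicode")


def parse_sp_metadata(xml_text):
    """Extract what an IdP needs from SP metadata: entity ID, HTTP-POST ACS
    URL, whether signed assertions are required, and published signing certs."""
    ns = {"md": MD_NS, "ds": DS_NS}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not an EntityDescriptor with an entityID")
    sp = root.find("md:SPSSODescriptor", ns)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    post_acs = [
        e for e in sp.findall("md:AssertionConsumerService", ns)
        if e.get("Binding") == HTTP_POST and e.get("Location")
    ]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    certs = [
        e.text.strip()
        for e in sp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns
        )
        if e.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "acs_url": post_acs[0].get("Location"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": certs,
    }


if __name__ == "__main__":
    # Constructed placeholder values standing in for an Authentication Profile.
    document = build_sp_metadata(
        "https://sp.example.test/saml/metadata",
        "https://sp.example.test/saml/acs",
        signing_cert_b64="MIIC...PLACEHOLDER...",
    )
    print(document)
    print(parse_sp_metadata(document))
```

When the IdP offers a metadata import, the values it extracts are exactly the ones `parse_sp_metadata` returns; when it does not, the same entityID and ACS Location are what you type into the SP Entity ID and SP Login URL fields by hand.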
3 - Complete Authentication Profile
Copy the Login URL and Public Certificate (required) from your IdP settings into the Orah Authentication Profile.
Use the Test Run button to test the configuration by logging in as any user in your user directory. A page indicating success means you can proceed to the next step.
Choose the user types this profile applies to and disable Orah login for any user types you do not wish to have a standard username/password login.
Figure 2. Screenshot of Microsoft Azure Active Directory displaying the fields required to complete configuration. Copy SAML Single Sign-On Service URL and SAML Signing Certificate - Base64 encoded into the Authentication Profile within Orah itself.
4 - Invite Users
Both new and existing users can be configured to use a new Authentication Profile.
For new users, select the profile at the time of invitation; the user will have to log in successfully to the IdP as part of the signup process.
For existing users, choose Change Login Method; they will receive an email and be required to log in successfully during the migration process.
It is also possible to change a user from authenticating using SSO to authenticating using Orah. It is possible to have a mix of login types amongst users.
Authentication Profiles Reference
Admin Console > Authentication
The Authentication settings page allows you to set up multiple SSO Profiles and select which are enabled and disabled for the 3 Orah user types. This paradigm allows Orah to be flexible in supporting any possible school configuration; however, we expect most schools to have just one, maybe two, Authentication Profiles. Staff users with the Administrator permission will have access to this settings page.
This section allows the administrator to enable or disable the ability for users to sign up and log in with an Orah username/password. Disabling this option for a particular user group will not break login for existing users; it will, however, prevent password login from being enabled for further users.
Create New Profile: Add an empty Authentication Profile to the settings page.
Test Run: Initiates a dummy SAML protocol exchange in a new tab. Use this to confirm that everything is set up correctly without having to first connect a SAML user to Orah.
Edit Profile: Authentication Profiles can be edited and the new configuration will apply to existing users authenticating against this profile.
Delete Profile: Deleting an Authentication Profile will leave any users tied to that profile in an orphaned state without the ability to log in to Orah. They must go through an email-invitation process initiated by an administrator; they cannot be attached automatically to a new profile. We recommend editing profiles to maintain existing users.
Save Profile: Please click Save before leaving the page to apply changed settings, or Cancel to discard any modifications.
Authentication Profile Details
Choose a friendly name for a profile. This will be displayed to the administrator as a choice when sending invitations.
Applicable User Types:
Select which Orah user types can be invited to use this profile. This should simply reflect which users are in that user directory. For any user types that do not authenticate using SSO, enable Orah Login and they will use a username + password managed by Orah.
Example: A school might have one Active Directory database for Staff, another for Students and no centralized login for parents. For this they would create 2 separate Authentication Profiles, each enabled only for one user type, and enable Orah Login only for parents.
These settings point Orah to a particular IdP server; the particulars should be available to copy from the IdP configuration into these fields.
IdP Login URL: The URL of the IdP SAML 2.0 assertion endpoint. This will process XML <AuthnRequest> payloads during the login process.
IdP Public Certificate: The public certificate that is used by Orah to verify XML <AuthnResponse> payloads signed by the IdP. This is mandatory and is the primary security mechanism ensuring logins cannot be spoofed by a malicious party.
These settings point the IdP server to Orah. Copy and paste these values into the IdP configuration. Likely only the first two fields will be necessary.
SP Entity ID: A URL representing Orah. This is actually an XML file containing the following two fields among others. If your IdP configuration supports it, the correct configuration can be imported from this XML file.
SP Login/Logout URL: The URL of the SAML 2.0 assertion endpoint for Orah. This will process XML <AuthnResponse> payloads during the login process. Currently Single Logout (SLO) is not supported, but may be in the future - users will log out from Orah independently of the centralized system.
SP Signing Certificate: [Optional] The public certificate that is used by the IdP to verify the XML <AuthnResponse> payloads signed by Orah. If the IdP configuration has a field to input it, this certificate should be used. The security of the protocol is actually not degraded by the absence of this signature check, so do not worry if the IdP does not use it.
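The IdP Public Certificate lets Orah verify the IdP's XML signature, but a signed response still has to be checked against the SP values above before the NameID is trusted. As an added example (not Orah's code, and not a description of its implementation), the following Python performs those checks on a samlp:Response once signature verification has passed: Destination must equal the SP Login URL, Audience must equal the SP Entity ID, InResponseTo must match the AuthnRequest that was issued, the assertion must be inside its validity window, and the NameID must be an email address. Signature verification itself needs an XML-DSig library and is assumed to have already succeeded; the endpoints, entity IDs and the sample response are constructed placeholders.

```python
"""SP-side checks on a SAML 2.0 <Response>, applied after signature verification.

Added example, not Orah's own code. Verifying the XML signature against the
IdP Public Certificate needs an XML-DSig library and is assumed to have
passed already. All URLs and the sample response are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLOCK_SKEW = timedelta(seconds=60)  # tolerance for IdP/SP clock drift

# Constructed placeholders for the profile's SP Entity ID and SP Login URL.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"


def parse_time(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing Z."""
    if not value or not value.endswith("Z"):
        raise ValueError("timestamp missing or not UTC")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, now,
                      entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL):
    """Return the asserted email on success; raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination binds the message to our endpoint; InResponseTo binds it to
    # a request we actually issued, rejecting unsolicited or replayed responses.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination mismatch")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    # Encryption is expected to be off at the IdP; TLS protects the transport.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("encrypted assertions are not supported")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("Assertion has no Conditions")
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before - CLOCK_SKEW <= now < not_on_or_after + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    # Audience must be our own entity ID, so an assertion issued for another
    # SP that trusts the same IdP is not accepted here.
    audience = conditions.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != entity_id:
        raise ValueError("Audience mismatch")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in email:
        raise ValueError("NameID must be an email address")
    return email


def sample_response(audience=SP_ENTITY_ID, destination=SP_ACS_URL,
                    name_id="jane.doe@school.example",
                    not_on_or_after="2024-05-01T10:05:00Z"):
    """A constructed, unsigned samlp:Response (the ds:Signature is omitted)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    Destination="{destination}" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def run_checks():
    """One well-formed response plus several that the SP must reject."""
    now = datetime(2024, 5, 1, 10, 1, 0, tzinfo=timezone.utc)
    results = {"good": validate_response(sample_response(), "_req1", now)}
    rejected = {
        "wrong_audience": sample_response(audience="https://other-sp.example.test/metadata"),
        "wrong_destination": sample_response(destination="https://other-sp.example.test/acs"),
        "non_email_nameid": sample_response(name_id="jdoe"),
        "expired": sample_response(not_on_or_after="2024-05-01T09:59:30Z"),
    }
    for label, xml_text in rejected.items():
        try:
            validate_response(xml_text, "_req1", now)
            results[label] = "ACCEPTED"
        except ValueError as exc:
            results[label] = str(exc)
    return results
```

Run `run_checks()` to see one accepted login and the reason each of the other responses is refused. The order of checks matters in practice: signature first, then message-level bindings (Destination, InResponseTo), then assertion conditions, and only then the identity in the NameID, which is what the profile maps to an Orah account.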
Can users be automatically imported using SSO?
No, SSO integration only does user authentication. User provisioning is left to the Data Integrations that we offer, as well as CSV import.
Can I use ____ SSO technology?
We have determined that the vast majority of our customers have systems that are compatible with the SAML 2.0 protocol. Some SIS systems have their own custom SSO protocols; please contact us if you wish Orah to integrate with your SIS.
Still having trouble?
If you didn't find the answer you were looking for, please use the blue bubble in the bottom right-hand corner to start a conversation with a member of our Customer Success Team.