This is not a fully complete version of the guide, if you encounter any problems or have any follow-up questions please contact us via our in-app chat or submit a support ticket through the support tab https://app.digiexam.com/app#/support.
1. Attribute table
The following user attributes are supported by DigiExam:
(Click the image or here for bigger image)
*If no sisSchoolUnitCode is passed with the Login Response the user will have access to all organizations in the school organizational hierarchy.
**If no OrganizationRoles or eduPersonScopedAffiliation is passed with the Login Response the user is assumed to have student access.
2. G-suite setup example
Setup custom user attributes for roles and organizations:
If you do not have user attributes setup for Skolfederation you need to add custom attributes to grant school staff users access in DigiExam.
-
Login to Google Admin Console -> Users -> Manage custom attributes
-
Add an attribute with the following settings:
OrganizationRoles - Text - Visible to admin - Single Value. -
Add an attribute with the following settings:
eduPersonScopedAffiliation - Text - Visible to admin - Single Value. - Add an attribute with the following settings:
sisSchoolUnitCode - Text - Visible to admin - Single Value.
Set values on custom attributes for a user:
-
Go to Google Admin Console -> Users
-
Select a user (Select a user that will be able to use SSO)
-
Click on User Information.
-
Edit the custom attributes you defined earlier:
- Set one of the following values on eduPersonScopedAffiliation to give the user a role:
- member@digiexam;employee@digiexam;staff@digiexam for admin
- member@digiexam;employee@digiexam;faculty@digiexam for teacher
- member@digiexam;employee@digiexam;faculty@digiexam;staff@digiexam for teacher and admin
- OR Set one or more of the following values on OrganizationRoles to give the user a role, multiple values are separated by semi-color ( ; ) :
- teacher
- admin
- accountManager
- (Optional) Set one or more unit codes on sisSchoolUnitCode to restrict access to specific schools in the organization hierarchy, multiple values are separated by semi-color ( ; ).
- Set one of the following values on eduPersonScopedAffiliation to give the user a role:
- Save
Setup the SAML app:
-
Login to Google Admin Console -> Apps -> SAML Apps
-
Press the add button in the bottom right corner
-
Choose “Setup my own custom app”
-
Download the IDP Metadata file to your computer
-
Press Next
-
Fill in Basic Information
-
Application Name: [Name]
-
Description: (Optional)
-
Logo:
(Right click to save image)
-
Press Next
-
Fill in Service Provider Details listed below (Step 4 of 5)
-
ACS Url:
EU: https://app.digiexam.com/api/v1/saml/loginUS: https://app-us.digiexam.com/api/v1/saml/login -
Entity ID:
EU: https://app.digiexam.com/api/v1/saml/metadata
US: https://app-us.digiexam.com/api/v1/saml/metadata -
Start URL:
EU: https://app.digiexam.com/app#/
US: https://app-us.digiexam.com/app#/ - Signed Response: Leave unchecked
-
Name ID: Basic Information -> Primary Email
-
Name ID Format: PERSISTENT
-
Press Next.
8. Setup Attributes mappings.
The Attributes need to be identical to either the Attribute name or the Urn name. See [Attributes Tables]
3. Setup the metadata on the DigiExam organization
- Logging on https://app.digiexam.com/app#/login and then select the role of account manager.
- Head into the Integrations tab and upload the IDP metadata.
-
Specify a Unit code, this is the sisSchoolUnitCode
-
If multiple DigiExam organisations use the same IDP they will need to be connected to an umbrella organisation, see Attribute table. This connection can only be set up by DigiExam staff.
4. Starting the App and login challenge
Starting the app
If you browse into your apps in google you should find DigiExam in the list. Click on it and it will take you to the login challenge for first-time use.
Users that have registered accounts manually in DigiExam and then perform a Single Sign-On using SAML are challenged to enter their password once per organization to allow SSO. If they are connected to an umbrella organization they only need to sign on once and they get access to all underlying organizations.
The users only need to do this once and it is in place to prevent unauthorized access to user accounts by malicious identity providers.
---
Here you can find all the available docs or images for download.
Comments