
Google Workspace setup (formerly G Suite)

If you encounter any problems or have any follow-up questions, please contact us via our in-app chat or send us an email.

 

  1. Attribute table

  2. Google Workspace setup example

    1. Manage custom attributes

    2. Set values on custom attributes for a user

    3. Set up the SAML app

  3. Upload the metadata on the Digiexam organization 

  4. Starting the App and login challenge
    1. Starting the app

    2. Login challenge


 

1. Attribute table

The following user attributes are supported by Digiexam (for a larger image, right-click the image and open it in a new tab; a PDF file is available at the bottom of the guide):

Attribute_table.png
Figure 1

 

*If no sisSchoolUnitCode is passed with the Login Response, the user will have access to all organizations in the school organizational hierarchy.

**If no OrganizationRoles or eduPersonScopedAffiliation is passed with the Login Response, the user is assumed to have student access. 

 



2. Google Workspace setup example

Set up custom user attributes for roles and organizations:

If you do not have user attributes set up for Skolfederation, you need to add custom attributes to grant school staff users access in Digiexam.

 

2.1. Manage custom attributes

  1. Log in to Google Admin Console → Directory → Users → More → Manage custom attributes (figure 2).

    Manage_custom_attributes.png
    Figure 2

     

  2. In the top-right corner, click on Add custom attribute.

    1. Add Category and Description.
    2. Add the attributes below that you need, depending on which attributes you will send to Digiexam:

      • Name: OrganizationRoles
        Info type: Text
        Visibility: Visible to users and admin
        No. of values: Single Value or Multi-value (Digiexam supports both)

      • Name: sisSchoolUnitCode
        Info type: Text
        Visibility: Visible to users and admin
        No. of values: Single Value or Multi-value (Digiexam supports both)

      • Name: eduPersonScopedAffiliation (Skolfederation only)
        Info type: Text
        Visibility: Visible to users and admin
        No. of values: Single Value or Multi-value (Digiexam supports both)

Add_custom_attributes.png
Figure 3



2.2. Set values on custom attributes for a user

  1. Go to Google Admin Console → Users

  2. Select a user that will be able to use SSO

  3. Click on the section User Information.

  4. Edit the custom attributes you defined earlier:

    1. Set one of the following values on eduPersonScopedAffiliation to give the user a role:

      • Admin:
        member@digiexam;employee@digiexam;staff@digiexam
      • Teacher:
        member@digiexam;employee@digiexam;faculty@digiexam
      • Teacher and admin:
        member@digiexam;employee@digiexam;faculty@digiexam;staff@digiexam

        OR
         
    2. Set one or more of the following values on OrganizationRoles to give the user a role. Multiple values are separated by a semicolon (;):
      • teacher
      • admin
      • accountManager

      • (Optional) Set one or more unit codes on sisSchoolUnitCode to restrict access to specific schools in the organization hierarchy. Multiple values are separated by a semicolon (;).

  5. Click on Save 

User_information_sheet.png
Figure 4

 



2.3. Set up the SAML app:

  1. Log in to Google Admin Console → Apps → Overview → Web and mobile apps

  2. Press the button Add app in the top-menu bar

  3. Choose Add custom SAML app (figure 5)

    Add_custom_SAML_app.png
    Figure 5


  4. Add App name and upload an App icon, preferably the Digiexam logo:
    digiexam_logo_gradient.png (right-click to save the image)

  5. Then, click on Continue.

  6. Click on Download metadata and then click on Continue.

  7. Fill in the Service Provider Details listed below (example in figure 6):

    1. ACS URL:
      EU: https://app.digiexam.com/api/v1/saml/login
      US: https://app-us.digiexam.com/api/v1/saml/login

    2. Entity ID: 
      EU: https://app.digiexam.com/api/v1/saml/metadata
      US: https://app-us.digiexam.com/api/v1/saml/metadata

    3. Start URL: 
      EU: https://app.digiexam.com/app#/ 
      US: https://app-us.digiexam.com/app#/

    4. Signed Response: Leave unchecked
    5. Name ID: PERSISTENT

    6. Name ID Format: Basic Information → Primary Email

    7. Press Continue
      service_provider_details.png
      Figure 6

Set up attribute mapping

      1. Click on the Add mapping button (see figure 7 for an example).
        attribute_mapping.png
        Figure 7
      2. The Attributes need to be identical to either the Attribute name or the Urn name (figure 8).

        Screen_Shot_2018-08-16_at_16.20.46.png
        Figure 8
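A way to check a test login before rolling SSO out, as an added example that is not Digiexam's code: it reads the attributes from a captured SAML assertion and reports the roles and unit codes they carry, using the values from step 2.2 and the defaults from the attribute table notes. The function names, the use of the plain attribute names (not the URN names), and combining roles when both role attributes are sent are assumptions; values not listed on this page are only flagged.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ORG_ROLES = {"teacher", "admin", "accountManager"}
# The three eduPersonScopedAffiliation combinations listed in section 2.2.
BASE = {"member@digiexam", "employee@digiexam"}
AFFILIATIONS = {
    frozenset(BASE | {"staff@digiexam"}): {"admin"},
    frozenset(BASE | {"faculty@digiexam"}): {"teacher"},
    frozenset(BASE | {"faculty@digiexam", "staff@digiexam"}): {"teacher", "admin"},
}

def attributes(assertion_xml):
    """Map attribute name -> set of values; multi-value and ';' forms both accepted."""
    out = {}
    # ElementTree is fine for a response you captured yourself, not for untrusted XML.
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        vals = out.setdefault(attr.get("Name"), set())
        for v in attr.iterfind("saml:AttributeValue", NS):
            vals.update(p.strip() for p in (v.text or "").split(";") if p.strip())
    return out

def review(assertion_xml):
    """Return (roles, unit_codes, warnings) per the rules stated on this page."""
    attrs, warnings = attributes(assertion_xml), []
    org = attrs.get("OrganizationRoles", set())
    aff = attrs.get("eduPersonScopedAffiliation", set())
    if org - ORG_ROLES:
        warnings.append("unknown OrganizationRoles: %s" % sorted(org - ORG_ROLES))
    if aff and frozenset(aff) not in AFFILIATIONS:
        warnings.append("eduPersonScopedAffiliation is not a listed combination")
    # Assumption: when both attributes are sent, their roles are combined.
    roles = (org & ORG_ROLES) | AFFILIATIONS.get(frozenset(aff), set())
    if not org and not aff:
        roles = {"student"}
        warnings.append("no role attribute: user is treated as a student")
    units = attrs.get("sisSchoolUnitCode", set())
    if not units:
        warnings.append("no sisSchoolUnitCode: access to all organizations")
    return roles, units, warnings

# Constructed sample: teacher and admin roles, no unit code restriction.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement><saml:Attribute Name="OrganizationRoles">
<saml:AttributeValue>teacher;admin</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(review(SAMPLE))
```

A staff account that comes back with the student default or with the "all organizations" warning points to a custom attribute that was left empty or not mapped.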

 


 

3. Upload the metadata on the Digiexam organization 

  1. Log in to Digiexam and select the Account Manager role.

  2. Click on Organization → Integrations → Enable SAML integration (see figure 9) and upload the IDP metadata that was downloaded earlier in step 2.3.6 (the metadata file can be downloaded again if needed, see step 5 below).
    Upload_Metadata.png
    Figure 9

     

  3. If unit codes are used, add unit codes (sisSchoolUnitCode) to all organizations except for the organization that the IDP metadata file is uploaded to.

  4. If multiple Digiexam organizations use the same IDP, they will need to be connected to an umbrella organization (Attribute table). This connection can only be set up by Digiexam staff; if this is the case, please contact Digiexam support.

  5. To download the metadata again, in the Google admin console, go to:
    Apps → Web and mobile apps → [Your Digiexam app] → Download metadata
    Screenshot 2023-08-25 at 09.00.43.png
    Figure 10

 


 

4. Starting the App and login challenge

4.1. Starting the app

In Google, open apps and you should find Digiexam in the list (figure 11). Click on it, and it will take you to the login challenge for first-time use.

Screenshot 2023-08-25 at 08.53.57.png
Figure 11

 

4.2. Login challenge

Users who registered their accounts manually in Digiexam and then sign in with SAML Single Sign-On are challenged to enter their Digiexam password once per organization to allow SSO. If they are connected to an umbrella organization, they only need to sign on once; after that they get access to all underlying organizations. The challenge is in place to prevent malicious identity providers from gaining unauthorized access to user accounts.

Screenshot 2023-08-25 at 08.46.51.png
Figure 12



 


 
