Table of contents
- How does DigiExam work with SAML?
- More information specific to DigiExam
- More about SAML in DigiExam
How does DigiExam work with SAML?
DigiExam acts as a SAML Service Provider (SP) and offers only the Single Sign-On (SSO) service derived from SAML2 int. It supports only unsolicited login attempts, which means there is no Identity Provider (IDP) discovery.
IDP discovery usually means that a "Login with..." button is placed on the SP side (in this case DigiExam). When it is clicked, the user is sent to the IDP to log in with their credentials. The IDP then vouches for the user through the integration between the IDP and DigiExam, which lets the user log in.
Since there is no IDP discovery, a login button must be placed on the IDP side. Usually this button is placed in some kind of school portal or on the school intranet. The login button fetches user data, for example from a school database, and sends it to DigiExam's ACS URL (see URLs for more info). The user is then automatically logged in to DigiExam.
You can find DigiExam's SP metadata at https://app.digiexam.com/api/v1/saml/metadata.xml (please note that this is not our entity ID).
To perform a SAML setup you need the "Account manager" role on the organization's DigiExam page. This role can be granted by an existing account manager in your organization.
The following chart is an example of a school district with two schools that have integrated their G-suite organization to DigiExam:
|Attribute name||Urn Name||Required||Description||Example format|
|EmailAddress||urn:oid:0.9.2342.19200300.100.1.3||Yes||Email address of the user||firstname.lastname@example.org|
|FirstName||urn:oid:220.127.116.11||Yes||First name of the user||John|
|LastName||urn:oid:18.104.22.168||Yes||Last name of the user||Apple|
|OrganizationRoles*||urn:oid:22.214.171.124.4.1.59126.96.36.199.1||No||DigiExam roles the user should have access to, omit for students||teacher;admin;accountManager|
|eduPersonScopedAffiliation*||urn:oid:188.8.131.52.4.1.59184.108.40.206.9||No||Skolfederation roles for the user according to the Skolfederation standard||member@[domain].se;employee@[domain].se;staff@[domain].se|
DigiExam organizations that the user should have access to.
The unit code is configured on the organization in DigiExam and typically has the value of the unit code from Skolverket, but other values can be used freely.
*Note that only one of the OrganizationRoles or eduPersonScopedAffiliation attributes needs to be used. If no value is passed with the Login Response, the user is assumed to have student access.
**If no sisSchoolUnitCode is passed with the Login Response, the user is assumed to have access to all organizations in the school organizational hierarchy.
DigiExam roles the user should have access to, omit for students. Here are the combinations used for different roles granted in DigiExam.
To grant Student access: no role needs to be sent; student access is automatically added to all users
To grant Teacher access: teacher
To grant Admin access: admin
To grant Account Manager access: accountManager
To grant access for multiple roles, use a semicolon as the separator between roles. For example, to grant teacher and admin access for a user, send: teacher;admin
Skolfederation roles for the user according to the Skolfederation standard. Here are the combinations used for different roles granted in DigiExam.
To grant Student access: member@[domain].se;student@[domain].se
To grant Teacher access: member@[domain].se;employee@[domain].se;faculty@[domain].se
To grant Admin access: member@[domain].se;employee@[domain].se;staff@[domain].se
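The role and organization rules above can be checked on the IDP side before an attribute set is released. The following Python is an added example, not DigiExam code: it models only the rules stated on this page. The names preflight and split_values, the exact-match treatment of role values, and the requirement that affiliation scopes equal the school's own domain are assumptions.

```python
# Added example: pre-flight check of the attributes an IDP is about to release.
# It models the rules documented on this page; it is not DigiExam's code.
REQUIRED = ("EmailAddress", "FirstName", "LastName")
ROLE_TOKENS = {"teacher", "admin", "accountManager"}  # matched exactly (assumption)
AFFILIATIONS = {  # Skolfederation combinations listed on this page
    frozenset({"member", "student"}): "student",
    frozenset({"member", "employee", "faculty"}): "teacher",
    frozenset({"member", "employee", "staff"}): "admin",
}

def split_values(value):
    return [v.strip() for v in (value or "").split(";") if v.strip()]

def preflight(attrs, domain):
    """Return (roles, org_scope, findings) for one user's attribute set."""
    findings = [f"missing required attribute {n}" for n in REQUIRED if not attrs.get(n)]
    roles = {"student"}  # student access is added to every user
    tokens = split_values(attrs.get("OrganizationRoles"))
    scoped = split_values(attrs.get("eduPersonScopedAffiliation"))
    if tokens and scoped:
        findings.append("both role attributes sent; only one is needed")
    for t in tokens:
        if t in ROLE_TOKENS:
            roles.add(t)
        else:
            findings.append(f"unknown OrganizationRoles value {t!r}")
    if scoped:
        names = set()
        for s in scoped:
            name, _, scope = s.partition("@")
            if scope != domain:  # assumption: scope must be the school's own domain
                findings.append(f"affiliation {s!r} is outside {domain}")
            names.add(name)
        role = AFFILIATIONS.get(frozenset(names))
        if role:
            roles.add(role)
        else:
            findings.append(f"affiliation set {sorted(names)} maps to no documented role")
    unit = attrs.get("sisSchoolUnitCode")
    if not unit:  # documented default: access to the whole hierarchy
        findings.append("no sisSchoolUnitCode: user gets every organization in the hierarchy")
    if "accountManager" in roles:
        findings.append("accountManager is granted; confirm this is intended")
    return roles, unit or "ALL", findings

# Constructed sample: a teacher record with a mistyped role and no unit code.
SAMPLE = {"EmailAddress": "t@school.example", "FirstName": "John",
          "LastName": "Apple", "OrganizationRoles": "teacher;Admin"}
```

Running preflight(SAMPLE, "school.example") reports the mistyped role and the missing unit code, the two omissions that silently change what the user can reach.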
If a user has registered an account at DigiExam manually and then decides to perform a single sign-on using SAML 2.0, they will receive a login challenge that asks them to enter their password to allow the SSO (figure 1). If they are connected to an umbrella organization, they only need to sign on once; thereafter they get access to all underlying organizations.
The users only need to do this once, and it is in place to prevent unauthorized access to user accounts by malicious identity providers.