Follow

SAML integration in Digiexam

Table of contents


How does Digiexam work with SAML?

Digiexam acts as a SAML Service Provider (SP) and offers only the Single Sign-On (SSO) service derived from SAML2 int. It supports only unsolicited login attempts which means there is no Identity Provider (IDP) discovery.
IDP discovery is usually when a "Login with..." button is placed on the SP side (in this case Digiexam). When clicked, the user is sent to the IDP to log in with their credentials. The IDP then vouches for the user in the integration between the IDP and Digiexam who lets the user log in.

Since there is no IDP discovery, a login button must be placed on the IDP side. Usually, this button is placed in some kind of school portal or on the school intranet. The login button fetches user data from a school database for example and sends it to Digiexam ACS URL (see URL:s for more info). The user is then automatically logged in to Digiexam.

You can find Digiexam's SP metadata at https://app.digiexam.com/api/v1/saml/metadata.xml (please note that this is not our entity Id).

To perform a SAML setup you will need to have an "Account manager" role on the organization's Digiexam page, this can be given by an already existing account manager in your organization. 

The following chart is an example of a school district with two schools that have integrated their G-suite organization into Digiexam:

 

scFtPZcBoDySkoANbRqbLiw.png
(Organization overview)


Attributes

The following user attributes are supported by Digiexam:

Attribute name Urn Name Required Description Example format
EmailAddress urn:oid:0.9.2342.19200300.100.1.3 Yes Email address of the user john.apple@school.edu
FirstName urn:oid:2.5.4.42 Yes First name of the user John
LastName urn:oid:2.5.4.4 Yes Last name of the user Apple

OrganizationRoles*

 urn:oid:1.3.6.1.4.1.5923.1.1.1.1 No Digiexam roles the user should have access to, omit for students teacher;admin;accountManager
eduPersonScopedAffiliation* urn:oid:1.3.6.1.4.1.5923.1.1.1.9 No Skolfederation roles for the user according to the Skolfederation standard member@[domain].se;employee@[domain].se;staff@[domain].se
sisSchoolUnitCode** urn:oid:1.2.752.194.10.2.4 No

Digiexam organizations that the user should have access to.

The unit code is configured on the organization in Digiexam and typically has the value of the unit code from Skolverket, but other values can be used freely.

 3283838;a290cb29

* Note that only one of the OrganizationRoles or eduPersonScopedAffiliation attributes needs to be used. If no value is passed with the Login Response the user is assumed to have student access.

** If no sisSchoolUnitCode is passed with the Login Response the user is assumed to have access to all organizations in the school organizational hierarchy.


OrganizationRoles

Digiexam roles the user should have access to, omit for students. Here are the combinations used for different roles granted in Digiexam. To grant access for:

  • Student: no role is needed to be sent, student access is automatically added to all users
  • Teacher: teacher
  • Admin: admin
  • Account Manager: accountManager
  • Multiple roles, use semi-colon as a separator between roles, for example, to grant teacher and admin access for a user, send: teacher;admin


eduPersonScopedAffiliation

Skolfederation roles for the user according to the Skolfederation standard, here are the combinations used for different roles granted in Digiexam. To grant access for:

sisSchoolUnitCode

If a student with no unit code is sent in:

  • If the organization does not have a parent and does not have a unit code on it, a student is created in that organization

  • If the organization does not have a parent and has a unit code on it, a student is not created in that organization

If a student with a unit code is sent in:

  • If the organization does not have a parent and has a unit code on it that doesn’t match the student’s unit code, a student is not created in that organization

  • If the organization does not have a parent and does not have a unit code on it, a student is not created in that organization

  • If the organization does not have a parent and has a matching unit code on it, a student is created in that organization


URL:s


Login challenge

If a user has registered an account at Digiexam manually and then decides to perform a single-sign-on using SAML 2.0, they will receive a login challenge that asks them to enter their password to allow the SSO (figure 1). If they are connected to an umbrella organization, they only need to sign on once, thereafter they get access to all underlying organizations.

The users only need to do this once and it is in place to prevent unauthorized access to user accounts by malicious identity providers.

 

DigiExam_Web_SAML_4.png
Figure1




More information specific to Digiexam

Organizations

Any school or company that uses Digiexam has its own organization. Organizations in Digiexam are used to connect the user to a school or company. You are never restricted to one organization, a university can have several organizations for different subjects. 

OrganizationRoles can be replaced with eduPersonScopedAffiliation.

Roles used in Digiexam

In Digiexam, we define attributes by roles.

  • Student: Every user automatically gets this role. You don't have to specify anything to assign this role to the user. It is used to view grades online and to take exams.

  • Teacher: Can create, grade and start exams, they can also create classes and courses. They will only see their own exams or content that has been shared with them.

  • Admin: Have the same attributes as teachers but can see and handle all the exams in the organization, they can also remove anonymization.

  • Account Manager: Does NOT have access to classes or exams, they handle the roles in the organization and have access to the integration tab where you can handle LTI or SAML integrations.


More about SAML in Digiexam: Google Workspace setup (formerly G Suite)

 

Was this article helpful?
0 out of 0 found this helpful

Comments