Table of contents

• How does DigiExam work with SAML?
• Attributes
  
  • OrganizationRoles
  • eduPersonScopedAffiliation
  • Login challenge
  • URL:s
• More information specific to DigiExam
  
  • Organizations
  • Roles used in DigiExam
• More about SAML in DigiExam

How does DigiExam work with SAML?

DigiExam acts as a SAML Service Provider (SP) and offers only the Single Sign-On (SSO) service derived from SAML2 int. It supports only unsolicited login attempts which means there is no Identity Provider (IDP) discovery.
IDP discovery is usually when a "Login with..." button is placed on the SP side (in this case DigiExam). When clicked, the user is sent to the IDP to login with their credentials. The IDP then vouches for the user in the integration between the IDP and DigiExam who let's the user login.

Since there is no IDP discovery, a login button must be placed on the IDP side. Usually this button is placed in some kind of school portal or on the school intranet. The login button fetches user data from a school data base for example and sends it to DigiExam's ACS URL (see URL:s for more info). The user is then automatically logged in to DigiExam.

You can find DigiExam's SP metadata at https://app.digiexam.com/api/v1/saml/metadata.xml (please note that this is not our entity Id).

To perform a SAML setup you will need to have an "Account manager" role on the organizations DigiExam page, this can be given by an already existing account manager in your organization. 

The following chart is an example of a school district with two schools that have integrated their G-suite organization to DigiExam:

 

(Organization overview)

Attributes

The following user attributes are supported by DigiExam:

Attribute name	Urn Name	Required	Description	Example format
EmailAddress	urn:oid:0.9.2342.19200300.100.1.3	Yes	Email address of the user	john.apple@school.edu
FirstName	urn:oid:2.5.4.42	Yes	First name of the user	John
LastName	urn:oid:2.5.4.4	Yes	Last name of the user	Apple
OrganizationRoles*	urn:oid:1.3.6.1.4.1.5923.1.1.1.1	No	DigiExam roles the user should have access to, omit for students	teacher;admin;accountManager
eduPersonScopedAffiliation*	urn:oid:1.3.6.1.4.1.5923.1.1.1.9	No	Skolfederation roles for the user according to the Skolfederation standard	member@[domain].se;employee@[domain].se;staff@[domain].se
sisSchoolUnitCode**	urn:oid:1.2.752.194.10.2.4	No	DigiExam organizations that the user should have access to. The unit code is configured on the organization in DigiExam and typically has the value of the unit code from Skolverket, but other values can be used freely.	3283838;a290cb29

*Note that only one of the OrganizationRoles or eduPersonScopedAffiliation attributes needs to be used. If no value is passed with the Login Response the user is assumed to have student access.

**If no sisSchoolUnitCode is passed with the Login Response the user is assumed to have access to all organizations in the school organizational hierarchy

OrganizationRoles

DigiExam roles the user should have access to, omit for students. Here are the combinations used for different roles granted in DigiExam.

To grant Student access: no role is needed to be sent, student access is automatically added to all users

To grant Teacher access: teacher

To grant Admin access: admin

To grant Account Manager access: accountManager

To grant access for multiple roles, use semi colon as separator between roles, for example, to grant teacher and admin access for a user, send: teacher;admin

eduPersonScopedAffiliation

Skolfederation roles for the user according to the Skolfederation standard, here are the combinations used for different roles granted in DigiExam.

To grant Student access: member@[domain].se;student@[domain].se

To grant Teacher access: member@[domain].se;employee@[domain].se;faculty@[domain].se

To grant Admin access: member@[domain].se;employee@[domain].se;staff@[domain].se

Login challenge

If a user has registered an account at DigiExam manually and then decides to perform a single-sign-on using SAML 2.0, they will receive a login challenge that asks them to enter their password to allow the SSO (figure 1). If they are connected to an umbrella organization, they only need to sign on once, thereafter they get access to all underlying organizations.

The users only need to do this once and it is in place to prevent unauthorized access to user accounts by malicious identity providers.

 

Figure1

URL:s

ACS Url:
EU: https://app.digiexam.com/api/v1/saml/login
US: https://app-us.digiexam.com/api/v1/saml/login

Entity ID:
EU: https://app.digiexam.com/api/v1/saml/metadata
US: https://app-us.digiexam.com/api/v1/saml/metadata

Start URL:
EU: https://app.digiexam.com/app#/
US: https://app-us.digiexam.com/app#/

More information specific to DigiExam

Organizations

Any school or company that use DigiExam has its own organization. Organizations in DigiExam are used to connect the user to a school or company. You are never restricted to one organization, a university can have several organizations for different subjects. 

OrganizationRoles can be replaced with eduPersonScopedAffiliation.

Roles used in DigiExam

In DigiExam, we define attributes by roles.

Student: Every user automatically gets this role. You don't have to specify anything to assign this role to the user. It is used to view grades online and to take exams.

Teacher: Can create, grade and start exams, they can also create classes and courses. They will only see their own exams or content that has been shared with them.

Admin: Have the same attributes as teachers but can see and handle all the exams in the organization, they can also remove anonymization.

Account Manager: Does NOT have access to classes or exams, they handle the roles in the organization and have access to the integration tab where you can handle LTI or SAML integrations.

More about SAML in DigiExam

SAML G Suite setup