Table of contents
- How does Digiexam work with SAML?
- More information specific to Digiexam
- More about SAML in Digiexam
How does Digiexam work with SAML?
Digiexam acts as a SAML Service Provider (SP) and offers only the Single Sign-On (SSO) service derived from SAML2 int. It supports only unsolicited login attempts which means there is no Identity Provider (IDP) discovery.
IDP discovery is usually when a "Login with..." button is placed on the SP side (in this case Digiexam). When clicked, the user is sent to the IDP to log in with their credentials. The IDP then vouches for the user in the integration between the IDP and Digiexam who lets the user log in.
Since there is no IDP discovery, a login button must be placed on the IDP side. Usually, this button is placed in some kind of school portal or on the school intranet. The login button fetches user data from a school database for example and sends it to Digiexam ACS URL (see URL:s for more info). The user is then automatically logged in to Digiexam.
You can find Digiexam's SP metadata at https://app.digiexam.com/api/v1/saml/metadata.xml (please note that this is not our entity Id).
To perform a SAML setup you will need to have an "Account manager" role on the organization's Digiexam page, this can be given by an already existing account manager in your organization.
The following chart is an example of a school district with two schools that have integrated their G-suite organization into Digiexam:
|Attribute name||Urn Name||Required||Description||Example format|
|EmailAddress||urn:oid:0.9.2342.19200300.100.1.3||Yes||Email address of the email@example.com|
|FirstName||urn:oid:220.127.116.11||Yes||First name of the user||John|
|LastName||urn:oid:18.104.22.168||Yes||Last name of the user||Apple|
|urn:oid:22.214.171.124.4.1.59126.96.36.199.1||No||Digiexam roles the user should have access to, omit for students||teacher;admin;accountManager|
|eduPersonScopedAffiliation*||urn:oid:188.8.131.52.4.1.59184.108.40.206.9||No||Skolfederation roles for the user according to the Skolfederation standard||member@[domain].se;employee@[domain].se;staff@[domain].se|
Digiexam organizations that the user should have access to.
The unit code is configured on the organization in Digiexam and typically has the value of the unit code from Skolverket, but other values can be used freely.
* Note that only one of the OrganizationRoles or eduPersonScopedAffiliation attributes needs to be used. If no value is passed with the Login Response the user is assumed to have student access.
** If no sisSchoolUnitCode is passed with the Login Response the user is assumed to have access to all organizations in the school organizational hierarchy.
Digiexam roles the user should have access to, omit for students. Here are the combinations used for different roles granted in Digiexam. To grant access for:
- Student: no role is needed to be sent, student access is automatically added to all users
- Teacher: teacher
- Admin: admin
- Account Manager: accountManager
- Multiple roles, use semi-colon as a separator between roles, for example, to grant teacher and admin access for a user, send: teacher;admin
Skolfederation roles for the user according to the Skolfederation standard, here are the combinations used for different roles granted in Digiexam. To grant access for:
- Student: member@[domain].se;student@[domain].se
- Teacher: member@[domain].se;employee@[domain].se;faculty@[domain].se
- Admin: member@[domain].se;employee@[domain].se;staff@[domain].se
If a student with no unit code is sent in:
If the organization does not have a parent and does not have a unit code on it, a student is created in that organization
If the organization does not have a parent and has a unit code on it, a student is not created in that organization
If a student with a unit code is sent in:
If the organization does not have a parent and has a unit code on it that doesn’t match the student’s unit code, a student is not created in that organization
If the organization does not have a parent and does not have a unit code on it, a student is not created in that organization
If the organization does not have a parent and has a matching unit code on it, a student is created in that organization
- ACS Url:
- Entity ID:
If a user has registered an account at Digiexam manually and then decides to perform a single-sign-on using SAML 2.0, they will receive a login challenge that asks them to enter their password to allow the SSO (figure 1). If they are connected to an umbrella organization, they only need to sign on once, thereafter they get access to all underlying organizations.
The users only need to do this once and it is in place to prevent unauthorized access to user accounts by malicious identity providers.