When you choose SAML as your SSO protocol type, you must take some additional steps and provide additional information, unique to the SAML protocol, to complete your integration.
General
User types
By default, any user who signs up in a portal through a SAML SSO integration is automatically provisioned a learner user account, meaning that they are treated as a learner within the portal and have the same user experience as any other learner.
You can configure your SAML SSO integration to provision educator accounts through the use of role mappings.
Role mapping
As part of your SAML SSO integration, you can configure role mappings which translate roles provided by your SAML identity provider into educator roles within your portal.
This means if your SAML identity provider tells Riipen that a user belongs to "Role A", you can configure your integration to map Role A to any educator role within your portal. If this mapping exists when one of your users signs up, they will be provisioned an educator account with the correctly mapped role.
Roles are detected from your identity provider's SAML payload via the attributes "eduPersonPrimaryAffiliation" or "eduPersonAffiliation".
If eduPersonPrimaryAffiliation is provided then that value will be used to look for a role mapping to match it. If eduPersonPrimaryAffiliation is not provided, any value provided in eduPersonAffiliation will be used to look for a role mapping to match it.
Since eduPersonAffiliation can have multiple values, only the first role mapping detected will actually be used. This means that if "Role A", "Role B", and "Role C" are all provided in eduPersonAffiliation in that specific order, and role mappings exist for "Role B" and "Role C", only the "Role B" role mapping will be used.
Note that there are no learner roles in a portal so there is no way to map an identity provider's custom learner roles into anything within your portal. Role mapping only exists for educators.
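The lookup order described above, sketched in Python as an added example (this is not Riipen's code). It assumes the assertion's signature has already been validated, that attributes are identified by their Name or FriendlyName, and, reading the text literally, that eduPersonAffiliation is ignored whenever eduPersonPrimaryAffiliation is present; the educator role names and the sample payload are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PRIMARY = "eduPersonPrimaryAffiliation"
AFFILIATION = "eduPersonAffiliation"

def attribute_values(assertion_xml, name):
    """Return the non-empty values of one SAML attribute, in payload order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        # Assumption: the attribute is identified by Name or FriendlyName.
        if name in (attr.get("Name"), attr.get("FriendlyName")):
            values += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return [v for v in values if v]

def resolve_educator_role(assertion_xml, role_mappings):
    """Return the mapped educator role, or None (default learner account)."""
    primary = attribute_values(assertion_xml, PRIMARY)
    if primary:
        # Primary affiliation provided: only that value is looked up.
        return role_mappings.get(primary[0])
    for value in attribute_values(assertion_xml, AFFILIATION):
        if value in role_mappings:
            return role_mappings[value]  # first match in payload order wins
    return None

def build_assertion(primary=None, affiliations=()):
    """Build a constructed, unsigned AttributeStatement for the demo."""
    def attr(name, vals):
        body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        return f'<saml:Attribute Name="{name}">{body}</saml:Attribute>'
    parts = attr(AFFILIATION, affiliations) if affiliations else ""
    if primary:
        parts += attr(PRIMARY, [primary])
    return (f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">'
            f"{parts}</saml:AttributeStatement>")

# Hypothetical mappings; the educator role names are made up.
MAPPINGS = {"Role B": "Instructor", "Role C": "Administrator"}

if __name__ == "__main__":
    doc = build_assertion(affiliations=["Role A", "Role B", "Role C"])
    print(resolve_educator_role(doc, MAPPINGS))
```

A result of None corresponds to the default case in which the user is provisioned a learner account.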
How to
Configure your identity provider
You will need to add Riipen as a trusted service provider for your identity provider system. In order to do so you will need to download Riipen's SAML metadata which is available here:
https://{subdomain}.riipen.com/auth/saml/metadata
You will need to replace "subdomain" with your portal's specific subdomain.
Once downloaded you will need to upload this file into your identity provider as needed.
Configure SAML SSO for your portal
To configure your SAML SSO integration in your portal:
Click "Settings" below the "Portal" group in the main navigation.
Click on the "SSO" tab below the "Advanced" group of the available settings.
Select "SAML" from the "Type" input.
Fill in the remaining fields as needed (see below for details).
Click "Submit" to save.
Field | Description |
Service URL | The URL to your SSO service which Riipen should redirect users to. This may look something like: https://samltest.id/idp/profile/SAML2/Redirect/SSO |
Certificate | The certificate used to sign requests to your SSO service. This will look like a long string of characters several lines long. You do not need to provide this if you provide a certificate fingerprint. |
Certificate Fingerprint | The fingerprint of your certificate. This will look like a long string of characters usually only one line long. You do not need to provide this if you provide a certificate. |
Create a role mapping
To create a SAML SSO role mapping:
Click "Settings" below the "Portal" group in the main navigation.
Click on the "SSO" tab below the "Advanced" group of the available settings.
In the "Educator role mappings" section, fill in the fields as needed.
Click "Submit" to save.
Update a role mapping
To update a SAML SSO role mapping:
Click "Settings" below the "Portal" group in the main navigation.
Click on the "SSO" tab below the "Advanced" group of the available settings.
In the "Educator role mappings" section, edit the existing role mapping.
Click "Submit" to save.
Note that updating an existing role mapping will not change the roles of any existing educators in the portal.
Delete a role mapping
To delete a SAML SSO role mapping:
Click "Settings" below the "Portal" group in the main navigation.
Click on the "SSO" tab below the "Advanced" group of the available settings.
In the "Educator role mappings" section, delete the existing role mapping.
Click "Submit" to save.
Note that deleting an existing role mapping will not change or delete the roles of any existing educators in the portal.