Single Sign-On and Authentication
GG4L School Passport can behave as an IdP for your Application. The main scenarios are:
- Publishing <Login with XYZ> button on the login screen of your Application:
In this case, users will initiate SSO by clicking the button on the login screen of your Application and GG4L will federate authentication independent of the authentication provider that customer is using (including Active Directory, AD FS, G Suite, LMS or SIS systems etc). - SSO from School Passport / LMS / SIS etc into your Application:
In this case, users will initiate SSO from outside of your Application and GG4L will perform SSO based on the technology that you selected.
The supported SSO mechanisms are:
OAuth-based SSO
It is based on the OAuth 2.0 API and is similar to industry-standard implementations from other companies.
Reach out to connectors@gg4l.com and request a test account for implementing OAuth-based SSO. You will be provided with user’s credentials (username and password) and API credentials (Base URL, Client ID and Secret Key).
- SSO can be initiated by the following URL (use your Client ID and URL of your Application – as redirect_uri):
https://sso.gg4l.com/oauth/auth?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}
- In response to the initial HTTP GET request, you will receive “code” to “redirect_uri” – according to Authorization request
- This “code” can be used for obtaining OAuth token (server-to-server API call), according to Access token request:
https://sso.gg4l.com/oauth/token?grant_type=authorization_code&code={code}
- Finally, you can read basic profile of a user as described here.
We suggest to use email addresses for identifying users (SIS IDs and GUIDs are available as well).
SAML-based SSO
The supported version is SAML 2.0. Both IdP- and SP-initiated workflows are available.
SAML metadata can be downloaded by the following link:
https://sso.gg4l.com/saml/metadata
Reach out to connectors@gg4l.com and provide the following information for SAML:
- File or URL of SP metadata
- Confirm SSO initiation type (IdP- or SP-initiated)
- Confirm the desired NameID format
- Provide enumeration of additional SAML attributes for assertion
- Create a test account in your Application and provide its details
Once the email is sent, GG4L Team will set up integration and get back to you with confirmation.
LTI-based SSO
SSO works based on the LTI v1.0 basic-lti-launch-request.
GG4L will send the following sample parameters (plus any additional that are required by your Application):
lti_version: LTI-1p0 lti_message_type: basic-lti-launch-request user_id=ZYX oauth_consumer_key=XYZ oauth_signature_method=HMAC-SHA1 oauth_timestamp=1244834250 oauth_nonce=1244834250435893000 oauth_version=1.0 oauth_signature=Xddn2A%2BjzwjgBIVYkvigaKxCdcc%3D oauth_callback=about:blank
Reach out to connectors@gg4l.com and provide the following information for LTI:
- Application URL (URL on your end for receiving LTI messages)
- OAuth credentials (Client ID and Secret Key that will be used for signing messages)
- The details of a test account (including all attributes that need to be included)
Once the email is sent, GG4L Team will set up integration and get back to you with confirmation.
Password Vault SSO
Use this SSO mechanism only if none of the standards-based SSO technologies listed above are supported by your Application. This SSO mechanism is most primitive and less secure. It is based on the password injection / HTTP form submission and requires sending user’s password via HTTPS.
In order to set it up, reach out to connectors@gg4l.com and provide the following information:
- Login page of your Application
- Username and Password of a test account
- Any additional information which is needed for logging in to your Application.
GG4L Team will develop SSO Connector and will get back to you with confirmation.