SMS 2.0 SSO / LDAP Launch Kit

Table of Contents

What options are available in SMS 2.0 for Single Sign On? (p. 3)
    LDAP (Lightweight Directory Access Protocol) (p. 3)
    Single Sign On using SkySTS (Skyward Secure Token Service) (p. 3)

Frequently Asked Questions (p. 4)
    How do I know if I already use LDAP? (p. 4)
    What Features does LDAP Support? (p. 4)
    Can Cloud Hosted (ISCorp) Customers use Single Sign On? (p. 4)
    Does LDAP support automatic sign-on? (p. 4)
    What tools are available for managing existing users in Skyward? (p. 5)
    What tools are available for importing users in Skyward? (p. 5)
    Does SMS 2.0 work with 3rd party Account Automation / Identity Management products? (p. 6)
    What are the PaC Client requirements? (p. 6)
    How does LDAP work in the SMS 2.0 Web Applications? (p. 6)

Implementing Single Sign On using SkySTS (p. 7)

Configuring LDAP (p. 8)
    Step 1: Configure LDAP Global Options (p. 8)
    Step 2: Configure LDAP: Server(s) (p. 10)
    Step 3: Adding self-signed certificates to the SMS 2.0 Web Server(s) (p. 15)
    Step 4: Test LDAP Settings (p. 16)
    Step 5: Finalize the Single Sign On Configuration (p. 17)

Configure the LDAP Group Membership Integration (p. 18)
    Step 1: LDAP Group Maintenance: Link Security Groups to LDAP Groups (p. 18)
    Step 2: LDAP Group Maintenance: Security Group Membership (p. 20)
    Step 3: LDAP Group Maintenance: Groups assigned to Users (p. 21)
    Step 4: LDAP Group Maintenance: Mass Remove Users from Groups (optional) (p. 22)

LDAP Server Configuration Examples (p. 26)
    Configure LDAP: Windows Active Directory LDAP Kerberos Example (p. 26)
    Configure LDAP: Windows Active Directory LDAP Kerberos Group Example (p. 35)
    Configure LDAP: Active Directory Global Catalog LDAP SSL/TLS Example (p. 36)
    Configure LDAP: Secure LDAP SSL/TLS Example (Novell eDirectory) (p. 37)
    Configure LDAP: Secure LDAPS Group Example (Novell eDirectory) (p. 38)

What options are available in SMS 2.0 for Single Sign On?

LDAP (Lightweight Directory Access Protocol)

LDAP is an industry standard protocol that allows an application like Skyward to authenticate to a 3rd party LDAP directory like Microsoft's Active Directory or Novell's eDirectory.

In general terms you can think of an LDAP server as a phone book that has the usernames and passwords for the district users. Skyward can take advantage of this "phone book" by allowing it to be used to log into Skyward. The advantage is end users have one less password to remember.

In more technical terms the LDAP implementation allows users to use network credentials to log into SMS 2.0, including the web-based products like EA+ and Employee Access. User accounts can be in Windows Active Directory, Novell eDirectory, or any other third-party LDAP compliant directory. The LDAP Group Integration feature allows SMS 2.0 to read group memberships from your Network directory and then add them to linked Security Groups.

Single Sign On using SkySTS (Skyward Secure Token Service)

SkySTS allows SMS 2.0 users to authenticate to a 3rd party Identity Provider (IdP), and it allows SMS 2.0 itself to act as an Identity Provider (IdP) for 3rd party systems.

SMS 2.0 to a remote IdP: This means the SMS 2.0 users can log in using credentials from a 3rd party IdP, such as Office 365 (Azure) or ClassLink, using SAML 2. For an overview video of the Single Sign-On process for your Skyward end-users and other recommended Skyward Security Best Practices, please visit our link to the Skyward Security Best Practices Blog.

SMS 2.0 as an IdP: This means that users of the 3rd party system can log into that system using their SMS 2.0 username and password via SAML 1, SAML 2, or wsFed (WS-Federation). This has been popular for customers authenticating guardians (parents): SMS 2.0 is one of the few systems that holds usernames and passwords for parents, so when a school is looking to roll out a new 3rd party product to parents, it can set that product up to authenticate to SMS 2.0 using SkySTS. SMS 2.0 becomes the IdP, which means it provides the authentication for the 3rd party product. If LDAP is configured inside of SMS 2.0 for the user type, then the user would use the LDAP username and password.

Note: SkySTS is not compatible with the Business PaC Client (Point and Click) or Mobile App (Available in the iOS and Android app stores).

________________________________________________________________________

04.29.2021



Page 3 of 38

Frequently Asked Questions

How do I know if I already use LDAP?

Review the LDAP Document: Tutorials/FQ/PS_CA_SE_PS_CF_LC_483059_100_T.pdf (Support Center Login required)

What Features does LDAP Support?

- Supports encryption using LDAP w/TLS, LDAPS, or Kerberos
- Allows you to define up to three LDAP Servers for redundancy
- Allows you to specify the user types that will authenticate to each LDAP Server
- Optional LDAP Group Membership Integration reads group memberships from your LDAP directory and manages Security Group memberships in Skyward

Can Cloud Hosted (ISCorp) Customers use Single Sign On?

Yes, Cloud Hosted Customers can implement LDAP or SkySTS. When implementing these features across the internet, a secure protocol is used to encrypt the network traffic. To further secure access to your LDAP servers, allow LDAP traffic only from the following ISCorp source IP addresses.

- ISCorp LDAP source address - Mequon, WI - 66.195.143.42 (Note: IP address 66.195.143.42 is to be deprecated starting 8-16-2020.)
- New ISCorp LDAP source address - Mequon, WI - 192.222.0.56
- ISCorp LDAP source address - Dallas, TX - 8.12.72.20

Note: Adding all ISCorp LDAP source addresses is recommended; after 8-16-2020, please remove the deprecated IP address.

Does LDAP support automatic sign-on?

The SMS 2.0 PaC client has the optional ability to automatically log on as the user currently logged on to the Windows workstation. This can be a security risk, however, since anyone could sit down at a logged-on user's workstation and gain access to the PaC software as that user. Because of this, we recommend districts take this risk into consideration before turning on that option.

The SMS 2.0 Web Applications do not support an automatic sign-on. To log into the Web Application the end user always enters their network username and password.

What tools are available for managing existing users in Skyward?

An important requirement of LDAP is that the Skyward usernames match the LDAP usernames. Example: if the user's network login name is "jdoe", then the Skyward login name must also be "jdoe".

Skyward has several tools that assist you with mass changing or importing the Skyward logins to match the Active Directory or eDirectory login names. It is strongly recommended that you test your LDAP setup using a training database prior to running the utility (or utilities) on your live database.

Auto Generating or Mass Changing Login Names, Email Addresses and Passwords

Student Login names: Tutorials/FQ/PS_CA_SE_PS_CF_1062348_100_T.pdf (Support Center Login required)

Employee/Secured User Login names: Tutorials/FQ/PS_CA_SE_PS_CF_AU_ES_1112165_100_T.pdf (Support Center Login required)
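As an added example (not part of the launch kit), the following Python script performs the pre-flight check this username-matching requirement implies before LDAP is turned on: it reads a Skyward user export and an LDIF dump of the directory, both constructed here, and lists the logins that have no directory account or that differ from the directory only in case, limited to the user types that will authenticate via LDAP. The export column names and the use of sAMAccountName as the directory login attribute are assumptions.

```python
# Added example (not Skyward code). All sample data below is constructed.
import base64
import csv
import io

# Constructed Skyward user export; the column names are an assumption.
SKYWARD_EXPORT = """login,user_type
jdoe,Employee
MSMITH,Employee
abrown,Student
tlee,Guardian
"""

# Constructed LDIF dump of directory user objects (Active Directory attribute).
DIRECTORY_LDIF = """dn: CN=John Doe,OU=Staff,DC=district,DC=local
sAMAccountName: jdoe

dn: CN=Mary Smith,OU=Staff,DC=district,DC=local
sAMAccountName:: bXNtaXRo
"""


def ldif_usernames(ldif_text, attr="sAMAccountName"):
    """Collect the login attribute from every LDIF entry (eDirectory: 'cn' or 'uid')."""
    names = set()
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == attr.lower():
            if value.startswith(":"):  # LDIF 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            names.add(value.strip())
    return names


def reconcile(skyward_csv, ldif_text, ldap_user_types=("Employee", "Student")):
    """Return (missing, case_mismatch) for the user types that will use LDAP."""
    directory = ldif_usernames(ldif_text)
    folded = {name.lower(): name for name in directory}
    missing, case_mismatch = [], []
    for row in csv.DictReader(io.StringIO(skyward_csv)):
        login = row["login"].strip()
        if row["user_type"] not in ldap_user_types or login in directory:
            continue  # non-LDAP user type (e.g. guardians) or exact match
        match = folded.get(login.lower())
        if match:  # exists in the directory but only case-insensitively
            case_mismatch.append((login, match))
        else:  # no directory account: LDAP login would fail for this user
            missing.append(login)
    return missing, case_mismatch
```

Run it against a training database export first, as the text recommends, and fix every reported login with the mass-change utilities before enabling LDAP for that user type.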

What tools are available for importing users in Skyward?

Import tools can be used to create or modify existing users and can be automated.

Student Import Tool (Student Suite) - automates the import of student users and passwords from a csv file. The Student import tool is found at the menu path of Web Student \ Students \ Student Access \ Setup \ Utilities \ Mass Generate Student Permissions and Passwords. The file format of the csv file can be viewed by clicking the "Preview Import File Format" hyperlink.

Staff Import Tool (Student Suite) - automates the import of staff users and passwords from a csv file. The Staff import tool is found at the menu path of Web Student \ Administration \ Skybuild \ Import \ Staff Import Utility. The file format of the csv file can be viewed by clicking the "Format" button.

Employee Import Tool (Business Suite) - automates the import of employee users. This Employee Import tool is known as the Applicant Import Utility and imports employees into an SMS 2.0 business database from an import file. The Applicant Import Utility is a licensed feature that was available starting in the June 2016 release. If you are interested, please contact your Account Representative.

Does SMS 2.0 work with 3rd party Account Automation / Identity Management products?

If your district wishes to do Identity Management beyond the capabilities of the user utilities provided by Skyward, there are several ways to automate the creation of accounts; below are some examples.

3rd Party solutions

Skyward has partnered with the Tools4ever UMRA solution to provide an Identity Management solution that provisions user accounts from Skyward Student or Business Suites to a variety of systems, including Active Directory. UMRA is our preferred IDM partner, but Skyward can be used with any 3rd party IDM solution.

With the Skyward SIF agent and 3rd party ZIS and Active Directory agents, Active Directory accounts can be automatically provisioned when users are added to Skyward Student or Business Suites...

What are the PaC Client requirements?

There are no special requirements to use LDAP with the full PaC client. In Active Directory environments, users can be logged into the PaC client automatically when single sign-on is enabled; when single sign-on is disabled, users can be required to enter a network username and password. In Novell eDirectory environments the user will need to enter the network username and password to log into the full PaC Client.

When PaC is running in a Terminal Server environment and the automatic logon option is enabled, the network credentials used to log on to PaC will be the ones used to log onto the terminal server, not the ones used to log onto the local client workstation.

PaC does not support SkySTS.

How does LDAP work in the SMS 2.0 Web Applications?

The actual authentication happens on the SMS 2.0 Web server in a WebSpeed environment. The web server(s) must be able to communicate with the LDAP server, so LDAP traffic must be allowed on the firewall, most notably when the web server is in a DMZ or outside the firewall (Cloud Hosted). If the LDAP requests are made across a public network, you must use Kerberos, SSL/TLS, or LDAPS to encrypt the usernames and passwords.
