Students and Staff/Faculty can use their already existing school credentials to authenticate their account and sign into ConexED without having two different usernames/passwords.
The ConexED Admin settings includes a self-service SAML2 SSO setup page that your IT Identity and Access Management System specialist can use to integrate with ConexED. Your school’s IT team will need to register for ConexED and be promoted to ConexED admin. Once upgraded, log out and then follow the instructions below.
- Go to the Admin panel. This page can be found on our testing environment under https://admin.test.craniumcafe.com/settings and on our production environment under https://admin.craniumcafe.com/settings.
- Log into your school’s ConexED Admin account https://admin.craniumcafe.com/settings
- Click on the “Edit SAML2 Settings” button (Figure 2).
- On the SAML2 Settings Form (Figure 3), fill in your school’s IdP Metadata URI, and click “Load.” This will fill in the IdP Entity ID, Log On URL, and Certificate Fingerprint.
- Select the Identity Format that your Identity Provider prefers and click “Save” before going to https://[your subdomain].craniumcafe.com/saml2 and pulling ConexED’s metadata.
- Pull ConexED’s metadata and enter it into your Identity Provider system. NOTE: ADFS prefers urn:oasiss:names:tc:SAML:1.1:nameid-format.unspecified
- Before clicking the “Test Login” button, click “Save.” (If you are unsure if this will break your current SAML2 integration, close this settings modal dialog and uncheck SAML2/Shibboleth option and save the integration settings.)
- Fill in the attribute names that you will be passing over. If you don’t know the exact names, “Test Login” will pop-up a modal dialog that will show the attributes that are passed over.
Edit SAML2 Settings Button
SSO Settings Checklist:
ConexED requires the following SAML2 attributes supported by the InCommon Federation. You will need the following:
- your school’s IdP Metadata URL
- eduPersonPrincipalName (as a unique identifier that will never be reassigned to another user)
- eduPersonScopedAffiliation (for determining role level)
- displayName (for UI/display purposes)
- mail (email address for sending meeting reminders)
- sisId (the student or employee ID number used in the school’s Student Information System.
The sisId will be used as a unique identifier for each user in ConexED, and the sisId is used as a reference key for exporting data back into the institution’s SIS.
The ConexED SAML entityID is https://[your subdomain].craniumcafe.com/saml2. This link will redirect to idp.testshib.org until we receive your school’s metadata URL.
The [subdomain] will be provided to you by your ConexED implementation or integration staff. If you already have a ConexED instance setup, the [subdomain] is the name of your instance’s domain. For example, where UC Berkeley’s instance’s domain is “berkeley.craniumcafe.com”, “berkeley” will be this instance’s [subdomain].
The ConexED SAML2 metadata URL is https://my.craniumcafe.com/login/saml2_metadata
Integrating CAS with ConexED is not recommended. Please consult with your ConexED integration or implementation staff.
Other Sign-In Options
The ConexED username/password is available as an option to allow users to register as a guest. ConexED also offers OAuth 2.0 options for institutions to allow their students to authenticate with popular OAuth 2.0 providers. This allows for a one-click seamless authentication and requires no setup work by the institution’s IT staff. The only caveat of using OAuth 2.0 is that a limited set of data about the student is sent to ConexED (email, first and last name, bio, and profile picture).
OAuth 2.0 providers can be enabled/disabled at the group and/or institution level. OAuth 2.0 logins are launched via HTML buttons on the ConexED login page ([instance sub-domain].craniumcafe.com/login). The OAuth 2.0 logins are identified with the following logos.