Administrators can integrate their institution's Azure Active Directory as an SSO system to log users into Panorama using the SAML 2.0 protocol. Once configured properly, users should be able to perform an SP-initiated login on Panorama.
Adding Panorama to Azure Active Directory as an Enterprise Application
The first step is to add Panorama to Azure Active Directory as an Enterprise Application.
- Log in to your Azure Active Directory admin account.
- From the left-side menu, click on Azure Active Directory and then select Enterprise applications.
- Click on New application.
- Choose Non-gallery application, then type in the desired name for Panorama.
Panorama will now show up on the list of Enterprise Applications within Azure.
Integrating Azure Active Directory Into Panorama
The next step is integrating Azure Active Directory into Panorama.
- First, assign at least one test user to the Panorama application within Azure. This can be done by clicking on Users and groups under Manage. Only users assigned here will be used to test the login later.
- Under Manage, click Single sign-on, and choose SAML as the integration option.
- From the current page, click on the Pencil icon to edit Basic SAML Configuration based on your zone. Important: If you have a custom Panorama Platform URL, please enter that instead of the zone URL.
Identifier (Entity ID):
- US Zone: https://panorama.yuja.com
- Canadian Zone: https://panorama-cz.yuja.com
- European Zone: https://panorama-ez.yuja.com
- Australian Zone: https://panorama-az.yuja.com
- Custom URL: https://YOUR_CUSTOM_PANORAMA_URL
  Example: https://hudsonu.panorama.yuja.com
Reply URL (Assertion Consumer Service URL):
- US Zone: https://panorama.yuja.com/api/sso/samlReceiveResponse
- Canadian Zone: https://panorama-cz.yuja.com/api/sso/samlReceiveResponse
- European Zone: https://panorama-ez.yuja.com/api/sso/samlReceiveResponse
- Australian Zone: https://panorama-az.yuja.com/api/sso/samlReceiveResponse
- Custom URL: https://YOUR_CUSTOM_PANORAMA_URL/api/sso/samlReceiveResponse
  Example: https://hudsonu.panorama.yuja.com/api/sso/samlReceiveResponse
- After saving the configuration above, scroll down, copy the information listed below and keep it in a separate file.
- Login URL
- Thumbprint
- Next, log in to the Panorama Platform.
- Click on Configuration, and then select Integrations.
- From the Select Integration drop-down menu, select SSO-SAML.
- You will need to fill out the information for each of the panels for the integration—General SSO Details, User Provisioning, Role Mapping, and Cross Integration with LTI 1.3. Follow the table below to fill out the information.
General SSO Details
- SSO URL (required): the Login URL copied from Azure in step 4.
- Name ID Format (required): urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- ADFS Signing Certificate Fingerprint (required): the Thumbprint copied from Azure in step 4. Despite the field label, this is the SHA-1 thumbprint of the certificate Azure uses to sign SAML responses for this application; Panorama uses it to decide which certificate it trusts, so it must be updated whenever the signing certificate is rotated or replaced in Azure, or logins will fail.
User Provisioning
Each field in this panel is the Name of the SAML attribute (claim) that carries the value. The names are also listed in the IdP metadata .XML file from Azure, in the section that lists the available claims; enter the value of the "Name" key for the appropriate claim.
- Given Name Attribute (required): the attribute in the SAML response that carries the user's given name (first name).
  The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Family Name Attribute (required): the attribute in the SAML response that carries the user's family name (last name, surname).
  The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Email Attribute (required): the attribute in the SAML response that carries the user's email address.
  The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Role Attribute (required): the attribute in the SAML response that carries the user's role.
  The value should be: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Role Mapping
- Admin Mapping (required): a comma-separated list of values. If the value received in the Role Attribute matches any of them, the user is provisioned as an IT Manager. Keep this list to the specific value(s) that should grant administrative access.
  Example: IT Manager
- Instructor Mapping (required): a comma-separated list of values. If the value received in the Role Attribute matches any of them, the user is provisioned as an instructor.
  Example: Instructor, Teacher, TA
Cross Integration with LTI 1.3
- SSO Linkage Attribute (optional): a unique attribute that links the SSO identity with the LMS identity, so the same person is recognized as a single user whether they log in through SSO or through the LMS. Enter the name of the linkage attribute provided by your SSO.
- LTI 1.3 Linkage Custom Field (optional): the custom field used to configure the LTI launch that carries the same linking value. Enter the name of that custom field.
Once you have filled in all required settings, click Save Changes to complete the integration. Note: You can test the integration by selecting Launch SSO Login Page and signing in as the test user you assigned to the application in Azure.
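The following is an added example and is not YuJa's or Microsoft's code. It shows what the settings from the two procedures above mean on the receiving side: a minimal SAML Response consumer that pins the Reply URL, Entity ID, Name ID format and signing-certificate thumbprint from the configuration, then reads the four claims and applies the Role Mapping lists. The response, certificate bytes and user (jdoe@hudsonu.example) are constructed for this example. A real response is XML-signed and the service provider must verify that signature before trusting any field; that step is not shown here.

```python
# Added example (not YuJa's or Microsoft's code): consume a SAML Response using
# the Panorama settings described above. The response, certificate and user are
# constructed for this example. Signature verification is NOT shown.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# From the page: US zone Entity ID / Reply URL, Name ID format and claim URIs.
SP_ENTITY_ID = "https://panorama.yuja.com"
ACS_URL = "https://panorama.yuja.com/api/sso/samlReceiveResponse"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GIVEN_NAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
FAMILY_NAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Role Mapping panel values, exactly as they would be typed into Panorama.
ADMIN_MAPPING = "IT Manager"
INSTRUCTOR_MAPPING = "Instructor, Teacher, TA"

# Constructed stand-in for the DER bytes of Azure's SAML signing certificate.
FAKE_CERT_DER = b"constructed-signing-certificate-bytes-for-this-example"
# Stands in for the Thumbprint copied in step 4: Azure shows the SHA-1 of the DER.
CONFIGURED_FINGERPRINT = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()

# Constructed response (no Signature value; only the embedded certificate matters here).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">jdoe@hudsonu.example</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GIVEN_NAME_ATTR}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{FAMILY_NAME_ATTR}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{EMAIL_ATTR}"><saml:AttributeValue>jdoe@hudsonu.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>Teacher</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def cert_thumbprint(b64_der: str) -> str:
    """SHA-1 over the DER certificate bytes, upper-case hex, as Azure displays it."""
    return hashlib.sha1(base64.b64decode(b64_der)).hexdigest().upper()


def map_role(role_values, admin_mapping=ADMIN_MAPPING, instructor_mapping=INSTRUCTOR_MAPPING):
    """Apply the Role Mapping panel: the admin list wins, then the instructor list.
    The page does not say what happens when nothing matches, so return None (no role)."""
    admins = {v.strip() for v in admin_mapping.split(",")}
    instructors = {v.strip() for v in instructor_mapping.split(",")}
    if any(r in admins for r in role_values):
        return "IT Manager"
    if any(r in instructors for r in role_values):
        return "Instructor"
    return None


def process_response(xml_text, expected_fingerprint, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Check the fields pinned by the configuration, then provision from the claims.
    Pass your custom Platform URL values as sp_entity_id / acs_url if you use one."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": ["no Assertion in response"]}
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the configured Reply URL")
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or cert_thumbprint(cert.text.strip()) != expected_fingerprint:
        problems.append("signing certificate does not match the configured fingerprint")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp_entity_id:
        problems.append("Audience is not the configured Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID is not in emailAddress format")
    if problems:
        return {"ok": False, "problems": problems}
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    first = lambda name: attrs.get(name, [None])[0]
    return {"ok": True, "email": first(EMAIL_ATTR), "given_name": first(GIVEN_NAME_ATTR),
            "family_name": first(FAMILY_NAME_ATTR), "role": map_role(attrs.get(ROLE_ATTR, []))}


if __name__ == "__main__":
    print(process_response(SAMPLE_RESPONSE, CONFIGURED_FINGERPRINT))
    print(process_response(SAMPLE_RESPONSE, "00" * 20))  # stale fingerprint: rejected
```

Running the script shows the constructed user provisioned as an Instructor (the "Teacher" value matched the Instructor Mapping list), and the same response rejected once the configured fingerprint no longer matches the embedded certificate, which is what happens in practice when the Azure signing certificate is rotated without updating the Panorama field. For a custom Platform URL such as https://hudsonu.panorama.yuja.com, pass that value and its /api/sso/samlReceiveResponse path as sp_entity_id and acs_url.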