The Classlink SSO App allows administrators to integrate Incident IQ with a local AD server. This allows districts the ability to automatically populate and update user data in iiQ directly from their AD server.
The following guide is designed to provide step-by-step instructions on how to install the ClassLink SSO Integration app, establishing a link with Classlink for SSO functionality, as well as setting up a nightly task to sync user data with Incident IQ.
You can use the following links below to quickly navigate to a specific section in this document. To quickly return to this index simply use the Return to Index link located at the end of any section.
- Creating an Active Directory User
- App Installation
- App Configuration
- Establishing the IDP/ISP Connector with Classlink
- Configuring the Active Directory Integration
- Creating a Scheduled Sync Task
- Mapping User Role and Locations
Creating an Active Directory User
Before beginning the installation process you will need to ensure you have the following:
- An active directory vendor account that has the following permissions:
- Replicating directory changes.
- Replicating directory changes in filtered set.
- Replicating directory changes all.
- A machine that runs .NET Framework v.4.5.1 or higher and also has network access to reach your district's AD server.
Important Note: You will need to complete this step before proceeding. If you are unfamiliar with how to grant these specific permissions to a user then please refer to the following Microsoft help guide on Giving Users Replicating Directory Changes Permissions.
To install the Classlink SSO integration app, begin by selecting Incident IQ Apps > Browse on the left navigation bar. Scroll down to the Single Sign-On section and click on the Classlink SSO app
On the Classlink SSO app page click on Install.
Once the installation has been completed, click on Manage App Settings and continue to the next section to configure your Classlink SSO installation.
When accessing the Classlink SSO app for the first time after installation you will only see the Overview and two selectable options: Enable User Login and Enable User Sync. Before doing anything else, you will need to check these two options and click Save.
From here, you will see more options appear on the app tabs list. Click on Sync Executable.
This page will assist you in setting up your connector app configuration file. At the very least, you will need to provide the following information:
- AD Username (You will want to use the service account created in [section 1] of this document)
- AD Password
- AD Domain (Example: district.k12.tx.us)
- AD Server IP (220.127.116.11)
If desired, you may also set up OU exclusions to prevent account information stored within select AD OUs from being brought over during system syncs. Please note that setting up filters is entirely optional and can be updated at any time.
Additionally, you can also enable the sync to copy over additional AD Attributes as well such as Student/Employee ID and Grade if those data points exist in AD. As with OU filters, this setting is entirely optional and can be updated at any time.
Once you have completed entering your configuration information, click on Download Executable to download the connector app. Please note, you will want to download this connector app to a device that has access to your AD server and also runs overnight.
After downloading the connector file, you will want to run a manual sync to test the connection as well as download user data to Incident IQ. To do this, run the IncidentIQ.Connectors.MicrosoftAd application (ignore the CONFIG File and PDB File in this case.) In the connector app window that appears, click Run now.
If the app runs successfully, a data packet of user data will be sent to Incident IQ that can then be used to run a system sync.
Establishing the IDP/ISP Connection with Classlink
At this point in time, you will need to set up the SSO functionality of the Classlink SSO app. To do so, begin by going to the app Overview tab and clicking on the Download Service Provider Metadata button.
The following documentation provided by Classlink should walk you through the process of adding Incident IQ as a trusted provider in the Classlink SAML console:
Once the connection has been established, you’ll want to copy the following URL from the Classlink SAML console.
Next, you will need to paste this link into the URL field under the Identity Provider Settings tab within the Classlink SSO app within Incident IQ.
Additionally, further down in this tab you will also need to map SAML attributes needed for login. (Usually login_id, username, email, sAMAccountName, etc.)
After this tab has been configured, the Role mappings and Location mappings will need to be completed to map users to locations and roles within iiQ by OUs, groups, or any additional attribute that captures location or role for each user.
Creating a Scheduled Sync Task
To schedule the sync to occur automatically, you'll need to create a task in Windows Task Manager. You can do so by searching for Administrative Tools and selecting Task Scheduler. This will open the Task Scheduler window.
In the Task Scheduler window, start by clicking on Action > Create Basic Task...
This will open the Create Basic Task Wizard. At the very least, you will need to provide a name for the new task. You can also add a task if desired. Once complete, click Next.
In the next step, you will be asked to select when this task should Trigger. We recommend running it daily (overnight) for the most accurate user data. Please ensure you set the task to run regardless of whether a user is logged in or not on the server. Once complete, click Next.
For the next step, you will need to specify what action the task will take when running. Select Start a Program and then click on Next.
When specifying the action to perform, locate the file IncidentIQ.Connectors.MicrosoftAd.exe in the Program/script file browser. Supply the argument -usersync in the Add arguments field. And finally, you will need to indicate the path you unzipped the files to in the Start in field. Once complete, click Next.
In the final step, you may review all of the settings of your task. Once you have completed your review, check Open the Properties dialog for this task when I click Finish option and then click the Finish.
In the sync properties window, you will need to check Run whether user is logged on or not as well as Run with highest privileges. Click OK to complete the sync setup.
Mapping User Roles and Locations
At this point in time you will want to log back into the Incident IQ Microsoft Active Directory app to set your user roles and location mappings. These will indicate automatic role and location assignments for users during system syncs. You can find these settings in the Role Mappings and Location Mappings tabs.
You will want to immediately set a default Role and Location for users. These settings will act as fallback options in the event a user account does not match any custom mappings you set further down down in these tabs. We recommend using the following for these options:
- Default Role: During your initial setup you will want to set this to Guest. Once all of your custom mappings have been completed and user roles verified, you will most likely want to then set this to No Access instead.
- Default Role: You will want most likely want to either use the Central/District Office location for this, or create another specific location (such as Unassigned) for this.
When mapping to roles and locations, you may use groups, OU fragments, location name, or any combination of the three. Please note, you do not have to map locations and role by the same method.
The custom mappings section allows you to specify your user groups or OUs you wish to utilize for mapping users to their respective roles. Please note, when using OUs you will want to structure them in the same format as the examples below:
- OU=Staff and Faculty
- OU=IT Staff