Installing the ClassLink SSO Integration App

Guide Overview

The ClassLink SSO App allows administrators to integrate Incident IQ with a local AD server, so that districts can automatically populate and update user data in iiQ directly from their AD server.

The following guide provides step-by-step instructions on how to install the ClassLink SSO Integration app, establish a link with ClassLink for SSO functionality, and set up a nightly task to sync user data with Incident IQ.


Guide Index

You can use the links below to quickly navigate to a specific section in this document. To return to this index, use the Return to Index link located at the end of any section.

  1. Creating an Active Directory User
  2. App Installation
  3. App Configuration
  4. Establishing the IDP/ISP Connection with ClassLink
  5. Configuring the Active Directory Integration
  6. Creating a Scheduled Sync Task
  7. Mapping User Roles and Locations


Creating an Active Directory User

Before beginning the installation process you will need to ensure you have the following:

  • An Active Directory vendor account that has the following permissions:
    • Replicating directory changes.
    • Replicating directory changes in filtered set.
    • Replicating directory changes all.
    • Read.
  • A machine that runs .NET Framework v.4.5.1 or higher and also has network access to reach your district's AD server.

Important Note: You will need to complete this step before proceeding. If you are unfamiliar with how to grant these specific permissions to a user, please refer to the Microsoft help guide on Giving Users Replicating Directory Changes Permissions.
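The replication rights listed above allow the account to replicate directory data, including secret attributes, so it is worth confirming exactly which principals hold them on the domain root. The PowerShell below is an added example, not part of the Incident IQ or ClassLink documentation; it assumes the ActiveDirectory (RSAT) module is installed and uses a hypothetical account name, `DISTRICT\svc-iiq-sync`.

```powershell
# Added example: audit direct grants of the three replication rights on the domain root.
# Assumes the ActiveDirectory (RSAT) module; the account name below is hypothetical.
Import-Module ActiveDirectory

$ServiceAccount = 'DISTRICT\svc-iiq-sync'   # placeholder for the account created in this step

# Control access right GUIDs (rightsGuid values) for the replication permissions
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

# Keep only Allow ACEs that grant one of the three extended rights
$grants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $ReplicationRights.ContainsKey($_.ObjectType.ToString())
} | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Right     = $ReplicationRights[$_.ObjectType.ToString()]
        Inherited = $_.IsInherited
    }
}

# Every principal that holds any of the rights; review unexpected entries
$grants | Sort-Object Identity, Right | Format-Table -AutoSize

# Rights not granted directly to the service account
# (grants made through group membership are listed under the group's name instead)
$held = ($grants | Where-Object Identity -eq $ServiceAccount).Right
$ReplicationRights.Values | Where-Object { $_ -notin $held } |
    ForEach-Object { Write-Warning "$ServiceAccount has no direct grant for: $_" }
```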

[Return to Index]

 

App Installation

To install the ClassLink SSO integration app, begin by selecting Incident IQ Apps > Browse on the left navigation bar. Scroll down to the Single Sign-On section and click on the ClassLink SSO app.

On the Classlink SSO app page click on Install.

Once the installation has been completed, click on Manage App Settings and continue to the next section to configure your Classlink SSO installation.

[Return to Index]

 

App Configuration

When accessing the Classlink SSO app for the first time after installation you will only see the Overview and two selectable options:  Enable User Login and Enable User Sync. Before doing anything else, you will need to check these two options and click Save.

From here, you will see more options appear on the app tabs list. Click on Sync Executable.

This page will assist you in setting up your connector app configuration file. At the very least, you will need to provide the following information:

  • AD Username (You will want to use the service account created in [section 1] of this document)
  • AD Password
  • AD Domain (Example: district.k12.tx.us)
  • AD Server IP (Example: 12.3.4.56)

If desired, you may also set up OU exclusions to prevent account information stored within select AD OUs from being brought over during system syncs. Please note that setting up filters is entirely optional and can be updated at any time.

You can also enable the sync to copy over additional AD attributes, such as Student/Employee ID and Grade, if those data points exist in AD. As with OU filters, this setting is entirely optional and can be updated at any time.

Once you have completed entering your configuration information, click on Download Executable to download the connector app. Please note, you will want to download this connector app to a device that has access to your AD server and also runs overnight.

After downloading the connector file, you will want to run a manual sync to test the connection as well as download user data to Incident IQ. To do this, run the IncidentIQ.Connectors.MicrosoftAd application (ignore the CONFIG File and PDB File in this case). In the connector app window that appears, click Run now.

If the app runs successfully, a data packet of user data will be sent to Incident IQ that can then be used to run a system sync.

[Return to Index]

 

Establishing the IDP/ISP Connection with Classlink

At this point in time, you will need to set up the SSO functionality of the Classlink SSO app. To do so, begin by going to the app Overview tab and clicking on the Download Service Provider Metadata button.

The following documentation provided by Classlink should walk you through the process of adding Incident IQ as a trusted provider in the Classlink SAML console:

Once the connection has been established, you’ll want to copy the following URL from the Classlink SAML console.

Next, you will need to paste this link into the URL field under the Identity Provider Settings tab within the Classlink SSO app within Incident IQ.

Additionally, further down in this tab you will also need to map SAML attributes needed for login. (Usually login_id, username, email, sAMAccountName, etc.)

After this tab has been configured, the Role mappings and Location mappings will need to be completed to map users to locations and roles within iiQ by OUs, groups, or any additional attribute that captures location or role for each user.

[Return to Index]

 

Creating a Scheduled Sync Task

To schedule the sync to occur automatically, you'll need to create a task in Windows Task Scheduler. You can do so by searching for Administrative Tools and selecting Task Scheduler. This will open the Task Scheduler window.

In the Task Scheduler window, start by clicking on Action > Create Basic Task...

This will open the Create Basic Task Wizard. At the very least, you will need to provide a name for the new task. You can also add a description if desired. Once complete, click Next.

In the next step, you will be asked to select when this task should Trigger. We recommend running it daily (overnight) for the most accurate user data. Please ensure you set the task to run regardless of whether a user is logged in or not on the server. Once complete, click Next.

For the next step, you will need to specify what action the task will take when running. Select Start a Program and then click on Next.

When specifying the action to perform, locate the file IncidentIQ.Connectors.MicrosoftAd.exe in the Program/script file browser. Supply the argument -usersync in the Add arguments field. Finally, enter the path you unzipped the files to in the Start in field. Once complete, click Next.

In the final step, you may review all of the settings of your task. Once you have completed your review, check the Open the Properties dialog for this task when I click Finish option and then click Finish.

In the sync properties window, you will need to check Run whether user is logged on or not as well as Run with highest privileges. Click OK to complete the sync setup.
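The wizard steps above can also be scripted. The PowerShell below is an added example, not part of the Incident IQ or ClassLink documentation: it registers the same daily task and, because the task runs with highest privileges, first flags any non-administrative identity that can modify the connector folder. The install path, task name and 2:00 AM start time are assumptions.

```powershell
# Added example: scripted equivalent of the Task Scheduler steps. Run from an elevated prompt.
$InstallDir = 'C:\IncidentIQ\Connector'    # hypothetical: the folder you unzipped the files to
$TaskName   = 'Incident IQ AD User Sync'   # hypothetical task name
$Exe        = Join-Path $InstallDir 'IncidentIQ.Connectors.MicrosoftAd.exe'

if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) {
    throw "Connector executable not found at $Exe"
}

# Flag identities outside this list that can change files the elevated task will execute
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$risky   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
(Get-Acl -LiteralPath $InstallDir).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $risky) -and
        $_.IdentityReference.Value -notin $trusted
    } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can modify $InstallDir ($($_.FileSystemRights))" }

# Supplying stored credentials corresponds to "Run whether user is logged on or not"
$cred    = Get-Credential -Message 'Account the sync task should run as'
$action  = New-ScheduledTaskAction -Execute $Exe -Argument '-usersync' -WorkingDirectory $InstallDir
$trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'   # assumed overnight start time

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Read the task back to confirm what was registered
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName,
    @{ n = 'RunAs';    e = { $_.Principal.UserId } },
    @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } },
    @{ n = 'Action';   e = { "$($_.Actions.Execute) $($_.Actions.Arguments)" } }
```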

[Return to Index]

 

Mapping User Roles and Locations

At this point in time you will want to log back into the Incident IQ Microsoft Active Directory app to set your user roles and location mappings. These will indicate automatic role and location assignments for users during system syncs. You can find these settings in the Role Mappings and Location Mappings tabs.

You will want to immediately set a default Role and Location for users. These settings will act as fallback options in the event a user account does not match any custom mappings you set further down in these tabs. We recommend using the following for these options:

  • Default Role: During your initial setup you will want to set this to Guest. Once all of your custom mappings have been completed and user roles verified, you will most likely want to then set this to No Access instead.
  • Default Location: You will most likely want to either use the Central/District Office location for this, or create another specific location (such as Unassigned) for this.

When mapping to roles and locations, you may use groups, OU fragments, location name, or any combination of the three. Please note, you do not have to map locations and roles by the same method.

The custom mappings section allows you to specify the user groups or OUs you wish to use for mapping users to their respective roles. Please note, when using OUs you will want to structure them in the same format as the examples below:

  • OU=Staff and Faculty
  • OU=Students
  • OU=IT Staff

[Return to Index]
