The Single Sign-on tab allows the district to configure their single sign-on preferences directly through the interface. This feature provides support for multiple single sign-on profiles.
In Users > Profiles, enable the sub-permission "Configure Single Sign-On" under System Preferences to allow the user access to the Single Sign-on tab. For users without this sub-permission, the Single Sign-on tab will not display.
1. In the Setup menu, click System Preferences.
2. Click the Single Sign-on tab.
3. Click Add a single sign-on profile and select the desired option.
The settings are displayed. The settings may differ depending on the single sign-on profile type. See Configuring a Single Sign-On Profile for the specific setup for each profile type. After completing the setup for the single sign-on profile, click Save.
General Settings
Title | Description |
---|---|
Provider Title | The default Provider Title can be updated, as desired. The provider title is used on the button that displays on the Focus login screen. |
Provider ID | Focus will generate a random provider ID. In best practice, the Provider ID should be updated to be more readable. The provider ID is used in URLs. Tip: You can go directly to an SSO profile by entering your Focus URL and adding ?/sso= followed by the provider ID. |
Native Browser on Mobile | Select whether to use a native browser for mobile login requests. |
General Settings
Title | Description |
---|---|
Provider Title | The default Provider Title can be updated, as desired. The provider title is used on the button that displays on the Focus login screen, e.g. Sign in with Google. |
Provider ID | Focus will generate a random provider ID. In best practice, the Provider ID should be updated to be more readable. The provider ID is used in URLs. Tip: You can go directly to an SSO profile by entering your Focus URL and adding ?/sso= followed by the provider ID. |
Automatic Login Redirect | Yes: When Automatic Login Redirect is set to Yes, end-users are redirected to the SSO login page when they navigate to the Focus login screen. No: When Automatic Login Redirect is set to No, end-users are not redirected and the Focus login screen loads as usual. |
Username Suffix | When Automatic Login Redirect is set to No, end-users can be redirected to the SSO login page when they type a username that ends in the entered Username Suffix on the Focus login screen and tab out of the Username input. |
QR Code on Kiosk | Select Yes to enable signing in on the kiosk using a QR code. On the kiosk login screen, the user will tap to log in using SSO. A QR code will display for 30 seconds (after 30 seconds, the kiosk login screen will redisplay). The user will scan the QR code with their phone. Once authentication is complete, the user will be logged in on the kiosk. |
Google Sign-In Settings
Title | Description |
---|---|
Client ID | Paste the client ID into Focus as provided in the Google Cloud console. |
Client Secret | Paste the client secret into Focus as provided in the Google Cloud console. |
Force Authorization | The Force Authorization flag controls when the end-user is required to enter or re-enter credentials. Available options are After Logout, Always, and Never. |
User Mapping | Select whether to map users between the identity provider and Focus using their Focus Username or Focus Email. |
Redirect URL | Copy the redirect URL from this field and paste it into the "Authorized redirect URIs" field in the Google Cloud console. |
General Settings
Title | Description |
---|---|
Provider Title | The default Provider Title can be updated, as desired. The provider title is used on the button that displays on the Focus login screen, e.g. Sign in with OAuth 2.0. |
Provider ID | Focus will generate a random provider ID. In best practice, the Provider ID should be updated to be more readable. The provider ID is used in URLs. Tip: You can go directly to an SSO profile by entering your Focus URL and adding ?/sso= followed by the provider ID. |
Automatic Login Redirect | Yes: When Automatic Login Redirect is set to Yes, end-users are redirected to the SSO login page when they navigate to the Focus login screen. No: When Automatic Login Redirect is set to No, end-users are not redirected and the Focus login screen loads as usual. |
Username Suffix | When Automatic Login Redirect is set to No, end-users can be redirected to the SSO login page when they type a username that ends in the entered Username Suffix on the Focus login screen and tab out of the Username input. |
Native Browser on Mobile | Select whether to use a native browser for mobile login requests. |
QR Code on Kiosk | Select Yes to enable signing in on the kiosk using a QR code. On the kiosk login screen, the user will tap to log in using SSO. A QR code will display for 30 seconds (after 30 seconds, the kiosk login screen will redisplay). The user will scan the QR code with their phone. Once authentication is complete, the user will be logged in on the kiosk. |
OAuth Settings
Title | Description |
---|---|
Client ID | Paste the client ID value into Focus as provided in the Google Cloud console/the identity provider. |
Client Secret | Paste the client secret value into Focus as provided in the Google Cloud console/the identity provider. |
Authorization HTTP Header | Enter the Authorization HTTP Header, as provided by the identity provider. For Google and Azure, enter Bearer {access_token} as in the provided example. |
Scope | You may leave email entered as the scope, or if needed, enter a different scope. |
Force Authorization | The Force Authorization flag controls when the end-user is required to enter or re-enter credentials. Available options are After Logout, Always, and Never. |
OAuth Endpoints
Title | Description |
---|---|
Authorization Endpoint | Paste the value into Focus as provided by the Google Cloud console/the identity provider. |
Token Endpoint | Paste the value into Focus as provided by the Google Cloud console/the identity provider. |
User Info Endpoint | Paste the value into Focus as provided by the Google Cloud console/the identity provider. |
User Lookup Query
The User Lookup Query must be entered as a SQL query. This query returns the Focus user that will be mapped to a given access token. The query must return a ‘username’ column. You may reference the user info JSON string using {userinfo}.
Enter the appropriate query in the User Lookup Query SQL field and click Save. If using the default query, make sure to remove LIMIT 0 from the query, and click Save.
General Settings
Title | Description |
---|---|
Provider Title | The default Provider Title can be updated, as desired. The provider title is used on the button that displays on the Focus login screen, e.g. Sign in with OpenID Connect. |
Provider ID | Focus will generate a random provider ID. In best practice, the Provider ID should be updated to be more readable. The provider ID is used in URLs. Tip: You can go directly to an SSO profile by entering your Focus URL and adding ?/sso= followed by the provider ID. |
Automatic Login Redirect | Yes: When Automatic Login Redirect is set to Yes, end-users are redirected to the SSO login page when they navigate to the Focus login screen. No: When Automatic Login Redirect is set to No, end-users are not redirected and the Focus login screen loads as usual. |
Username Suffix | When Automatic Login Redirect is set to No, end-users can be redirected to the SSO login page when they type a username that ends in the entered Username Suffix on the Focus login screen and tab out of the Username input. |
Native Browser on Mobile | Select whether to use a native browser for mobile login requests. |
QR Code on Kiosk | Select Yes to enable signing in on the kiosk using a QR code. On the kiosk login screen, the user will tap to log in using SSO. A QR code will display for 30 seconds (after 30 seconds, the kiosk login screen will redisplay). The user will scan the QR code with their phone. Once authentication is complete, the user will be logged in on the kiosk. |
OpenID Settings
Title | Description |
---|---|
Issuer URL | Paste the issuer URL into Focus as provided by Google/the identity provider, e.g. https://accounts.google.com. |
Client ID | Paste the client ID into Focus as provided in the Google Cloud console/the identity provider. |
Client Secret | Paste the client secret into Focus as provided in the Google Cloud console/the identity provider. |
Force Authorization | The Force Authorization flag controls when the end-user is required to enter or re-enter credentials. Available options are After Logout, Always, and Never. |
User Mapping | Select whether to map users between the identity provider and Focus using their Focus Username or Focus Email. |
Redirect URL | Copy the redirect URL from Focus and paste it into the appropriate area in the Google Cloud console/the identity provider. |
The following procedure provides an overview of setting up the SAML profile type. For details on each setup field, see General Settings, Identity Provider Settings, Identity Provider Certificates, Service Provider Settings, Service Provider Keys, Service Provider Certificates, Technical Contact, and User Lookup Query below.
1. After adding the SAML profile, scroll down and click the green button next to the Service Provider Keys heading.
The Signing Key and Encryption Key will generate. Click Save.
The Signing Certificate and Encryption Certificate will populate in the Service Provider Certificates section.
2. Copy the Metadata URL in the Service Provider Settings section of the screen and paste it into the address bar in a new browser tab.
The metadata is displayed.
3. Save an XML file of the metadata, upload the file into the "Upload metadata file" area in Azure, and save the basic SAML configuration.
4. Copy the metadata URL from Azure and paste it into the Metadata URL field in Focus. Remove the portion of the URL that contains appid= and the values that follow.
5. After entering the Metadata URL, click the green icon in the Identity Provider Settings header. This will populate the remaining fields in the Identity Provider Settings section of the screen.
6. Set the Ignore Unencrypted Assertions field to No.
7. Set the User Lookup Query, and click Save. See User Lookup Query below for more information.
General Settings
Title | Description |
---|---|
Provider Title | The default Provider Title can be updated, as desired. The provider title is used on the button that displays on the Focus login screen, e.g. Sign in with SAML. |
Provider ID | Focus will generate a random provider ID. In best practice, the Provider ID should be updated to be more readable. The provider ID is used in URLs. Tip: You can go directly to an SSO profile by entering your Focus URL and adding ?/sso= followed by the provider ID. |
Automatic Login Redirect | Yes: When Automatic Login Redirect is set to Yes, end-users are redirected to the SSO login page when they navigate to the Focus login screen. No: When Automatic Login Redirect is set to No, end-users are not redirected and the Focus login screen loads as usual. |
Username Suffix | When Automatic Login Redirect is set to No, end-users can be redirected to the SSO login page when they type a username that ends in the entered Username Suffix on the Focus login screen and tab out of the Username input. |
Native Browser on Mobile | Select whether to use a native browser for mobile login requests. |
QR Code on Kiosk | Select Yes to enable signing in on the kiosk using a QR code. On the kiosk login screen, the user will tap to log in using SSO. A QR code will display for 30 seconds (after 30 seconds, the kiosk login screen will redisplay). The user will scan the QR code with their phone. Once authentication is complete, the user will be logged in on the kiosk. |
Identity Provider Settings
Title | Description |
---|---|
Metadata URL | The URL of the Identity Provider’s XML metadata. |
Green Icon | Once the Metadata URL has been entered, click the green Metadata URL button to auto-populate the Identity Provider Settings. |
Entity ID | The Identity Provider’s Entity ID or Issuer URL. |
Single Sign-On Endpoint | The Identity Provider’s single sign-on endpoint. When utilizing ADFS, “wa=wsignout1.0” must be appended to the Single Sign-On Endpoint. |
Single Logout Endpoint | The Identity Provider’s single logout endpoint. |
Auto-update Certificates | Yes: When Auto-update Certificates is set to Yes, Focus auto-updates Identity Provider certificates every 10 minutes or immediately upon expiration. The Metadata URL must be entered in order to use the Auto-update Certificates feature. No: When Auto-update Certificates is set to No, expired certificates must be updated manually. |
Ignore Unencrypted Assertions | This should be set to No. Yes: When Ignore Unencrypted Assertions is set to Yes, Focus ignores any claims from the Identity Provider that are not encrypted. No: When Ignore Unencrypted Assertions is set to No, Focus processes claims from the Identity Provider that are not encrypted. |
NameID Format | If utilizing the NameID in the User Lookup Query, the NameID Format must be entered. Options include SAML 1.1 Unspecified, SAML 1.1 Email Address, SAML 2.0 Persistent, and SAML 2.0 Transient. |
Allow Creating NameID | Yes: When Allow Creating NameID is set to Yes, Focus sends a flag to the SAML server acknowledging that it is allowed to create a new user for the given credentials. No: When Allow Creating NameID is set to No, Focus sends a flag to the SAML server indicating that it should not create a new user for the given credentials. |
Identity Provider Certificates
Title | Description |
---|---|
Signing Certificate(s) | The Identity Provider’s signing certificates; the server will utilize the corresponding key to sign messages. Focus expects Base64-encoded PEM format. Separate multiple certificates with a new line. |
Encryption Certificate(s) | The Identity Provider’s encryption certificates; the server will utilize the corresponding key to encrypt messages. Focus expects Base64-encoded PEM format. Separate multiple certificates with a new line. |
Service Provider Settings
Title | Description |
---|---|
Display Name | The Display Name will default to the title set up in the site’s configuration file. The SSO login page can choose to utilize this in its login form. |
Description | The SSO login page can choose to utilize the Description in its login form. |
Logo URL | The Logo URL will default to {SITEURL}/logo.png. The SSO login page can choose to utilize this in its login form. |
Force Authorization | The Force Authorization flag controls when the end-user is required to enter or re-enter credentials. Available options are After Logout, Always, and Never. |
Signature Algorithm | The algorithm to use when signing messages. Options include RSA with SHA1, RSA with SHA256, and RSA with SHA512. |
Sign Metadata | The Sign Metadata option determines whether or not to add a signature to the Service Provider XML metadata. |
Sign Login Requests | The Sign Login Requests option determines whether or not to add a signature to login request messages. These messages are sent when the end-user logs in from the Focus SSO portal flow. |
Sign Logout Requests | The Sign Logout Requests option determines whether or not to add a signature to logout request messages. These messages are sent when the end-user logs out from Focus. |
Sign Logout Responses | The Sign Logout Responses option determines whether or not to add a signature to logout response messages. These messages are sent when the end-user logs out from the SSO portal. |
Service Provider Keys
Title | Description |
---|---|
Signing Key | Service Provider’s private signing key. The Signing Key is used to sign metadata and any messages that need to be signed. |
Encryption Key | Service Provider’s private encryption key. The Encryption Key is used to decrypt encrypted data from the SSO server. |
Green Icon | Click the green Service Provider Keys icon to auto-generate and auto-fill the Signing Key and the Encryption Key. |
Service Provider Certificates
Title | Description |
---|---|
Signing Certificate | Signing Certificates are auto-populated and correspond to the Signing Key. |
Encryption Certificate | Encryption Certificates are auto-populated and correspond to the Encryption Key. |
Technical Contact
Title | Description |
---|---|
First Name | Technical contact information auto-populates with the information of the logged-in Focus user setting up the SSO profile. This field is visible in the Metadata URL and can be adjusted as necessary. |
Last Name | Technical contact information auto-populates with the information of the logged-in Focus user setting up the SSO profile. This field is visible in the Metadata URL and can be adjusted as necessary. |
Technical contact information auto-populates with the information of the logged-in Focus user setting up the SSO profile. This field is visible in the Metadata URL and can be adjusted as necessary. |
User Lookup Query
The User Lookup Query must be entered as a SQL query. This query returns the Focus user that will be mapped to a given SAML NameID and SAML attributes. The query must return a ‘username’ column. You may reference any attribute using {attr:[FriendlyName]} or {attrname:[Name]}. The NameID may be referenced by using {NameID} and the NameID format using {Format}.
Enter the appropriate query in the User Lookup Query SQL field and click Save. If using the default query, remove LIMIT 0 from the query, and click Save.
The query should return a single Focus username for a given set of NameID plus attributes returned from the SAML server. If no Focus user matches the NameID plus attributes, the query should return NULL or no rows.
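The lookup contract described for the OAuth 2.0 profile (a query over the {userinfo} JSON string) and for the SAML profile above (a query over {NameID} and {attr:[...]} values) can be exercised offline. The following Python emulation is an added example and is not Focus code; it assumes a hypothetical users table with username, email and external_id columns, renders the documented placeholders as bound SQL parameters (the emulation's own choice; this page does not say how Focus substitutes them), and registers a json_field helper as a stand-in for the database's JSON functions. Beyond the page's wording, it also treats a query that matches more than one Focus user as a failure rather than picking one.

```python
"""Emulation of the User Lookup Query contract (added example, not Focus code).

Assumptions not taken from the Focus documentation:
  - a hypothetical `users` table with username, email and external_id columns
  - placeholders are rendered as bound SQL parameters (this emulation's choice)
  - `json_field(doc, key)` stands in for the database's own JSON functions
"""
from __future__ import annotations

import json
import re
import sqlite3
from typing import Any, Optional

# Placeholder syntax documented for the lookup query:
#   {userinfo}                               OAuth 2.0 user-info JSON string
#   {NameID}, {Format}                       SAML NameID and its format
#   {attr:[FriendlyName]}, {attrname:[Name]} SAML attributes
PLACEHOLDER = re.compile(
    r"\{(userinfo|NameID|Format|attr:\[[^\]]*\]|attrname:\[[^\]]*\])\}"
)


class AmbiguousMappingError(Exception):
    """More than one Focus user matched a single external identity."""


def render(query: str, context: dict[str, Any]) -> tuple[str, list[Any]]:
    """Replace each placeholder with a '?' bind marker and collect its value.

    Binding the values instead of splicing them into the SQL text means an
    attribute or claim supplied by the identity provider is only ever compared
    as data and cannot change the query's structure. A placeholder with no
    value in the context binds NULL, so the comparison simply matches nothing.
    """
    params: list[Any] = []

    def replace(match: re.Match) -> str:
        key = match.group(1)
        if key.startswith("attr:["):
            value = context.get("attributes", {}).get(key[len("attr:["):-1])
        elif key.startswith("attrname:["):
            value = context.get("attributes_by_name", {}).get(key[len("attrname:["):-1])
        else:
            value = context.get(key)
        params.append(value)
        return "?"

    return PLACEHOLDER.sub(replace, query), params


def lookup_username(conn: sqlite3.Connection, query: str,
                    context: dict[str, Any]) -> Optional[str]:
    """Run the query and enforce the contract: exactly one username, or nobody."""
    sql, params = render(query, context)
    cur = conn.execute(sql, params)
    columns = [d[0] for d in cur.description]
    if "username" not in columns:
        raise ValueError("lookup query must return a 'username' column")
    idx = columns.index("username")
    matches = {row[idx] for row in cur.fetchall() if row[idx] is not None}
    if not matches:
        return None  # NULL or no rows: the external identity maps to nobody
    if len(matches) > 1:
        # Two Focus accounts for one identity: fail closed rather than pick one
        raise AmbiguousMappingError(f"matched {sorted(matches)}")
    return matches.pop()


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data in a hypothetical schema (not Focus's tables)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, external_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("asmith", "asmith@example.org", "idp-1002"),
            ("jdoe", "jdoe@example.org", "idp-1001"),
            ("jdoe.old", "jdoe@example.org", "idp-1003"),  # stale duplicate e-mail
        ],
    )
    conn.create_function("json_field", 2, lambda doc, key: json.loads(doc).get(key))
    return conn


# Sample lookup queries in the documented placeholder syntax (hypothetical schema)
SAML_BY_NAMEID = "SELECT username FROM users WHERE external_id = {NameID}"
SAML_BY_EMAIL = "SELECT username FROM users WHERE email = {attr:[email]}"
OAUTH_BY_EMAIL = (
    "SELECT username FROM users WHERE email = json_field({userinfo}, 'email')"
)

if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_username(db, SAML_BY_NAMEID, {"NameID": "idp-1002"}))
    print(lookup_username(db, OAUTH_BY_EMAIL, {"userinfo": '{"email": "asmith@example.org"}'}))
    try:
        lookup_username(db, SAML_BY_EMAIL, {"attributes": {"email": "jdoe@example.org"}})
    except AmbiguousMappingError as exc:
        print("refused:", exc)
```

Mapping on a stable identifier such as the persistent NameID (SAML_BY_NAMEID) is the less fragile choice: the e-mail-based queries show how a stale duplicate address in the user table turns a login into an ambiguous match, which the emulation refuses instead of guessing.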
1. To delete an SSO profile, click Delete Profile in the Actions section of the screen.
2. In the confirmation message, click Yes.
The View Sessions button lets you view recent sessions, including those of other users, for troubleshooting.
1. In the desired SSO profile, click View Sessions in the Actions section of the screen.
A table displays up to 20 recent sessions from the last 15 minutes.
The Logged In and Logged Out columns display when the user successfully logged in or out of the SSO provider, not Focus.
2. Click Details to view session details in a pop-up window.
3. Click the X to close the window when finished.
To test an SSO profile, log into Focus using local credentials, then open an incognito window and attempt to log in to Focus using SSO. In Focus, click View Sessions to view the session details for troubleshooting.