G Suite: How to configure teacher logins

Your SchoolCloud system supports G Suite as an authentication method for teachers. Authentication is performed using SAML (Security Assertion Markup Language), which allows an Identity Provider (Google in this case) to send some of its users' attributes to a Service Provider (in this case SchoolCloud).

NOTE: We don't currently support teachers clicking on the app tile within G Suite, so teachers must access the normal SchoolCloud system login page, where they can then click a link to perform the single sign-on with G Suite. We recommend your teachers bookmark that link for faster access.

Prerequisites

You need to host the metadata XML file output by the SAML App setup in a web-accessible directory. It doesn't matter where the file is hosted as long as we can access it.

How do I set up G Suite for SAML authentication?

Google refers to an application that uses this authentication method as an App. We don't have a "published" application on G Suite as yet, so you need to manually define the authentication method when setting it up. Before proceeding, note that it takes up to 24 hours for SAML settings to take effect for all users in G Suite. We therefore recommend performing the setup on a Friday afternoon, or at some other time when you expect the school to be quiet.

  1. Sign into your Google Admin console by going to https://admin.google.com
  2. Navigate into the Apps > SAML Apps section. If you don't see the Apps icon, you might need to follow this guide: https://support.google.com/a/answer/3052550
  3. Click the "+" icon at the bottom right of the screen to add a new SAML App.
  4. Next, click the Setup my own custom app button at the bottom of the Enable SSO for SAML Application window.

  5. Click the IdP Metadata Download button (option 2) and save it somewhere on your computer.

    In addition, copy the Entity ID from the "Option 1" section. You'll need these later.

    Click Continue once you have the file.
  6. On the next step, you'll need to provide some identification information for the application. This information will be shown to other users.

    If you would like to use our logo you can right click on the following image to save a copy:

    Note that the application name field does not allow you to place the (grammatically correct) apostrophe on the end of "Parents".

    Once this is complete, click the Next button.
  7. Set up the Clubs & Events ACS URL and the other details for logging into our service, using the settings below:

    ACS URL: https://auth.parentseveningsystem.co.uk/Providers/Saml/Acs
    Entity ID: https://auth.parentseveningsystem.co.uk
    Start URL: https://auth.parentseveningsystem.co.uk/ReplaceThisWithYourSubdomain/teacher
    Signed Response: Disabled
    Name ID: Basic Information - Primary Email
    Name ID Format: Transient

    For the Start URL, be sure to replace ReplaceThisWithYourSubdomain with the portion of the web address you use to access Clubs & Events that comes after https:// and before .schoolcloud.co.uk or .parentseveningsystem.co.uk.

  8. Provide the attribute mapping rules to Google by adding the following attribute to the map:

    Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Category: Basic Information
    User Field: Primary Email

  9. Click Finish. The following message confirms the setup:

  10. Click Ok to dismiss the message and you will see the SAML App page.

    Click the menu icon to the right of the application title, then select an option to turn the application on for some users.

    Remember that the change takes 24 hours to propagate before taking effect for the users selected, and you will see a warning to this effect.
  11. While this propagation occurs, add the metadata file you downloaded in step 5 to a web-accessible directory, i.e. a directory that can be reached over the internet from the IP addresses of our servers.

    Make a note of the URL that will be used to access the file, as you will need it later.

    Our server IPs are:

    • 3.11.136.51
    • 3.11.149.57
    • 3.11.229.108
  12. Go to your Clubs & Events home page, then to Settings > Teacher Authentication > SAML, and paste the URL from step 11 into the Metadata URL box.

    Paste the Entity ID you copied in step 5 into the Entity ID box.
    Click Save.
  13. Allow the full 24 hours for the settings to propagate.
  14. To test the newly created G Suite logins, go to the teacher login page. You should be presented with a "login and continue" button.

    Click "login and continue" and you should be forwarded to G Suite's login page.

    If you're already logged into their services, you will be logged in directly to your SchoolCloud account.
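
SAML IdP metadata carries the Entity ID, sign-in endpoint and signing certificate, so it is worth confirming that the copy hosted in step 11 still matches the file downloaded in step 5 and the Entity ID copied there. The Python below is an added example, not SchoolCloud or Google code; the function names, the idp.example URLs and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_metadata(xml_bytes):
    """Extract entity ID, SSO endpoints and signing-certificate fingerprints."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata")
    certs = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' means any purpose
            for c in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((c.text or "").split()))
                certs.add(hashlib.sha256(der).hexdigest())
    sso = sorted(e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS))
    return {"entity_id": root.get("entityID"), "sso": sso, "certs": certs}

def check_hosted_copy(downloaded, hosted, expected_entity_id):
    """Return reasons not to trust the hosted file; an empty list means it matches."""
    ref, live = summarize_metadata(downloaded), summarize_metadata(hosted)
    problems = []
    if ref["entity_id"] != expected_entity_id:
        problems.append("downloaded Entity ID is not the one copied in step 5")
    if live["entity_id"] != ref["entity_id"]:
        problems.append("hosted Entity ID differs from the download")
    if not live["certs"] or live["certs"] != ref["certs"]:
        problems.append("hosted signing certificate differs from the download")
    if live["sso"] != ref["sso"] or not all(u.startswith("https://") for u in live["sso"]):
        problems.append("hosted SSO endpoints differ or are not HTTPS")
    return problems

def sample_metadata(cert_bytes, entity_id="https://idp.example/saml2?idpid=PLACEHOLDER"):
    """Constructed sample metadata; cert_bytes are placeholder bytes, not a certificate."""
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor><md:SingleSignOnService Location="https://idp.example/sso"/>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], entity_id, base64.b64encode(cert_bytes).decode())
            ).encode()
```

To use it, read the downloaded file and the copy fetched from your Metadata URL as bytes, then pass both to check_hosted_copy together with the Entity ID from step 5.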