ClickView Active Directory Integration
Installation and User Guide
Please Note: ClickView SSO (ADI) is no longer supported as of 2016*.
Please look into our alternate methods of Single Sign On.
• SAML (ADFS) - https://www.clickviewsupport.com/hc/en-au/articles/215120698
• Azure AD (Office365) - https://www.clickviewsupport.com/hc/en-au/articles/360024663994
• Google Apps - https://www.clickviewsupport.com/hc/en-au/articles/215129008
Please contact ClickView Support if you require assistance.
*ADI is still in extended supported for WA DoE Schools.
What is ClickView SSO (ADI)
ClickView Active Directory integration, also known as ClickView SSO (ADI), is a plugin that is installed at the institution level and provides a same sign on environment to ClickView Online for schools who have adopted Active Directory as their account management service. Because ADI only integrates with Active Directory, it allows users use the same credentials they would for other school services, but it does not provide a true single sign on experience compared with other SAML based options. Because of this, we strongly recommend you look at alternatives before you consider this plugin.
Internet Information Services (IIS) plays an integral part in the operation of the ClickView SSO (ADI). In the first section we will go through the IIS features needed for the ClickView SSO (ADI) connector to run optimally.
- If you are installing the ClickView ADI connector on Windows Server 2008 R2, follow the IIS 7.5 installation guidance.
- If you are installing the ClickView ADI connector on Windows Server 2012 or 2012 R2, follow the IIS 8.0 / 8.5 guidance.
Prior to installing the ClickView SSO (ADI), the following key Windows components are recommended to be installed on a dedicated server machine to ensure the best possible user experience:
- Internet Information Service (IIS) 7.5, 8.0 or 8.5
- .NET Framework 4.0 framework installed / initialised - only required as a separate install if the ADI software is being installed onto the 2008 R2 platform (http://www.microsoft.com/en-au/download/details.aspx?id=17718). This must be installed prior to commencing the setup of IIS
- The Server running the ADI software must be joined to a Windows base Active Directory Domain running at a Windows Server 2003 functional level or higher.
- User Accounts in the Domain must have valid account information set in the 'E-mail' or 'UserPrincipalName' (UPN) field within Active Directory
- Ensure a public DNS address has been setup and configured to provide external access to your ClickView ADI site, as this will be required to allow your users to access ClickView Online using ADI outside of the institutions network. The specified DNS address must be set within ClickView Online as shown in 'Step 5' of this tutorial to ensure full functionality of the ADI product.
- The ADI software and your unique API key - please e-mail ClickView Support or lodge a Support Request to obtain these
Once ADI has been setup and is operational at your institution it will become your sole method for accessing the ClickView Online platform.
Note: ClickView SSO ADI can only be installed once per institution - if your institution runs separate domains for users i.e. one domain for Staff and a different domain for Students please contact ClickView Support for further advice on implementing it.
Click 'Start' -> 'All Programs' -> 'Administrative Tools' -> 'Server Manager'
In the 'Server Manager' window, scroll down to 'Roles Summary' and then click 'Add Roles' Select 'Web Server (IIS)' and click 'Next'
A. Common HTTP Features
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
B. Application Development
- ASP .NET
- .NET Extensibility
- ISAPI Filters
C. Health and Diagnostics
- HTTP Logging
- Request Monitor
D. Security - Select all subsections
- Static Content Compression
- Dynamic Content Compression
F. Management Tools
- IIS Management Console
Once the above roles have been selected click 'Next' to confirm the installation of the components. Click 'Install' and the IIS configuration will begin.
When the installation is complete you will be presented with an installation summary, click 'Close'.
Prior to installing the ClickVie Active Directory Connector we need to delete the Default Website that was created during the initial IIS Setup. To do this go to 'Start' -> 'Administrative Tools' -> 'Internet Information Services (IIS) Manager'. Expand the server tree until you reach 'Default Website'. Right Click and select 'Remove'. Acknowledge the warning and select 'Yes'.
Click on the 'Server Manager' icon which is located on the bottom left hand corner of the 2012 or 2012 R2 desktop.
Click on 'Add roles and features'
Progress to the 'Server Roles' section and check the 'Web Server (IIS)' box
Click on 'Next' and then progress to the 'Web Server Role (IIS)' section > 'Role Services'
Within 'Role Services' ensure the following entities are checked:
A. Web Server
B. Common HTTP Features
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content
- HTTP Redirection
C. Health and diagnostics
- HTTP Logging
- Static Content Compression
- Dynamic Content Compression
E. Security - Tick all subsections
F. Application Development
- .NET Extensibility 3.5
- .NET Extensibility 4.5
- Application Initialization
- ASP .NET 3.5
- ASP .NET 4.5
- ISAPI Extensions
- ISAPI Filters
- Server Side Includes
Click 'Next' to commence the installation of these required 'Roles. When the installation has finished the following message should appear:
Prior to installing the ClickView Active Directory Connector we need to delete the Default Website that was created during the initial IIS Setup. To do this go to 'Start' -> 'Administrative Tools' -> 'Internet Information Services (IIS) Manager' Expand the server tree until you reach 'Default Website' Right Click and select 'Remove' > Acknowledge the warning and select Yes.
Reboot the server and you can commence the ClickView ADI install process upon reboot.
1. In the event .NET Framework 4.0 is not installed or initialised on the system, you will be presented with the following prompt to install .NET Framework 4.0, proceed through the steps to install .NET Framework 4.0.
2. Run the ClickView SSO and AD Connector Setup Wizard that has been provided to you by ClickView
3. Read and Accept the enclosed Software End User License Agreement (EULA). Click Next once completed.
4. Enter the Website Name you would like to use for your SSO Login Page. This will be the hostname attached to the IIS Binding of the site. Click 'Next' once completed. If defining a FQDN please ensure to make the necessary, A Record changes within your DNS.
5. Enter the necessary information as requested on the following screen. This information will be used to setup your IIS Application pool that will host the SSO site. For the Custom Account you will need to enter a username that has network access above the Guest level and the ability to query Users and Groups using the LDAP protocol on the Active Directory you are going to point the ClickView Active Directory Connector to.
A verification of the defined Custom Account credentials will take place, if the specified credentials are correct, you will be presented within the following message.
Click 'OK' to continue.
6. It is now necessary to enter the following information in to the next step of the ClickView Active Directory Connector Setup Wizard.
Your institutions unique API key - This will have been provided to you by ClickView, if you do not have a copy of it, please contact ClickView Support to obtain it
Your School name - Your full school name
Active Directory Address - This should be the IP or DNS name of your Active Directory Domain Controller (DC) that you are setting the ClickView Active Directory Connector (ADI) to bind to
Edit Groups - This should be set to a Security or Distribution group that already exists within your Active Directory setup. Any user wishing to access the Administration side of the ClickView Active Directory Connector will need to be a direct member (nested groups are not supported) of this group. ClickView recommends this is set to an administrative group within your AD structure at the institution such as 'Administrators' or 'Domain Admins' to prevent unauthorised access.
Example of how settings should be structured during input
Click 'Next' to proceed
7. You will now be presented with the option to specify whether the ClickView Active Directory Connector Setup requires a proxy server to be defined in order to reach the internet
If a proxy server is required for upstream access, simply define the 'Proxy Address' and 'Port' within the setup wizard.
Note: If your proxy server requires user authentication for upstream access, ClickView recommends that the following entry is whitelisted on your proxy server - 'sso.clickview.com.au' this is required to be whitelisted, as it is not currently possible to define proxy authentication within an IIS configuration web file.
8. You can now change where the ClickView Active Directory Connector setup is installed to. Once you have selected the appropriate installation directory, click 'Next' and 'Install' to commence the installation.
9. When the installation completes you will receive a message confirming that the ClickView Active Directory Connector Setup Wizard has completed.
You will be prompted to restart your server. ClickView recommends you restart the server immediately before proceeding with the configuration of the ClickView Active Directory Connector Setup Wizard
1. It is necessary to ensure that the 'Custom Account' defined during the installation of the ClickView Active Directory Connector setup has full control to the ClickView Active Directory Setup installation directory. To confirm this, click on 'Start' > 'Administrative Tools > 'Internet Information Services (IIS) Manager' > within the start page of IIS expand the server name > 'Sites' > you will see the ClickView Active Directory Connector Setup listed within here, right-click on this site > 'Edit Permissions'
This will present you with the installation directory properties, click on the 'Security' tab and click 'Edit'
This will present you with the 'Security' objects permissions. Ensure that the 'Custom Account User' which was specified during the initial install of the ClickView Active Directory Connector Setup is added and granted 'Full Control' Once this user has been added click 'Apply' and then 'OK'
2. We are now ready to configure the ClickView Active Directory Installer Group Mappings. To access this, launch a browser and type in the computer name or IP address of the server which the ClickView Active Directory Connector has been installed to - this should take you to the default Sign in Page for the ClickView Active Directory Connector.
If you are doing this on the server which you have installed the ADI module on to, you can use 'http://localhost' (as done in the example below)
Note: Please ensure you are using Internet Explorer 11 or higher, Firefox 23.0 or higher or Google Chrome 30.0 or higher when setting the Group Mappings
Add the following on to the 'http://' address '/admin/index' so the above example URL would now become 'http://localhost/admin/index' This will present you with the following page:
Click on the 'Customise group mapping' page:
This will present you with a list of predefined Year Groups - Kindergarten to Staff
We now need to assign the predefined ClickView Active Directory Connector Year Groups to your institutions Active Directory groups. To do this click on the predefined year groups that you wish to assign a group to and it should present you with a list of all the available Security and Distribution groups that your Active Directory Domain Controller (DC) contains. To locate the specific group(s) that you wish to add to the predefined year groups, simply start typing in the name of the group -in our case we have an Active Directory Security group named 'Year7' which we are going to tie to the 7 predefined Year 7 group.
Note: You can add as many Active Directory Groups in to the predefined Year groups as is necessary for your institution. If you run a 'Nested' Active Directory Environment. You will need to assign all the groups that encompass the nestings, in to the mappings individually, as nested groups are not currently supported within the ClickView Active Directory Connector (ADI) software.
Once you are satisfied that all AD groups which contain the users who be accessing ClickView using SSO have been added. Click on 'Save'
You will be presented with a message confirming the group mappings have been successfully saved.
3. Browse back to the default sign-in page for the ClickView Active Directory Installer, we should now be able to login using our network credentials:
If the specified credentials are correct the user should be authenticated to ClickView Online.
Note: there are multiple access methods available for authentication once the ClickView Active Directory Connector setup has been setup. For more information on this please follow this tutorial
The next step is to set up the maximum permitted rating within ClickView Online. This will determine which content users can see and can be used to ensure students do not material which is not suitable for them to watch. To achieve this, browse to your region's ClickView Online default sign-in page.
For Australian customers this will be https://online.clickview.com.au for New Zealand customers the address is https://online.clickview.co.nz. For United Kingdom customers this will be https://online.clickview.co.uk.
Login to ClickView Online using your institutions ClickView Online Account Administration details - if you are unsure of what these are, contact ClickView Customer Service to obtain them.
Once you are logged in click on 'Manage Users' > 'Manage Group Access' you will be presented with the same list of predetermined year groups that were seen during the Group Mappings configuration of the ClickView Active Directory Connector.
Set the maximum permitted rating of each year group to an appropriate value and then click on 'Save'
The video ratings are set from within the ClickView Publisher software. If your content does not have a rating, it will only appear for those with ‘Unrestricted’ group access. ClickView recommends that you verify the rating of all content within your ClickView setup to ensure it is correct and allows for the appropriate content access.
Note: The ratings page will differ depending on which region your institution is located.
It is possible to fully customise the sign in page that the ClickView Active Directory Connector uses. By default, this is what the ClickView Active Directory Connector Sign-in page displays as
1. To customise this, browse to the administration page for the ClickView Active Directory Connector and select 'Customise SSO sign in screen'
2. You will be presented with the login screen within a HTML editor. From here you can choose to edit the layout visually, or edit the layout through the HTML source code.
3. Once you have finished your editing, click the Save button.
4. Your login page has own been saved.
Adding your institution's SSO URL to ClickView Online Management is a crucial step, as it allows your institution's SSO URL to be actively utilised within many ClickView products, such as the ClickView App for iOS and Android, and the ClickView App for Windows and Mac OS X. ClickView Online can be set up to redirect automatically to your institution's SSO URL for login once a user has input their e-mail address into the SSO sign-in box; as seen in the screenshot below.
1. Log into your institution's ClickView Online Management account (Administrator Account) via ClickView Online.
2. At the top of the page, click 'Library Management'. Below this, click on 'SSO Management'. In the drop down box with the text 'Please select IdP', select 'ADI'. The screenshot below illustrates this.
3. Add your institution's SSO URL within the 'SSO login page url' textbox. Ensure that you add your institution's full SSO URL, including the protocol (https:// or http://). Click 'Save' to the right of the textbox for confirmation.
4. E-mail ClickView Technical Support with a list of your institution's e-mail domains. This will ensure that when a user enters an e-mail address into the SSO sign in page, it will automatically redirect them to your institution's unique SSO URL for log in. This is a crucial step for ease of use for users using the ClickView App (for all platforms). The below screenshot can be used as a template when e-mailing ClickView Technical Support with your institution's e-mail domains.
Hello ClickView Technical Support,
Myschool has just recently set up SSO for use at our institution. We have made our SSO URL publicly accessible (so it is accessible outside of our school network for users to log into ClickView Online) and we have added the unique SSO URL in Myschool’s ClickView Online Management.
Here is a list of email domains our institution uses, so you are able to set up email domain redirects from ClickView Online to our school’s unique SSO address.
Our students use: @students.myschool.edu.au
Our teachers use: @staff.myschool.edu.au
Other users use: @myschool.edu.au
Thank you and kind regards,
New SSO User
Note: A different log in page will be displayed for mobile devices. A mobile friendly log in page will be displayed when accessing ClickView Online from a mobile platform (iOS and Android).
In order to allow your IIS page to be accessible via a HTTPS (secure) connection, an SSL certificate will need to be installed onto the server. An SSL certificate will need to be purchased from a vendor (i.e. VeriSign, DigiCert etc.). Depending upon your institution, SSL certificates may be provided by a governing body, rather than individually purchased and created.
1. Obtain an SSL certificate (.cer file).
2. From the start screen, click or search for 'Internet Information Services (IIS) Manager'. Open it.
3. Click on the name of your server in the left hand pane.
4. In the centre pane, double-click on 'Server Certificates'
5. In the right hand pane under 'Actions', click 'Complete Certificate Request...' to open the Certificate Wizard.
6. The 'Complete Certificate Request' window should be displayed. Click on the '...' under 'File name containing the certification authority's response:'. Browse to the '.cer' file. Set a 'friendly' name for the certificate to distinguish the certificate from other certificates which may be installed on the server. The below screenshot uses 'yourdomain.com'. This name is not governed by the certificate itself and is simply used for identification purposes for the system administrator when binding the certificate to an IIS page. Specify the suitable certificate store for the new certificate; generally, 'Personal' is used. Click 'OK' to begin the installation.
1. Once the certificate has been installed. Ensure you are in the 'Internet Information Services (IIS) Manager'. Click to expand 'Sites' within the left hand pane.
2. In the right hand pane below 'Actions', click 'Bindings...'.
3. Within the site bindings window, click 'Add...'
4. Under 'Type:', within the dropdown menu, click 'https'. It is generally preferable to set 'IP address:' to 'All Unassigned' to ensure all IP addresses are covered if being used on multiple NICs. Port 443 is also generally used for SSL connections. The 'Host name:' is the URL of the SSO log on page. Leave 'Require Server Name Indication' unticked.
NOTE: If you would like to only allow HTTPs connections to the SSO login page, it is recommended to remove the HTTP binding from the 'Site Bindings' window.
5. Click 'OK' to finalise the assignment of the SSL certificate. The SSO login page for your institution should now be configured to accept secure connections.