Azure AD SSO

This article will provide guidance to configure SSO for ClickView Online with Microsoft Azure Active Directory. This is the underlying platform for servicing Office365 subscriptions. 

Important Note: If the implementation of Single Sign-On at your institution will lead to a change in e-mail addresses for users, please inform ClickView Technical Support when sending your completed SSO setup information so that we can migrate existing user data such as Workspaces and Playlists.

You will need to fill in and provide the SSO Onboarding document once the configuration is complete.

If you are not sure of this, please contact ClickView Technical Support for further guidance prior to commencing the SSO setup.

Additionally, please ensure that your users are assigned to appropriate Staff and K-12/13 year groupings as they will be necessary to complete the onboarding document. If you need to create custom groups for (e.g.) 'AllStaff' or 'Year 6' students, now is the appropriate time to do this. If you use ADConnect software to synchronise user groups from your on-premise AD, please ensure that this is done correctly, and that all users are properly added as members of the respective groups. This document does not go into detail on the workings of ADConnect. 

Please select your region:

AU Region:

Application Registration

1. Sign in to Portal Azure via https://portal.azure.com and open the App Registration section by selecting the App registrations option (not the App registrations (Legacy) section. Within this section, you'll need to select "New Registration"

mceclip1.png

 

2. Opening the New Registration section will open the below section. Within this section, you'll need to define a name for the application itself, and decided which Account types will be able to use the connection. We recommend the following details:

Name: ClickView Online
Supported Account Types: Accounts in this organizational directory only

Redirect URI: https://saml-in4.clickview.com.au/Shibboleth.sso/SAML2/POST

Once you've entered these details you'll need to click the Register button at the bottom of the section.

mceclip2.png

3. This will open the below application view, this contains all of the details and settings you'll make use of to customise the connection between Azure and ClickView. To complete the setup however you'll need to browse to the branding option highlighted below.

chrome_2019-06-14_17-31-12.png

Within this section you'll need to populate the following details:

HomePage URL: https://saml-in4.clickview.com.au/Shibboleth.sso/CLICK5678

Once this has been done you'll need to select Save at the top of this section.

NOTE: The HomePage URL is https://saml-in4.clickview.com.au, followed by '/Shibboleth.sso/' and then your ADM username.

e.g. https://saml-in4.clickview.com.au/Shibboleth.sso/CLICK5678

If you do not know your ADM username, please contact ClickView Customer Support and they can provide this information to you.

4. Once you've completed Step 3, you'll need to move to the authentication tab, this will open the below section. As you'll be able to see it already contains our redirect URL that we specified when creating the registration.

Within this section all you'll need to do is update the Logout URL to be the following:

Logout URL: https://login.windows.net/common/oauth2/logout

mceclip3.png

5. Now we will need to move to the Expose an API section and set the Application ID URI, which can be found in the highlighted section below. The Application ID URI will need to be set to the following, and will overwrite the default GUID displayed in this section initially:

Application ID URI: https://saml-in4.clickview.com.au/Shibboleth

chrome_2019-06-14_17-44-50.png

6. Almost there, now we need to move to the Manifest section which can be accessed from the left nav, within the Manifest the following values will need to be updated to the following.

"appRoles": [],

"groupMembershipClaims": "SecurityGroup",

Once this has been done you'll need to save the manifest itself, by clicking the save button at the top of the section. We're now done!

Onboarding

We now move to the on-boarding part of the setup: retrieving the Federation Metadata endpoint, and the object IDs for each of the groups that will be used to determine which year level the user belongs to or if they are a staff member. Please add this information to your SSO on-boarding form.

Institute's Metadata URL (Federation Metadata endpoint)

This can be retrieved by navigating back to the Overview page for the application, and selecting the endpoints option highlighted in the window below, this will open a side pane and you can find the desired endpoint for onboarding highlighted in red below.

 chrome_2019-06-14_17-52-45.png

Group Mappings

Group Mappings (Object IDs) allow us to determine the group membership for a user, and using that point them towards the correct year group within ClickView itself. To obtain these you'll need to navigate back to the Azure Active Directory section and then open the Groups tab.

This tab will list all of the groups it's a matter of finding the security groups that encompass an entire year level, and the groups that encompass all of the staff members that will be making use of ClickView.

Once these have been found it's a matter of selecting the security group and then opening the properties tab, within this tab you'll need to pull back the value highlighted below for each of the Year groups.


chrome_2019-06-14_17-58-59.png

UK Region

Application Registration

 

1. Sign in to Portal Azure via https://portal.azure.com and open Azure Active Directory then the App registrations section. Within this section, you'll need to select "+ New registration"
mceclip1.png

 

2. Opening the New Registration section will open the below window. Within this section you'll need to define a name for the application itself, and decide which account types will be able to use the connection. We recommend the following details:

Name: ClickView Online
Supported Account Types: Accounts in this organizational directory only

Redirect URI: https://saml-in2.clickview.co.uk/Shibboleth.sso/SAML2/POST

Once you've entered these details you'll need to click the Register button at the bottom of the section.

mceclip2.png

 

3. This will open the below application view. This contains all of the details and settings you'll use to customise the connection between Azure and ClickView. To complete the setup you'll need to browse to the Branding option highlighted below.

chrome_2019-06-14_17-31-12.png

Within this section you'll need to populate the following details:

HomePage URL: https://saml-in2.clickview.co.uk/Shibboleth.sso/CLICK5678

NOTE: The HomePage URL is https://saml-in2.clickview.co.uk, followed by '/Shibboleth.sso/' and then your ADM username.

e.g. https://saml-in2.clickview.co.uk/Shibboleth.sso/CLICK5678

If you do not know your ADM username, please contact ClickView Customer Support and they can provide this information to you.

4. Once you've completed Step 3, you'll need to move to the Authentication tab. As you'll be able to see it already contains our redirect URL that we specified when creating the registration.

Within this section all you'll need to do is update the Logout URL to be the following:

Logout URL: https://login.windows.net/common/oauth2/logout

mceclip3.png

 

5. Now we will need to move to the Expose an API section, and set the Application ID URI, which can be found in the highlighted section below. The Application ID URI will need to be set to the following, and will overwrite the default GUID displayed in this section initially:

Application ID URI: https://saml-in2.clickview.co.uk/Shibboleth

chrome_2019-06-14_17-44-50.png

6. Almost there, now we need to move to the Manifest section which can be accessed from the left nav, within the Manifest the following values will need to be updated to the following:

"appRoles": [],

"groupMembershipClaims": "SecurityGroup",


Once this has been done you'll need to Save the manifest itself, by clicking the save button at the top of the section.

Onboarding

We now move to the on-boarding part of the setup: retrieving the Federation Metadata endpoint, and the object IDs for each of the groups that will be used to determine which year level the user belongs to or if they are a staff member. Please add this information to your SSO on-boarding form.

Institute's Metadata URL (Federation Metadata endpoint)

This can be retrieved by navigating back to the Overview page for the application, and selecting the endpoints option highlighted in the window below, this will open a side pane and you can find the desired endpoint for onboarding highlighted in red below.

 chrome_2019-06-14_17-52-45.png

Group Mappings

Group Mappings (Object IDs) allow us to determine the group membership for a user, and using that point them towards the correct year group within ClickView itself. To obtain these you'll need to navigate back to the Azure Active Directory section and then open the Groups tab.

This tab will list all of the groups it's a matter of finding the security groups that encompass an entire year level, and the groups that encompass all of the staff members that will be making use of ClickView.

Once these have been found it's a matter of selecting the security group and then opening the properties tab, within this tab you'll need to pull back the value highlighted below for each of the Year groups.


chrome_2019-06-14_17-58-59.png

NZ Region

Application Registration

1. Sign in to Portal Azure via https://portal.azure.com and open the App Registration section by selecting the App registrations option (not the App registrations (Legacy) section. Within this section, you'll need to select "New Registration"

mceclip1.png

2. Opening the New Registration section will open the below section, within this section you'll need to define a name for the application itself, and decided which Account types will be able to use the connection. We recommend the following details:

Name: ClickView Online
Supported Account Types: Accounts in this organizational directory only

Redirect URI: https://shibboleth.clickview.co.nz/Shibboleth.sso/SAML2/POST

Once you've entered these details you'll need to click the Register button at the bottom of the section.

mceclip2.png

3. This will open the below application view, this contains all of the details and settings you'll make use of to customise the connection between Azure and ClickView. To complete the setup however you'll need to browse to the branding option highlighted below.

chrome_2019-06-14_17-31-12.png

Within this section you'll need to populate the following details:

HomePage URL: https://shibboleth.clickview.co.nz/Shibboleth.sso/CLICK5678

Once this has been done you'll need to select Save at the top of this section.

NOTE: The HomePage URL is https://shibboleth.clickview.co.nz, followed by '/Shibboleth.sso/' and then your ADM username.

e.g. https://https://shibboleth.clickview.co.nz/Shibboleth.sso/CLICK5678

If you do not know your ADM username, please contact ClickView Customer Support and they can provide this information to you.

4. Once you've completed Step 3, you'll need to move to the authentication tab, this will open the below section. As you'll be able to see it already contains our redirect URL that we specified when creating the registration.

Within this section all you'll need to do is update the Logout URL to be the following:

Logout URL: https://login.windows.net/common/oauth2/logout

mceclip3.png

5. Now we will need to move to the Expose an API section, and set the Application ID URI, which can be found in the highlighted section below. The Application ID URI will need to be set to the following, and will overwrite the default GUID displayed in this section initially:

Application ID URI: https://shibboleth.clickview.co.nz/Shibboleth

chrome_2019-06-14_17-44-50.png

6. Almost there, now we need to move to the Manifest section which can be accessed from the left nav, within the Manifest the following values will need to be updated to the following.

"appRoles": [],

"groupMembershipClaims": "SecurityGroup",


Once this has been done you'll need to save the manifest itself, by clicking the save button at the top of the section. We're now done!

Onboarding

We now move to the on-boarding part of the setup: retrieving the Federation Metadata endpoint, and the object IDs for each of the groups that will be used to determine which year level the user belongs to or if they are a staff member. Please add this information to your SSO on-boarding form.

Institute's Metadata URL (Federation Metadata endpoint)

This can be retrieved by navigating back to the Overview page for the application, and selecting the endpoints option highlighted in the window below, this will open a side pane and you can find the desired endpoint for onboarding highlighted in red below.

 chrome_2019-06-14_17-52-45.png

Group Mappings

Group Mappings (Object IDs) allow us to determine the group membership for a user, and using that point them towards the correct year group within ClickView itself. To obtain these you'll need to navigate back to the Azure Active Directory section and then open the Groups tab.

This tab will list all of the groups it's a matter of finding the security groups that encompass an entire year level, and the groups that encompass all of the staff members that will be making use of ClickView.

Once these have been found it's a matter of selecting the security group and then opening the properties tab, within this tab you'll need to pull back the value highlighted below for each of the Year groups.


chrome_2019-06-14_17-58-59.png