Go to <Administration> | <Integration> | <SAML> for the settings of the 'SSO provider'.
How to define the settings of the WebUntis Identity Provider / SAML
- Define the attribute containing the user name used for WebUntis IDP. The selected attribute can be compared to user name or external user name in WebUntis.
- Please contact your WebUntis team regarding the attribute name or url ID you selected
- Transfer your IDP's meta data to your WebUntis team (Important: WebUntis only provides officially signed SSL certificates)
- Download WebUntis' meta data (https://name.webuntis.com/WebUntis/saml/metadata), and import them to your IDP.
- Your WebUntis team will import your meta data to your WebUntis SAML provider. Importing new meta data can take up to 24 hours.
- Enter your SSO provider in WebUntis under<Administration> | <Integration> | <SAML>, and save the settings.
Test your IDP / SSO provider
When you activate your SSO provider under <Administration> | <Integration> | <SAML>, the "SSO log in" button will be activated in the logged out area.
- Try to register via your SSO provider by clicking on the log in button.
- If log in is not successful, please contact our WebUntis support team to receive more information. When the log in was successful, continue with configuring SAML integration. in WebUntis.
Identification and automatic creation of a user
If you do not want dynamic creation of users, you can deactivate this feature by checking the "Create local user after successful authorisation" box. When you deactivate this option, only users can register who already have a user account in WebUntis.
The user role (teacher or student) can be defined by a comparison with a user attribute.
Comparison with an attribute
In this case, the entry in the "Person role" field identifies the role, e.g. The name of the attribute, which, for instance holds the role description, e.g. 'urn: oid: 126.96.36.199.5.6.1188.8.131.52.1', must be entered in the "SAML ID attribute" field. The user is then identified as teacher, when "teacher" is found as a description in the "urn: oid: 184.108.40.206.5.6.1220.127.116.11.1" attribute.
Identification of the role means that default rights can be defined. This is the reason why you need user groups, e.g. When attributes are compared to each other, the user group name must be identical with the entries in the "Person role" fields.
If no identical user group is found in WebUntis, the default user group is used.
Additional information is needed in order to identify the person. This information can be different for teachers and for students. Identification means that the system searches for an appropriate timetable element (teacher or student) for the user.
There are several possibilities to identify a person:
Single attribute: This method usually is the most effective one, since no comparison of names is necessary. However, this is not possible in all cases. This method compares an unambiguous value of a user's WebUntis field with the personal attribute in SAML.
Possible fields in WebUntis are:
- id - user name in WebUntis
- name - short name
- longName - surname
- Text - text field
- externKey - external ID
One of these fields is entered into hte "Element data ID field" field. The name of the attribute in LDAP is entered into the "SAML ID attribute" field. Example: The short name of a WebUntis teacher is saved in SAML under the attribute: "urn: oid: 18.104.22.168". "urn:oid:22.214.171.124" is therefore entered into the "SAML ID attribute" field and "name" in the "Element data ID field" field.
Attribute for last name and first name
This method uses the name for identification. Surname and first name must exist in different attribute in SAML. Both attributes are entered in the "SAML ID attribute", separated by a comma - first the attribute for the surname, and then the attribute for the first name.