Frontline Inventory & Help Desk Management

Classlink SAML 2.0 SSO Setup

You can set up SAML 2.0 single sign-on (SSO) in ClassLink for Frontline Asset Management and Asset Management Mobile. This article provides the required SSO setup checklist, ClassLink configuration details, SAML endpoints, roles and groups, user account requirements, claims, metadata, and information districts must send to their Frontline Implementation Project Manager.

Checklist

From Frontline

Frontline has set up or created the following items to kick off the SSO setup.

1. Relying Party Identifier (Assertion Consumer) URL for Desktop: https://HayesURL/TIPIDCore/
2. Relying Party Identifier (Assertion Consumer) URL for Mobile: https://HayesURL/TIPWebITMobile-Logon/
3. SAML 2.0 Endpoint for Desktop: https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx
4. SAML 2.0 Endpoint for Mobile: https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer
5. Your school’s primary email domain: DistrictDomainName

From DistrictName

The following items must be completed and sent to Frontline for the SSO setup to be successful.

1. Create user groups in ClassLink
2. Create a Frontline user in your ClassLink
3. Send the Frontline user credentials to your Frontline Implementation Project Manager
4. Add Relying Party Identifiers (Assertion Consumers) for both desktop and mobile
5. Add SAML 2.0 Endpoints for both desktop and mobile
6. Ensure the correct claim values are set up in ClassLink
7. Set up a Claims Rule for the Relying Party
8. Generate the ClassLink Metadata file or URL
9. Generate the entity ID used by ClassLink
10. Generate the certificate used to sign SAML 2.0
11. Send the ClassLink Metadata file or URL to your Implementation Project Manager

SAML 2.0 SSO Setup Overview

When we ask our customers to set up an SSO endpoint in their ClassLink using the SAML 2.0 protocol for a Frontline application, we send them the application Identifier (Entity ID), the Reply URL (Assertion Consumer Service), the Metadata XML, the roles to be created in their ClassLink, and the list of Attributes and Claims needed by the Frontline Asset Management application.

In return, after setting up the SSO endpoint, the customer sends us the ClassLink Enterprise Application SAML Login URL, the ClassLink SAML Metadata URL or XML, the SAML Certificate and the X509/Base64 certificate thumbprint. Additionally, the customer will create, set up, and send Frontline the test/support account (username/domain and password) in their ClassLink.

Complete and Send to Frontline

These must be filled in and sent to your Frontline Implementation Project Manager.

Asset Management

  • ClassLink SAML Login URL for Asset Management
  • ClassLink SAML Metadata URL or XML for Asset Management
  • ClassLink SAML X509/Base64 Certificate for Asset Management
  • ClassLink SAML Certificate Thumbprint for Asset Management

Asset Management Mobile

  • ClassLink SAML Login URL for Asset Management Mobile
  • ClassLink SAML Metadata URL or XML for Asset Management Mobile
  • ClassLink SAML X509/Base64 Certificate for Asset Management Mobile
  • ClassLink SAML Certificate Thumbprint for Asset Management Mobile

Account Information

  • Frontline’s account username in your ClassLink for Asset Management and Asset Management Mobile
  • Frontline’s account password in your ClassLink for Asset Management and Asset Management Mobile

Set Up Roles or Groups

Frontline Asset Management products must have the following roles (group names) set up in ClassLink, and those group names must be sent as plain text in the “role” attribute/claim of the SAML response to the Asset Management application.

TIPWEBIT_ADMINVIEW_ADMIN: An administrative user with admin-level permissions
TIPWEBIT_ADMINVIEW_USER: An administrative user with similar rights to the admin user, except for a few application maintenance features
TIPWEBIT_SITEVIEW_ADMIN: A site-level administrator who only has access to their site data
TIPWEBIT_SITEVIEW_USER: A site user who can only work with their site data
TIPWEBIT_LOOKUPVIEW_USER: A view that is only used to look up tags existing in Asset Management

Create an Account for Frontline Asset Management

Create an SSO account for Frontline Asset Management support users in your ClassLink. Create the following user in your ClassLink for Frontline Support Staff with a password that does not expire.

Username: FrontlineSupport
Given Name: Support
Surname: Frontline
Password: (set a password that does not expire)
Email address: FrontlineSupport@DistrictDomainName
Phone: 800-495-5993
Role: TIPWEBIT_ADMINVIEW_ADMIN

Note: All the above fields are mandatory. If these are not populated or created in the account, Help Desk Management will not work.

Add Permissions to ClassLink Account

  1. Add this new account to the ClassLink “TIPWEBIT_ADMINVIEW_ADMIN” group.
  2. Ensure that this account has access to view the ClassLink SAML SSO Asset Management app that you created.

Set Up Asset Management Endpoints

Web/Browser

Set up a new, separate enterprise application endpoint in your ClassLink to allow Asset Management on the web/browser to authenticate the user. Here is what you will need:

  • Application Identifier (Entity ID): https://HayesURL/TIPIDCore/
  • Reply URL (Assertion Consumer Service URL): https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx
  • Metadata XML (the entityID and Location values must match the Entity ID and Reply URL above character for character, with no leading or trailing spaces):

    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         entityID="https://HayesURL/TIPIDCore/">
        <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                         Location="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
                                         index="1"></md:AssertionConsumerService>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>

Mobile

Set up a new, separate endpoint in your ClassLink (the SSO IdP) to allow Asset Management Mobile to authenticate the user. Here is what you will need:

  • Application Identifier (Entity ID): https://HayesURL/TIPWebITMobile-Logon/
  • Reply URL (Assertion Consumer Service URL): https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer
  • Metadata XML (the entityID and Location values must match the Entity ID and Reply URL above character for character, with no leading or trailing spaces):

    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         entityID="https://HayesURL/TIPWebITMobile-Logon/">
        <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                         Location="https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer"
                                         index="1"></md:AssertionConsumerService>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>

Common Settings to Both Web and Mobile

List of Attributes and Claims

<!-- The attribute-name format belongs in NameFormat; Name carries the field name used in step 8 of the setup. -->
<md:RequestedAttribute isRequired="true" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="givenname" FriendlyName="Given Name"/>
<md:RequestedAttribute isRequired="true" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="surname" FriendlyName="Surname"/>
<md:RequestedAttribute isRequired="true" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="name" FriendlyName="name"/> <!-- maps to UserName -->
<md:RequestedAttribute isRequired="true" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="email" FriendlyName="email"/>
<md:RequestedAttribute isRequired="false" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="phone" FriendlyName="Phone"/>
<md:RequestedAttribute isRequired="true" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="role" FriendlyName="Role"/>

Metadata Overrides

  • NameId Format = emailAddress
  • NameId Value = Email

Note: The “Role” attribute must carry the user’s Role or Group name that you set up earlier, spelled exactly as listed above. Your IdP must not send any other value in this attribute or field, such as a Group ID, GUID, or UID.

Sample SAML Request and Response

Request SAML

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id" Version="2.0" IssueInstant="datetime" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx" Destination="https://__your_SSO_Login_URL__">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://HayesURL/TIPIDCore/</saml:Issuer>
</samlp:AuthnRequest>

Response SAML

The SSO IdP must send back a SAML response to Asset Management. It will look similar to the following (the sample was captured from an Azure AD IdP, so the Issuer value will differ for ClassLink; the Destination, Recipient, Audience, NameID format and attributes are what matter):

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id" Version="2.0" IssueInstant="datetime" Destination="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx" InResponseTo="id">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="id" IssueInstant="datetime" Version="2.0">
        <Issuer>https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <Reference URI="#_6cf241dc-38c0-4881-9b8b-cd751eda6701">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <DigestValue>...</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>...</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>...</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tipweb_it@DistrictDomainName</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="id" NotOnOrAfter="datetime" Recipient="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"/>
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="datetime" NotOnOrAfter="datetime">
            <AudienceRestriction>
                <Audience>https://HayesURL/TIPIDCore/</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>...
            <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>Hayes Support</AttributeValue>
            </Attribute>...
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>Hayes</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Support</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>tipweb_it@DistrictDomainName</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>tipweb_it@DistrictDomainName</AttributeValue>
            </Attribute>
            <Attribute Name="role">
                <AttributeValue>TIPWEBIT_ADMINVIEW_ADMIN</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="datetime" SessionIndex="id">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>
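The sample response above and the earlier note on the “Role” attribute spell out what the Asset Management SP must receive. As an added example (not Frontline or ClassLink code), the following Python check tests a SAML Response against those values, using the article's placeholder host HayesURL and a constructed sample assertion; it assumes the SP's SAML library has already verified the XML signature and timestamps.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Desktop SP values from the article (HayesURL is the article's placeholder host).
ENTITY_ID = "https://HayesURL/TIPIDCore/"
ACS_URL = "https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The only values the "role" claim may carry: the article's group names.
GROUPS = {"TIPWEBIT_ADMINVIEW_ADMIN", "TIPWEBIT_ADMINVIEW_USER", "TIPWEBIT_SITEVIEW_ADMIN",
          "TIPWEBIT_SITEVIEW_USER", "TIPWEBIT_LOOKUPVIEW_USER"}
REQUIRED = ("givenname", "surname", "email", "role")  # field names from step 8


def check_response(xml_text):
    """List mismatches against the article's requirements (signature verification
    is assumed to have been done already by the SP's SAML library)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Reply URL (ACS)")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["Response carries no Assertion"]
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FMT:
        problems.append("NameID Format is not emailAddress (see Metadata Overrides)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not match Entity ID {ENTITY_ID!r}")
    # Key attributes by the last path segment so both "role" and ".../claims/role" match.
    attrs = {att.get("Name", "").rsplit("/", 1)[-1].lower():
             [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} is missing or empty")
    for role in attrs.get("role", []):
        if role not in GROUPS:
            problems.append(f"role {role!r} is not a TIPWEBIT_* group name (IDs/GUIDs are rejected)")
    return problems


# Constructed sample in the shape of the article's response (Signature omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx">
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">FrontlineSupport@DistrictDomainName</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 Recipient="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://HayesURL/TIPIDCore/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Support</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="surname"><saml:AttributeValue>Frontline</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="email"><saml:AttributeValue>FrontlineSupport@DistrictDomainName</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="role"><saml:AttributeValue>TIPWEBIT_ADMINVIEW_ADMIN</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE)` returns an empty list; a response whose role carries a GUID, or whose Audience has a stray slash or space, is reported by name so the mismatch can be fixed in the ClassLink connector rather than debugged from a generic login failure.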

Setting up ClassLink SAML SSO

To integrate ClassLink SAML SSO with Frontline Asset Management, you must have a valid ClassLink account. If you do not have a ClassLink account, you can review ClassLink Services.

You can obtain further support for setting up ClassLink by watching the "Understanding Key ClassLink SSO Concepts" video.

The following steps allow Frontline to configure Asset Management for SSO with your ClassLink instance. They are described in detail in the following sections.

  1. Create ClassLink groups or roles for Asset Management and Mobile SSO.
  2. Create a ClassLink account for Frontline Asset Management support users.
  3. Add a ClassLink SAML SSO app for each product (Asset Management and Mobile).
  4. Assign the users and groups to the apps.
  5. Generate the apps’ login URLs, certificates, and thumbprints.
  6. Send the ClassLink account and credentials, as well as the IdP details, to your Implementation Project Manager.

Steps

  1. Navigate to https://launchpad.ClassLink.com/login. Log in to your district’s ClassLink Launchpad page: https://launchpad.ClassLink.com/<<yourdistrict>>
    • Sign in using ClassLink administrator credentials for your district.
  2. In your LaunchPad, open ClassLink Management Console.
  3. In the new tab that opens, click Single Sign On, which unfurls a menu of options. Select SAML Console. A new "ClassLink SAML Console" tab opens.
  4. Click ADD NEW in the top menu. The "Add New Service Provider" form will appear.
  5. Enter Frontline Asset Management as the "NAME."
  6. Below the "METADATA URL" text box, click the metadata text link. The text box’s label will change to "METADATA."

    • Paste the following into the METADATA text box:
    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         entityID="https://HayesURL/TIPIDCore/">
        <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
            <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                         Location="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
                                         index="1"></md:AssertionConsumerService>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>

  7. Add the additional data:
    • Login URL: Your district’s ClassLink name/ID
    • Use Custom Certificate for Signing: Do not check this.
  8. Select attributes to add:
    1. Given Name: Add the ClassLink attribute "Given Name" from the dropdown. No transformations. Name the field givenname (all lowercase, no spaces).
    2. Family Name: Add the ClassLink attribute "Family Name" from the dropdown. No transformations. Name the field surname (all lowercase, no spaces).
    3. Email: Add the ClassLink attribute "Email" from the dropdown. No transformations. Do not change the field name (leave it as "email"; all lowercase, no spaces).
    4. Phone: Add the ClassLink attribute "Phone Number" from the dropdown. No transformations. Do not change the field name (leave it as "phone"; all lowercase, no spaces).
    5. Role: Add the ClassLink attribute "Role" from the dropdown. No transformations. Do not change the field name (leave it as "role"; all lowercase, no spaces).
  9. Scroll down to the "Metadata Overrides" section. In the "SELECT FIELDS TO OVERRIDE" dropdown menu, select NameId Format. A new "NameId Format" dropdown menu will appear with a default value of "emailAddress."
  10. Additionally, in the "SELECT FIELDS TO OVERRIDE" dropdown menu, select NameId Value. A new "NameId Value" dropdown menu will appear.
  11. In the "NameId Value" dropdown menu, select Email near the bottom of the dropdown menu list.
  12. Click Add to submit the form. You will be redirected to the "ClassLink SAML Console" page with a list of SAML Connectors. You should now see your Frontline Asset Management SAML configuration in the list.
  13. Click the caret (arrow) next to the SAML Connector called "Frontline Asset Management" that you just created.
  14. Click Copy IDP Initiate Login URL in the popup that appears. This will copy an important link to your clipboard. Paste and save this IDP Initiate Login URL somewhere, as you will need it in a later step.
  15. Navigate to https://launchpad.ClassLink.com/admin/#assignapp.
  16. Click the Add button. The "Add Application" window will appear.
  17. Enter Frontline Asset Management as the "Application Name."
  18. Select General in the "Category" dropdown menu.
  19. Toggle "Single Sign-On App" to Yes.
  20. Select SAML in the "Type" dropdown menu.
  21. Paste the IDP Initiate Login URL from the earlier step into the Web Address text box.
  22. Click Save to submit the form.
  23. Now that the app is created, ensure the app is assigned to all users who will access Asset Management from ClassLink. See this ClassLink guide for instructions on assigning applications to users.
  24. Navigate to https://myapps.ClassLink.com/home.
  25. Click the new Frontline Asset Management application to log in to Asset Management.
  26. Send the IDP Initiate Login URL to your Frontline Implementation Project Manager so Frontline can complete the integration. The URL will look similar to the following: https://idp.ClassLink.com/sso/select/YUswNmdOZFd6NXYZ

FAQ

Should I name the URLs, emails, file names, projects, and Azure settings exactly as documented here?

Yes. Please do not change them as Asset Management depends on the specific names that are requested here.

Who should all this information be sent to once it is set up?

These must be filled in and sent to your Frontline Implementation Project Manager.

Are there any special permissions that I need to give Asset Management or its user account?

No. All permissions are default ones, and the user account that you create will be for a regular user (not a technician or an administrator).

Can I use any other protocol or version instead of SAML 2.0?

No; at this stage, we do not support any other protocol except SAML 2.0.