How can I set up SSO between my school and Grok?
Grok Learning supports SAML2 for SSO. Most mainstream Identity Providers support SAML2. The largest providers are Azure AD (Microsoft), ADFS (Microsoft), and G Suite (Google). If your institution has a way to provide SAML2 access, our SSO team can help you set up SSO to Grok.
The following documentation is designed for system/network/IAM administrators.
If you have any questions about any of the following, please contact our SSO team at firstname.lastname@example.org.
The process for setting up SSO is as follows:
- Create the SAML2 application/integration/config in your Identity Provider
- Contact the Grok Learning SSO team at email@example.com, providing:
  - your metadata URL(s)
  - the SAML attributes you've configured
  - a high resolution image of your school crest for https://groklearning.com/login/sso/
- Test the integration on staging
- Get approved by the Grok Learning SSO team
- After it's been deployed to production, test it again on production as a sanity check.
When setting up SSO to Grok, you will first be asked to set up an SSO connection to the Grok Learning staging environment, so that the Grok SSO team can check that your integration is working as expected. Once they've given you the green light, you will then be asked to add another integration to the Grok Learning production environment. You won't be able to access production until the SSO team has approved the integration in staging.
Minimum requirements for SAML2 SSO
In order for your institution to be able to do SAML2 SSO with Grok, your Identity system must fulfil the following requirements:
- Each user must have a name and an email address.
- You must have a way to distinguish between students and teachers. This could be based on group membership, based on email domain, or something else.
- You must have a way to identify the scholastic year of students, that's consistent across time (e.g. this particular group ID or field will always indicate that the incoming student is in grade 10).
If these things are true, and you have a way to provide SAML2 SSO, then you should be right to set up SSO to Grok.
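A pre-flight check for the minimum requirements above, as an added example that is not part of Grok Learning's documentation or code. The attribute names (displayName, email, role, yearLevel), the role values and the sample assertion are assumptions constructed for illustration; the check inspects attribute content only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical attribute names and role values: substitute the ones you
# configured in your Identity Provider.
NAME, EMAIL, ROLE, YEAR = "displayName", "email", "role", "yearLevel"
KNOWN_ROLES = {"student", "teacher"}

# Constructed sample: AttributeStatement from a decoded test-login assertion.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="displayName">
    <saml:AttributeValue>Sam Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>sam@school.example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role">
    <saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="yearLevel">
    <saml:AttributeValue>10</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def read_attributes(xml_text):
    """Return {attribute name: [non-empty values]} from an AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def check_requirements(attrs):
    """Return a list of problems; an empty list means the minimums are met."""
    problems = [f"missing {key}" for key in (NAME, EMAIL) if not attrs.get(key)]
    roles = {r.lower() for r in attrs.get(ROLE, [])} & KNOWN_ROLES
    if not roles:
        problems.append("cannot tell student from teacher")
    if "student" in roles and not attrs.get(YEAR):
        problems.append("student without scholastic year")
    return problems


if __name__ == "__main__":
    print(check_requirements(read_attributes(SAMPLE)) or "minimum requirements met")
```

Run it against test logins for at least one teacher and one student from each year group, and only on assertions produced by your own Identity Provider.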
Setting up SAML2 SSO
To set up the integration in your Identity Provider, you will need our SAML2 metadata XML. The XML for staging differs from the XML for production. Our SAML2 metadata can be found at the following locations:
- Staging: https://dev.groklearning.com/sso/saml2/metadata (if you're using ADFS, use https://dev.groklearning.com/sso/saml2/metadata?download=true instead)
- Production: https://groklearning.com/sso/saml2/metadata (if you're using ADFS, use https://groklearning.com/sso/saml2/metadata?download=true instead)
Please follow one of the following guides for setting up SAML2 SSO.
Note that these guides are aimed at single-school integrations. If you are providing SSO for more than a single school (e.g. you're a state Department of Education), please contact our SSO team to discuss how to send through school identifiers for your jurisdiction.
Guides for setting up SAML2 SSO
- I'm using Azure AD (Microsoft, Cloud)
- I'm using ADFS (Microsoft, On-prem): we don't currently have a specific guide for ADFS. Please see "I'm using something else" below.
- I'm using G Suite (Google, Cloud): we don't currently have a specific guide for G Suite. Please see "I'm using something else" below.
- I'm using something else