SAML SSO - I'm using another system
Before you read these instructions, make sure you've read our guide: How can I setup SSO between my school and Grok?
This document provides a general guide for setting up SAML2 SSO with identity providers other than Azure AD. If you are using Azure AD, please access our specialized guide by selecting "I'm using Azure AD" in the previous FAQ for tailored instructions.
Guide for setting up SAML2 SSO: using another identity provider
As described in our metadata, here are the SAML attributes we've set up to receive information from SAML2 identity providers:
SAML2 attribute name (case sensitive) | Description | Example value |
gn (required) | The given name (first name) of the user. | Jan |
sn (required) | The surname (last name) of the user. | Doe |
cn | The common name (full name) of the user. | Janette Doe |
mail (required) | The email address of the user. This is assumed to be unique over time. | janette.doe@student.example.com |
uid | The username of the user within your Identity Provider. This is assumed to be unique over time. This attribute is mostly applicable to universities. | janette.doe |
guid (recommended) | The transparent primary key of the user within your Identity Provider. This is assumed to never change over time and is guaranteed to be unique. | af6697fd-f2d1-4e52-aee7-aa809fbb782e |
group | A multi-valued attribute that allows Grok to accept incoming groups. The SSO team can configure SSO to extract information from and/or use the group names to map to other attributes. | "8486099b-a236-44dc-a567-0e1da1964c50" "Class of 2029" "Teachers" |
yearLevel (required) | For students, their current scholastic year as a number between 0 and 13, inclusive. | 8 |
graduationYear | For students, the calendar year that will be their final year of schooling (their graduation year). | 2029 |
eduPersonAffiliation (recommended) | Either "student" or "staff", informing Grok whether the incoming user is a "Student" or "Teacher". | student |
While it's not necessary to provide all the above attributes, we do require the following essential information for each user to enable authorization:
- The user's persistent unique User ID (via guid or alternatively using the SAML2's NameID subject with a name format identifier of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
- The user's first name (via gn)
- The user's last name (via sn)
- The user's email address (via mail)
- Whether or not a user is a student or a teacher/staff (via group or alternatively eduPersonAffiliation)
- If a user is a student, what grade/year level is that student? (via yearLevel or graduationYear) If this information is not provided, the user's grade level will default to the maximum value for a particular country.
Additionally we will also need the following information
Although alternative attributes can technically be used to meet these objectives, we strongly recommend adhering to the specified attributes listed above. Deviating from these recommendations may require additional development efforts on our part, potentially leading to delays in your SSO integration.
If you're not sure where to start, populating the 'recommended' attributes is what we'd prefer, and will guarantee we have sufficient information to allow both students and teachers to be correctly configured.
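To check a test assertion from your identity provider against the essential-information list above before requesting integration, a script along these lines can help. It is an added example, not Grok's own code; the function names and the sample assertion are constructed for illustration, and it inspects attributes only (it does not verify signatures, so use it on locally generated test assertions).

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def _attr(name, value):
    # Helper for building the constructed sample below.
    return f'<s:Attribute Name="{name}"><s:AttributeValue>{value}</s:AttributeValue></s:Attribute>'

# Constructed, unsigned sample assertion (not real IdP output).
SAMPLE = (
    f'<s:Assertion xmlns:s="{NS["s"]}"><s:Subject>'
    f'<s:NameID Format="{PERSISTENT}">af6697fd-f2d1-4e52-aee7-aa809fbb782e</s:NameID>'
    '</s:Subject><s:AttributeStatement>'
    + _attr("gn", "Jan") + _attr("sn", "Doe")
    + _attr("mail", "janette.doe@student.example.com")
    + _attr("eduPersonAffiliation", "student") + _attr("yearLevel", "8")
    + '</s:AttributeStatement></s:Assertion>'
)

def read_attributes(xml_text):
    """Return ({name: [values]}, NameID Format or None); names stay case sensitive."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//s:Attribute", NS):
        vals = [(v.text or "").strip() for v in a.iterfind("s:AttributeValue", NS)]
        attrs.setdefault(a.get("Name"), []).extend(v for v in vals if v)
    name_id = root.find(".//s:Subject/s:NameID", NS)
    return attrs, (name_id.get("Format") if name_id is not None else None)

def check_assertion(xml_text):
    """List gaps against the essential information above; an empty list means OK."""
    attrs, fmt = read_attributes(xml_text)
    problems = [f"missing {n}" for n in ("gn", "sn", "mail") if not attrs.get(n)]
    if not attrs.get("guid") and fmt != PERSISTENT:
        problems.append("no guid and NameID format is not persistent")
    aff = attrs.get("eduPersonAffiliation", [])
    if any(a not in ("student", "staff") for a in aff):
        problems.append("eduPersonAffiliation must be student or staff")
    if not aff and not attrs.get("group"):
        problems.append("no group or eduPersonAffiliation")
    if "student" in aff:
        year = attrs.get("yearLevel", [])
        ok = year and year[0].isascii() and year[0].isdigit() and int(year[0]) <= 13
        if year and not ok:
            problems.append("yearLevel must be 0-13")
        elif not year and not attrs.get("graduationYear"):
            problems.append("student without yearLevel or graduationYear")
    return problems
```

Call check_assertion() on the decoded XML of a test assertion; each returned string names one piece of required information that is absent or malformed.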
Contact our SSO team at support@groklearning.com for further instructions.