SAML SSO - I'm using another system

Before you read these instructions, make sure you've read our guide: How can I setup SSO between my school and Grok?

The information below is designed to help you set up SAML2 SSO if your identity system is something other than Azure AD. If you are using Azure AD, go back to the FAQ above and select "I'm using Azure AD" instead.

Guide for setting up SAML2 SSO: using another identity provider

As described in our metadata, here are the SAML attributes we're set up to receive from the many other SAML2 identity providers:

| SAML2 attribute name | Description | Example value |
| --- | --- | --- |
| gn | The given name (first name) of the user. | Jan |
| sn | The surname (last name) of the user. | Doe |
| cn | The common name (full name) of the user. | Janette Doe |
| mail | The email address of the user. This is assumed to be unique over time. | |
| uid | The username of the user within your Identity Provider. This is assumed to be unique over time. This attribute is mostly applicable to universities. | janette.doe |
| guid | The transparent primary key of the user within your Identity Provider. This is assumed to never change over time and is guaranteed to be unique. | af6697fd-f2d1-4e52-aee7-aa809fbb782e |
| group | A multi-valued attribute that allows Grok to accept incoming groups. The SSO team can configure SSO to extract information from and/or use the group names to map to other attributes. | "8486099b-a236-44dc-a567-0e1da1964c50", "Class of 2029" |
| yearLevel | For students, their current scholastic year as a number between 0 and 13, inclusive. | 8 |
| graduationYear | For students, the calendar year that will be their final year of schooling (their graduation year). | 2029 |
| eduPersonAffiliation | Either "student" or "staff", informing Grok whether the incoming user is a "Student" or "Teacher". | student |

You will need to set up your SAML configuration to provide a subset of these values. Please contact our SSO team at for further instructions.
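A pre-flight check that an identity provider administrator could run over the AttributeStatement of a test assertion to confirm the released values fit the table above. This is an added example, not Grok's code. It assumes each attribute's SAML `Name` is the short name from the table and that every attribute other than `group` is single-valued; it checks value shapes only and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
KNOWN = {"gn", "sn", "cn", "mail", "uid", "guid", "group",
         "yearLevel", "graduationYear", "eduPersonAffiliation"}

# Constructed sample built from the example values in the table above.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
 <saml:Attribute Name="gn"><saml:AttributeValue>Jan</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="guid"><saml:AttributeValue>af6697fd-f2d1-4e52-aee7-aa809fbb782e</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="group">
  <saml:AttributeValue>8486099b-a236-44dc-a567-0e1da1964c50</saml:AttributeValue>
  <saml:AttributeValue>Class of 2029</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="yearLevel"><saml:AttributeValue>8</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="graduationYear"><saml:AttributeValue>2029</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def read_attributes(xml_text):
    """Return {attribute name: [values]} from an AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_attributes(attrs):
    """Return a list of problems; an empty list means the values fit the table."""
    problems = []
    for name, values in attrs.items():
        if name not in KNOWN:
            problems.append(f"{name}: not listed in the attribute table")
        elif "" in values:
            problems.append(f"{name}: empty value")
        elif name != "group" and len(values) != 1:  # assumption: only group is multi-valued
            problems.append(f"{name}: expected one value, got {len(values)}")
    for v in attrs.get("yearLevel", []):
        if not (v.isascii() and v.isdigit() and 0 <= int(v) <= 13):
            problems.append(f"yearLevel: {v!r} is not a number from 0 to 13")
    for v in attrs.get("graduationYear", []):
        if not (v.isascii() and v.isdigit()):
            problems.append(f"graduationYear: {v!r} is not a calendar year")
    for v in attrs.get("eduPersonAffiliation", []):
        if v not in ("student", "staff"):
            problems.append(f"eduPersonAffiliation: {v!r} is not 'student' or 'staff'")
    return problems


if __name__ == "__main__":
    print(check_attributes(read_attributes(SAMPLE)) or "sample matches the table")
```

Because only a subset of the attributes is expected, the check does not flag missing attributes; it reports unknown names and values outside the ranges the table gives.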

