
Set Up SAML SSO

Active districts, standalone schools, and schools within an inactive district can configure the Security Assertion Markup Language (SAML) connection for staff, students, parents, and guardians.

  • If you are using email as the Federation Type, ensure that staff and students cannot change their usernames or passwords before you configure SAML for staff and students.
  • When grade 12 students transition to alumni, they can no longer use SAML to log in to Naviance Student. Instead, alumni students will log in natively with a username and password.
Follow the steps on this page to set up SAML single sign-on (SSO) if you are not using PowerSchool Student Information System (SIS).

Configure SAML

Schools within an active Naviance district account cannot configure a SAML connection. The SAML connection can only be configured at the district level.

  1. Navigate to the gear icon and select Setup.
  2. Select Single Sign-On (SSO) Options.
  3. Click Configure for SAML SSO.
  4. Click Add SAML Connection.

Step 1 Getting Started

  1. Enter a Display Name for your SAML Connection. The display name must be one of the following:
    • Naviance PS SIS - Student
    • Naviance PS SIS - Parent
    • Naviance PS SIS - Staff
  2. Select a SAML connection type from the list according to the Identity Provider (IdP) being used.

    If you are setting up a connection for parents and guardians, you must select Other even if GSuite is your IdP.
  3. Select a user type for this connection. You can create a connection for one user type at a time.
  4. Click Next.

Step 2 Copy Naviance Service Provider Information

GSuite

  1. Review the overview information.
  2. Copy the ACS URL and Entity ID and provide them to GSuite. Review the GSuite instructions on SAML if you need more information.
  3. Download the Naviance Logo Icon and provide it to GSuite for use in the login process.
  4. After you have given the information to GSuite, click Next.

Other

  1. Review the information and confirm the necessary fields are populated in your IdP.
  2. Copy the ACS URL and Entity ID and provide them to your IdP provider. Refer to your IdP provider for more instructions on its SAML connection process.
  3. Download the Naviance Logo Icon and provide it to your IdP for use on their login page.
  4. From Optional Configuration, enter an SP (Service Provider) Logout URL or select Enable a Signed Authn Request.
      • SP Logout URL is the page to which staff or students should be redirected if they sign out of the IdP.
      • Signed Authn Request adds another layer of security to your SAML connection. When selected, it requires that our information is sent back and matches the IdP after Naviance receives the authentication request.
  5. Click Next.

Step 3 Enter IdP Information

To complete this step, you will need:

  • Email domains
  • An x509 Certificate from your IdP

GSuite

  1. Enter all email domains connected to the user type selected for this connection in Tenant Domain. Enter multiple domains separated by commas.
  2. Enter the SSO URL from your IdP.
  3. Upload the x509 Certificate that you downloaded from your IdP.
  4. Click Create Connection. Your SAML connection is live.

Other

  1. For students or staff, enter all email domains connected to the user type selected for this connection in Tenant Domain, even if using a non-email Federation Type. Enter multiple domains separated by commas.

    You will not complete this step if setting up a parent connection.
  2. Enter the SSO URL that you retrieved from your IdP.

    If using the PowerSchool Student Information System (SIS) as the IdP, enter https://{sis-domain}:443/powerschool-samlsso/profile/SAML2/Redirect/SSO, replacing {sis-domain} with your PowerSchool SIS domain.

  3. Upload the x509 Certificate that you downloaded from your IdP.

  4. From Advanced Configuration, define your Federation Type if you are using a Federated ID, not email.

    1. Enter an IdP Logout URL where the user will be redirected if they are logged out of your IdP. This sets up a chained logout scenario so a user who logs out of Naviance will also be logged out of your IdP.

    2. Select an option from Choose Federation Type.

      • Email as NameID

        • Select this option if you are using Email as your SAML connection type. Users are identified by their email addresses, and your SAML IdP is configured to set the NameID of the Subject section with the email address.

      • Non-email as NameID

        • Select this option if you are using a custom ID to uniquely identify your users, and your SAML IdP is configured to set the NameID of the Subject section with the custom ID.

      • Non-email as NavFederationID

        • Select this option if you are using a custom ID to identify your users, and your SAML IdP is configured to set this ID value in a custom attribute that you have named NavFederationID in the AttributeStatement section. The NavFederationID Attribute field in your IdP will be mapped to the FederationID field in Naviance.

  5. Click Create Connection. The SAML connection is live.

    If using a PowerSchool SIS as the IdP, you must create the plugin file and install the SAML Plugin in your SIS before logging in to Naviance and using SAML SSO.
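
Added example, not Naviance code: a pre-flight check, run against a sample assertion exported from your IdP, that shows which value each Federation Type in Step 3 would read as the user identifier. The assertion is constructed, and the function name and the three federation-type labels are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP; signature omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>jdoe@school.edu</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="NavFederationID">
      <saml:AttributeValue>123456</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def federation_identifier(assertion_xml, federation_type):
    """Return the value the chosen Federation Type reads as the user identifier.

    federation_type labels are hypothetical names for the three options:
    "email_nameid", "nonemail_nameid", "navfederationid".
    """
    root = ET.fromstring(assertion_xml)
    if federation_type in ("email_nameid", "nonemail_nameid"):
        node = root.find("saml:Subject/saml:NameID", NS)
        value = (node.text or "").strip() if node is not None else ""
        if not value:
            raise ValueError("Subject has no NameID")
        is_email = value.count("@") == 1 and "." in value.split("@")[1]
        if federation_type == "email_nameid" and not is_email:
            raise ValueError("NameID is not an email address")
        return value
    if federation_type == "navfederationid":
        path = ("saml:AttributeStatement/"
                "saml:Attribute[@Name='NavFederationID']/saml:AttributeValue")
        values = [(v.text or "").strip() for v in root.findall(path, NS)]
        values = [v for v in values if v]
        if len(values) != 1:
            raise ValueError("expected one NavFederationID value, got %d" % len(values))
        return values[0]
    raise ValueError("unknown federation type: %r" % federation_type)


if __name__ == "__main__":
    for ftype in ("email_nameid", "nonemail_nameid", "navfederationid"):
        print(ftype, "->", federation_identifier(SAMPLE_ASSERTION, ftype))
```

The check only inspects where the identifier sits in the assertion; it does not validate the assertion's signature against the x509 certificate.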

Locate Metadata for Your IdP

Some IdPs such as ClassLink need metadata from Naviance to complete the SAML connection to Naviance. The Metadata XML file is available for the Other connection type.

After you have completed the SAML setup process, find the Metadata file on the SAML dashboard to download and provide to your IdP provider.

Test the Connection

You cannot test a SAML Connection in Naviance. As soon as you make the connection, it is live.

Naviance suggests completing the connection during non-peak times, such as after hours on a Friday, so you can remove the connection if it does not work as expected. Troubleshoot the issue and then complete the connection again.

Log In using SAML SSO

Students and Staff

Students and staff can log in to Naviance using SAML in one of two ways:

  1. Via your IdP's log-in option. For example, with GSuite, staff or students click the Naviance widget from the Google waffle and are immediately logged in.
  2. Via the Naviance or Naviance Student native log-in page for your school. Naviance recognizes the staff or student as a SAML user and displays the corresponding log-in pages. Staff or students may be redirected to the Naviance native log-in page when logging in on a personal device or if Naviance times out.
If you use a non-email federated ID SAML connection for staff, staff who need to log in from the Naviance native staff login page must enter their email address using this template: federatedID@tenantdomain.com (for example, 123456@school.edu).

Parents

Parents can log in to Naviance using SAML in one of two ways:

  1. Via a school or district portal.
  2. Via the Naviance Student native log-in page for your school. From the log-in page, click Parent or Guardian and then click Continue with Single Sign On.

Manage SAML Connections

  1. Navigate to Settings and select Setup.
  2. Select Single Sign-On (SSO) Options.
  3. From the SAML SSO section, select Configure.
  4. From the SAML Connections page, you can:
    • Click the connection name to view the details of the connection.
    • Click Delete to remove the connection and revert the user type to a Naviance ID login.
    • Click Add SAML Connection to add more connections.

Update the x509 Certificate

When an x509 certificate is within 30 days of expiring, the expiration date displays a warning. You must obtain an updated certificate from your IdP and create a new connection in Naviance. When creating the new connection, the connection credentials to Naviance will change slightly, and you must update the IdP inputs.

  1. Navigate to Settings and select Setup.
  2. Select Single Sign-On (SSO) Options.
  3. Click Delete to remove the expired connection.
  4. Follow the steps to create a new connection.
  5. From Step 3, add the updated certificate.

Add New User Accounts with SAML SSO

Continue using your selected method to create new staff or student user accounts in Naviance.

When creating new user accounts:

  • Ensure a new user will be recognized during the authentication process by verifying the email information in their Naviance user account is the same as their email in the IdP.
  • Assign a Naviance Student username when importing or adding student users to ensure the student's Naviance account is created correctly. The student will not enter the username when logging in.
Naviance does not auto-create user accounts when you add new staff or student users to your SIS.