About – Single Sign-On

Using single sign-on

If your organization is set up to use single sign-on (SSO) for Scalgo Live, click "Log in using single sign-on" on the log in page, select your organization and click "Log in" to proceed to your organization's log in.  If this is the first time you use Scalgo Live, an account will be created for you after accepting the privacy policy.

Setting up single sign-on

Setting up single sign-on for Scalgo Live is typically done by your organization's IT department.  The remainder of this page is a technical description of how to set up single sign-on for Scalgo Live.

Scalgo Live uses the SAML2 standard for single sign-on (SSO).

We have two general ways of setting up SSO for organizations:

  • For educational institutions part of a national federation, metadata can be exchanged through the national federation or eduGAIN interfederation.
  • For other organizations metadata exchange is "manual".

Federation metadata exchange

If your educational institution is part of a national federation, we will get the metadata for your identity provider from there.  Specifically, we currently consume metadata from the following federations:

The Scalgo Live service provider metadata is exported to eduGAIN by the Danish federation (WAYF), and can be found under enitity ID "http://scalgo.com/sso/wayf", see e.g. refeds.org.

The procedure for enabling access to SCALGO Live differs by federation, please contact your local federation for more information on enabling access to eduGAIN-exported services, and let us know when we should list your institution, or you would like to test the set up (see also Testing below).

Manual metadata exchange

Our service provider metadata is located at: https://scalgo.com/py/sso/metadata

Organizations wishing to interact with our service provider for single sign-on must provide a metadata URL for their identity provider, please send this to your contact at Scalgo. Once we have this information we can enable single sign-on for the organization.

For organizations using SSO we recommend that we disable traditional email+password login for Scalgo Live.

Attributes

We recognize the following per-user attributes for login:

urn:oid:2.5.4.42 or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
and
urn:oid:2.5.4.4 or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
User's name; required either as given name + surname or full name.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
urn:oid:0.9.2342.19200300.100.1.3 or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressUser's e-mail address; required.
urn:oid:2.5.4.11 or
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department
Organizational unit; required for usage stats subdivision.

Persistent name identifiers are supported. If the name identifier format in assertions from your identity provider is persistent, these will take precedence when matching existing users.

Testing

When the setup is completed, visit https://scalgo.com/py/sso/test to get a report indicating whether the setup was successful. Here you can also see which attribute values are received by us and how they are used. This only checks the single sign-on process and does not create a Scalgo Live account.

To create a Scalgo Live account and log in, go to https://scalgo.com/login.

Setting up Entra ID (Azure AD)

Create a new Enterprise Application in Entra ID (Azure AD) and go to the Single sign-on section. There you can upload the Scalgo metadata file, creating a ”Basic SAML Configuration”.

Under Attributes & Claims, some defaults may already be filled in. In particular, "name" may be set to "user.userprincipalname"; either delete this claim (in which case Scalgo Live will concatenate givenname and surname), or set it to "user.displayname". The result should look something like this:

Finally, please send the metadata URL (App Federation Metadata Url) to Scalgo:

Note that users cannot access Scalgo Live from the app button provided by Entra ID, only by initiating login on https://scalgo.com/.  If you would like the app button to work, ask us for the Sign on URL you should put under Basic SAML Configuration (it will be of the form https://scalgo.com/py/sso/request?provider=PROVIDER-ID).

Questions

If you have questions, please contact Scalgo Live Support.