Automatically Sign in From Your Own Website
Use Get Connected's Single Sign-on (SSO) feature to sign in to your Get Connected site from your school or business website. Our SSO confirms that a user has been authenticated in your own system before allowing them to access Get Connected as an authenticated user. This means the user is allowed to access your Get Connected system without having to use independent login credentials.
Note: This feature should only be implemented by those who work with IT support. Contact email@example.com if you have any questions about whether this solution is right for you.
This article focuses on using LDAP to create Single Sign-on. While JWT is the default method for SSO, Galaxy Digital has conducted a number of LDAP integrations. For help on Shibboleth integrations, click here to get the documentation.
Described below is a overview of how SSO works using this method:
- A user navigates to the LDAP form on your connect site.
- The user enters their credentials.
- The data are packaged and encrypted and sent to the client's system to be decrypted.
- The client's system determines if the use should be logged in or not.
- If the login attempt fails, an error is passed to us, and the process stops.
- If the user is logged in successfully, the system passes a success message to us, and the process continues.
- We log the user in.
- If they have a profile, we log them in to their existing profile.
- If they do not have a profile, we create a profile, log them into it, and ask them to provide information not sent in the payload.
The following steps outline what needs to be completed by both Galaxy Digital and your IT staff in order to setup a Single Sign On Integration with LDAP.
Galaxy Digital will create a CSR so the client can purchase and send to us an SSL certificate. This process begins by having the client fill out the CSR request form. Galaxy staff will then send it to the client so that they can create the SSL certificate and send the certificate back for installation.
If a custom domain is being used, that must be setup before an SSL can be generated and will result in additional cost. Please contact firstname.lastname@example.org to inquire about these costs. If a custom domain is not being used, this step can be skipped, and Galaxy Digital will use its own wildcard certificate instead.
Note: If your site is using a vanity domain (i.e. any domain other than the one created by Galaxy Digital when your site is created), there is a cost incurred by the client to set up the integration. Please reach out to email@example.com to inquire about this integration and the cost involved.
The client sends us their LDAP server IP address and their connection string (sometimes called DN information).
Once we receive the SSL certificate, we add the load balancer and install the client’s SSL certificate for their selected domain. This step can be skipped if the client is not using a vanity domain.
Now that SSL is installed and we have their address and string, we install LDAP on our side.
The client will add the following IP addresses to their firewall to allow communication from our servers:
The connection is tested and troubleshooted as necessary.
Note: Providing test credentials to Galaxy staff can greatly expedite this process. Please consider creating a set of credentials with log in permission or giving access to an existing test account.
Galaxy staff notify the client that the process is compete and can be used by anyone who has permission to log into their system. Occasionally small, limited modifications to the process will be made at this point, such as changing the default text in the "Email field, where Galaxy is able.