ClassLink

• Setting-up Azure Entra with Classlink
• Classlink LTI v1.3 (OIDC) SSO Information

Setting-up Azure Entra with Classlink

Notes

This is an all or none type of configuration. Once enabled all users of the domain will be redirected to Launchpad for authentication in all Microsoft applications. Users previously Authenticated to Office 365/Entra ID (Azure AD) may need to reauthenticate their desktop applications. Office365 Administrator accounts will not be affected by this workflow.

Prerequisites

• Authenticate to LaunchPad with AD (technically could be Google as well but unlikely)
  • • District’s Azure user profile must contain an ImmutableI   
    • If the district uses Azure AD Connect, it’s handled  
    • If the district enters users manually, it’s handled  
    • If the district uses OneSync for Azure, it can be handled in the configuration
• Add Verified Domain to Entra ID (Azure AD)
  •  Do not make it primary.
• Install MSOnline PowerShell module 

  Install-Module MSOnline

• Install Azure Active Directory Connect and configure it – Do not federate via this method.
•  Active Directory should be connected in launchpad under settings > domain gear icon
•  Active Directory Groups should be imported into launchpad

Step 1

1.       In the Classlink tenant SAML Console, Create a new SAML configuration by copying existing and selecting “A New SAML App (template)”

2.       Configure the following options.

• Metadata URL
  •         https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationme tadata.xml
• Loginurl with custom login, e.g. https://launchpad.classlink.com/<customurl>
•  Attribute Mapping
• ▪          Select “Custom Attribute”
  • • Change name of the custom attribute to “IDPEmail”
    •  Add {email} in the data field
• MetaOverrides
  •    Logout Service URL (POST)
    • • •   https://login.microsoftonline.com/common/oauth2/logout
  • NamedID Format
    • • •  Persistent
  • NameID Custom Value
    • • • {ldapguid:hexbase64}
•  Save or Update

Step 2

•  Copy the metadata URL and modify the PowerShell Script below
•  Use this PowerShell Script, change the file extension to “.ps1” after downloading - You may need to unblock the file and change your execution policy on the server
  •  Google Drive

<#
.SYNOPSIS
    Federate Microsoft Entra ID (Azure AD/Microsoft Online Services) to ClassLink for IdP Services.

    Change the <GUID> in the $idpMetadataUrl to be the GUID from your SAML console App.
    Change $DomainName to match your domain name that is going to be Federated
    Change the script extension to ".ps1"

    *NOTE: you may need to set the PowerShell Execution Policy to remote signed or bypass temporarily.

#>

Install-Module -Name MSOnline
Import-Module MSOnline

$idpMetadataUrl = "https://idp.classlink.com/sso/metadata/<GUID>"

$DomainName = "<your domain name>"
$metadataxml = [Xml](Invoke-WebRequest -Uri $idpMetadataUrl -ContentType "application/xml").content

$cert = -join $metadataxml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $metadataxml.EntityDescriptor.entityID
$logOnUri = $metadataxml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$LogOffUri = $metadataxml.EntityDescriptor.IDPSSODescriptor.SingleLogoutService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$brand = "ClassLink Identity"
Connect-MsolService
$DomainAuthParams = @{
    DomainName = $DomainName
    Authentication = "Federated"
    IssuerUri = $issuerUri
    FederationBrandName = $brand
    ActiveLogOnUri = $logOnUri
    PassiveLogOnUri = $logOnUri
    LogOffUri = $LogOffUri
    SigningCertificate = $cert
    PreferredAuthenticationProtocol = "SAMLP"
}

Set-MsolDomainAuthentication @DomainAuthParams

 If you receive an error regarding scripts being disabled Open an elevated PowerShell prompt Type the following:
 set-executionpolicy remotesigned -force
This will allow local PowerShell scripts to run

●     If you use an account that is being federated (using the custom domain instead of an onmicrosoft.com domain) https://portal.azure.com should redirect you to https://launchpad.classlink.com/<customurl> for login from now on, along with any other Microsoft Service

Step 3:

●     Make sure you have break-glass accounts within Microsoft in case something happens.

○     https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-acc ess

Revert to Entra ID (Azure AD) Managed Authentication

Open PowerShell

1. Run the command
2. Connect-MsolService

After authenticating to your Entra ID (Azure AD) Tenant

 Run the command:

  Set-MsolDomainAuthentication -authentication managed -domainName
<domainname>

Replace <domainname> with your domain you wish to remove federation

Classlink LTI v1.3 (OIDC) SSO Information

Dear Vendor,

Our school is going to add your app as an LTI v1.3 SSO app through ClassLink. Please provide me with the following information:

·         ClientID (generated in the Partner Portal)

·         OIDC Login Initiation URL

·         Target Link URL

·         LTI Message Type (default is LtiResourceLinkRequest)

·         Person SourcedID

·         Role

·         With PII

·         Any Input Fields that I would need

Here is information about our school system and ClassLink:

·         The OpenID Connect (OIDC) discovery endpoint is https://launchpad.classlink.com/.well-known/openid-configuration 

·         The OIDC discovery endpoint contains the following:

o   Issuer ID: https://launchpad.classlink.com

o   OIDC URL: https://launchpad.classlink/com/oauth2/v2/auth

o   JWKS URL: https://launchpad.classlink/com/oauth2/v2/jwks

·         Our SchoolDeployment ID (Tenant ID) is xxxx. (Not all vendors require a Deployment ID, but it's best to include it in case it is needed.)

Thank you so much for your help with this,

Insert Your Name and Contact Information