Setting up SSO with Azure AD (Active Directory)

This guide will help you set up Azure AD SSO for your company.


Access: You should have Manager/Admin Educative Access to set this up, in addition to having Admin Access within your Azure/O365 instance to take this action. If you do not have this access, please reach out to your IT or Security team to partner in activating this SSO feature. 

Educative provides Single Sign-On (SSO) functionality for customers to access our platform through Azure Active Directory (Azure AD) SSO. 

Steps

Making sure SSO is Activated

Part One - Within Azure

Part Two - Within Educative


Making sure SSO is Activated

Before Going Further: If you open the Gear ⚙️ menu on the main Educative dashboard and do not see "SSO Configuration," you will need to reach out to our team to activate it on your account. Please email enterprise@educative.io and mention in your message that you want to activate Azure AD SSO.

If we have turned this on for you, you should see SSO Configuration in your Gear ⚙️ Menu:

[Screenshot: SSO Configuration in the Gear menu]

Once there, click into SSO Configuration and you will be taken to a new page:

[Screenshot: SSO Configuration page]

Click Activate.

Another page will appear. About midway down, look for the "Login URL."

You'll see something like this:

https://www.educative.io/api/azure-ad-sso/XXXXXXXXXXXXX

The XXXXXXXXXXXXX above is your Org_ID. You will need this for the Azure AD App setup, so keep this tab open, and then proceed to Part One below.



Part One - Within Azure 

Make the Azure AD application through Azure AD Portal

Note: If your Azure application has already been created, skip to Part 2.

i) Login/Sign-up to Azure AD with the administrator credentials: https://portal.azure.com/

ii) Create a new App

a. Register an App
Click on the App Registration button. If it is not already visible on the homepage, you can search for it at the top.


b. Register an application

You'll be redirected to a new page in the same tab. There, click "Register an application."


c. Fill in the Form

  1. Name - Update the name to "Educative" or "Educative-Your Company" or something that easily reminds you of what application/company this is for. 
  2. Supported Account Types - Unless otherwise directed by your IT team, select "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft Accounts (e.g. Skype, Xbox)"

  3. Redirect URI
    1. Select "Web" in the first drop-down field.
    2. Copy and Paste this Redirect URI link to the next field: 
      https://www.educative.io/api/azure-ad-sso/return/org_id
    3. If you have closed your tab with Educative open, click here to head back, open a new tab in your browser and copy the number at the end of your Login URL.
    4. After pasting, be sure the org_id in the redirect URI matches with your company's org_id from Educative.
      Example:

      If your org_id is 12345678910 then the redirect URI should look like this:

      https://www.educative.io/api/azure-ad-sso/return/12345678910
  4. Click Register.


After clicking Register, there are a few steps still needed. 

You should see this page (or something similar):

[Screenshot: the registered application's page]

iii) Set additional redirect URI fields

From the screen above, navigate to Redirect URIs.

You can do this in two ways: click the "1 web, 0 spa, 0 public client" link as seen above, or head to the Authentication menu on the left.

Once there, you'll see "Implicit grant and hybrid flows."

Fill out the form this way:

  1. "Select the tokens you would like to be issued by the authorization endpoint"
    1. Choose only ID tokens (used for implicit and hybrid flows)
  2. "Supported Account types"
    1. Select Accounts in this organizational directory only (Default Directory only - single tenant)
  3. Advanced Settings > Allow public client flows
    1. Enable the following mobile and desktop flows: Select "No"
  4. Click Save.

Example:

[Screenshot: Authentication settings filled in]

2. Create new Client Secret

Note: If you already have a client secret for your app, skip to part 3.

From the Authentication menu, now head to the left Manage menu again and click the Certificates & secrets menu.

Once loaded, click on + New client secret.

A menu will slide open from the right, "Add a client secret." Fill this out as follows:

  1. Description: Educative-client-secret
  2. Expires: (select from the drop-down) 24 Months 
  3. Click Add

You've created the client secret and it should now look like this:

[Screenshot: the new client secret listed]

3. Add API Permissions

From the Certificates & secrets menu, now head to the left Manage menu again and click the API permissions menu.

In the same way you created a client secret, click + Add a permission.

Another menu will open from the right, "Request API permissions."

Be sure to have selected the "Microsoft APIs," and then click Microsoft Graph.

The Microsoft Graph menu will then load, and should look like this:

[Screenshot: Microsoft Graph permissions menu]

Click on Application permissions, then check the box for the User.Read.All permission, and then click the Add Permissions button. This will close the right menu and bring you back to the API permissions main area, where you'll notice the addition of User.Read.All.

Next, click "Grant admin consent for Default Directory" as seen below:

[Screenshot: Grant admin consent button]

Once this is done, head back to the left menu, click Overview at the top left, and leave this tab open.
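To double-check Part One before moving on, the settings above can be audited against the application object. This is an added example, not Educative's or Microsoft's code: it assumes the JSON has the Microsoft Graph application resource shape, uses the well-known Microsoft Graph app ID and User.Read.All application role ID, and runs on a constructed sample with a fixed clock.

```python
from datetime import datetime, timezone

GRAPH = "00000003-0000-0000-c000-000000000000"           # Microsoft Graph appId
USER_READ_ALL = "df021288-bdef-4463-88db-98f22de89214"   # User.Read.All, application role
PREFIX = "https://www.educative.io/api/azure-ad-sso/"

def expected_redirect_uri(login_url):
    """Build the redirect URI from the Login URL, whose last segment is the org_id."""
    org_id = login_url[len(PREFIX):].strip("/") if login_url.startswith(PREFIX) else ""
    if not org_id or "/" in org_id:
        raise ValueError("not an Educative Azure AD SSO Login URL")
    return f"{PREFIX}return/{org_id}"

def audit(app, login_url, now):
    """Compare an application object with this guide; return a list of findings."""
    web = app.get("web", {})
    grant = web.get("implicitGrantSettings", {})
    roles = {(r["resourceAppId"], a["id"], a["type"])
             for r in app.get("requiredResourceAccess", []) for a in r["resourceAccess"]}
    live = [c for c in app.get("passwordCredentials", [])
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) > now]
    checks = [
        (expected_redirect_uri(login_url) in web.get("redirectUris", []),
         "redirect URI does not carry this org_id"),
        (app.get("signInAudience") == "AzureADMyOrg", "not single tenant"),
        (grant.get("enableIdTokenIssuance") is True, "ID tokens not enabled"),
        (not grant.get("enableAccessTokenIssuance"), "access tokens enabled"),
        (not app.get("isFallbackPublicClient"), "public client flows allowed"),
        ((GRAPH, USER_READ_ALL, "Role") in roles, "User.Read.All (application) missing"),
        (bool(live), "no unexpired client secret"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: audience still as chosen in step c, and a mistyped org_id.
SAMPLE = {
    "signInAudience": "AzureADandPersonalMicrosoftAccount",
    "isFallbackPublicClient": False,
    "web": {"redirectUris": [PREFIX + "return/1234567890"],
            "implicitGrantSettings": {"enableIdTokenIssuance": True,
                                      "enableAccessTokenIssuance": False}},
    "requiredResourceAccess": [{"resourceAppId": GRAPH,
        "resourceAccess": [{"id": USER_READ_ALL, "type": "Role"}]}],
    "passwordCredentials": [{"displayName": "Educative-client-secret",
                             "endDateTime": "2025-05-19T00:00:00Z"}],
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock, reproducible result

if __name__ == "__main__":
    print(audit(SAMPLE, PREFIX + "12345678910", NOW))
```

An empty list means the registration matches the guide; each string names the setting to revisit.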


Part Two - Within Educative

Head to Educative. If you left the tab open from earlier, head there now. If you have not, or have been logged out, head here: https://www.educative.io/login

Now we'll head to the Gear ⚙️ menu and select SSO Configuration.

Now click Edit/Activate on the Azure AD instance. These fields should populate:

[Screenshot: Azure AD SSO fields in Educative]

Head back to the Azure tab you left open earlier and, one at a time, copy the following values from the Overview menu in the Azure portal and paste them into the matching fields in Educative:

Azure AD Portal            ->  Educative
Application (client) ID    ->  Client ID
Directory (tenant) ID      ->  Tenant ID

Before closing this tab, we need to get the client secret we created. 

Head to the left menu in Azure and click Certificates & secrets and look for the name we made earlier, Educative-client-secret. 

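We want the Value, not the Secret ID. Click the copy icon 📑 and then paste it into the Client Secret field in Educative. Azure shows the Value in full only right after the secret is created; if it is now masked, create a new client secret and copy its Value.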

Double-Check that you've entered all the requested info from Azure. 

Head back to Educative, and click Save Configuration.

You Did it! 🥳🎉

If you have any questions, please let us know by emailing enterprise@educative.io