LDAP/LDAPS & Single Sign-On
WCONLINE® allows optional LDAP/LDAPS and single sign-on (SSO) so that students can use their university credentials to log into WCONLINE®. With LDAP/LDAPS or SSO, all clients still have to register by filling out your registration form, but there is no option to change the email address or set a password.
With LDAP/LDAPS, all users--administrative or not--log in on the WCONLINE® login page using their university username and password. If an individual is not yet registered, he or she is taken to your registration form with his or her email address shown in gray with no option to edit it and without a place to enter a password. Someone who is already registered is taken to the schedule.
With SSO, students log in on the university server and are passed to WCONLINE® already logged in. Typically, this is useful when students are already accustomed to logging in at the university to access their course information and other information. SSO will work with nearly any authentication method you are already using, because authentication is handled entirely on your end. Administrators log in on the WCONLINE® login page. (Tutors who used to be non-administrators and who have taken new positions at the center have to change from logging in through your portal or other login page to logging in on the WCONLINE® login page.) As with LDAP, students who are not yet registered are taken to your registration form with the email address already entered and no option to set a password. Students who are already registered are taken straight to the schedule.
With SSO, you can attach a piece of data to a student's login, and that piece of data shows up on the logged-in student's appointment form. For example, if your appointment form asks which course a student needs help with, you could use SSO to show each student a list of his or her own courses in a drop-down selection as the answer to that question.
For both LDAP and SSO, you can find all instructions, question bubbles and examples within Global System Settings. In Global System Settings, click "authentication & language" in the links at the top to jump to the section that lists "Integration Options." (If you start scrolling instead, you will find it a couple of options above the color selections.) Click the "click here" next to "Integration Options." Since you will most likely have someone from your IT department working on this, you might choose to make that person a full administrator. (Or "you," the person reading through this, might be someone in IT.) Once the authentication method is selected and the settings are entered, saved, tested and made live, the login method is up and running.
As a quick reference if your authentication method is failing: a few common causes are the university firewall blocking the LDAP connection, the LDAP server not accepting the connection, or incorrect time settings for SSO. The IP addresses that need to be allowed through your firewall are 22.214.171.124, 126.96.36.199, and 188.8.131.52. These are also listed in the instructions that appear once you have selected LDAP/LDAPS as the authentication method.
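One way for the IT contact to check the firewall cause described above, as an added example that is not WCONLINE® code: it reads `iptables-save` output and reports which of the listed addresses are still not accepted on the LDAP port. It goes one step beyond the text by also reporting whether the port is open to any other host. Assumptions: the firewall is Linux iptables, the directory listens on the standard ports 389 (LDAP) or 636 (LDAPS), and the rule set and the `OUTSIDER` address are constructed samples.

```python
import ipaddress
import shlex

# Source addresses the page says must be allowed through the firewall.
REQUIRED_SOURCES = ["22.214.171.124", "126.96.36.199", "188.8.131.52"]
OUTSIDER = "203.0.113.10"  # assumed stand-in (documentation range) for any other host

# Constructed sample in iptables-save format (not taken from any real site).
SAMPLE_RULES = """\
:INPUT DROP [0:0]
-A INPUT -s 22.214.171.124/32 -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -s 126.96.36.199/32 -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
"""

def parse(rules_text):
    """Return (default_policy, [(source_network, dport, target), ...]) for INPUT."""
    policy, rules = "ACCEPT", []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 2 and tok[0] == ":INPUT":
            policy = tok[1]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = {"-s": "0.0.0.0/0", "--dport": "", "-j": ""}
        for flag, value in zip(tok, tok[1:]):
            if flag in opts:
                opts[flag] = value
        # Simplification: only single-port rules with a terminating target are modelled.
        if opts["--dport"].isdigit() and opts["-j"] in ("ACCEPT", "DROP", "REJECT"):
            net = ipaddress.ip_network(opts["-s"], strict=False)
            rules.append((net, int(opts["--dport"]), opts["-j"]))
    return policy, rules

def verdict(policy, rules, source, port):
    """First matching rule decides; otherwise the chain policy applies."""
    addr = ipaddress.ip_address(source)
    for net, dport, target in rules:
        if dport == port and addr in net:
            return target
    return policy

def audit(rules_text, port):
    """Report required sources that are not accepted, and whether outsiders are."""
    policy, rules = parse(rules_text)
    missing = [s for s in REQUIRED_SOURCES if verdict(policy, rules, s, port) != "ACCEPT"]
    exposed = verdict(policy, rules, OUTSIDER, port) == "ACCEPT"
    return {"missing": missing, "open_to_outsider": exposed}
```

On the sample, `audit(SAMPLE_RULES, 636)` reports the third address as missing, while `audit(SAMPLE_RULES, 389)` shows every required address accepted only because the unencrypted port is open to all sources.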
A note on administrator email addresses and passwords with SSO: For security, administrators have to log in via the WCONLINE® login page, but, because students have to be directed to log in on your own page (via a link that you have specified in the SSO settings), there is no "click here to register" link on the login page. If you are already logged in as a full administrator, have already added other email addresses as full and basic administrators and are wondering how to have these people register, note that you can always register any individual using your "Add a New Client" form. Click the profile-of-a-face icon at the top left of your schedule view to enter any email address, name and password (and any other information desired). That new administrator can log in using the email address and password you have entered.
With both LDAP and SSO, under your own login, even as an administrator, you will not be able to use Update Profile & Email Options to change your own email address or password. To change your own email address and/or password, go to Manage Clients & Records, find your own name, and click to "edit profile/password." As a full administrator, you can also help any other administrator by finding his or her name in Manage Clients & Records and clicking to "edit profile/password." (You do not normally have to change your email address or password. If you are using LDAP or SSO, a possible reason to change an email address would be if there were a change to all or most university email addresses, or if you or another individual has had a change of last name with a corresponding change to email address. If you are using SSO, a reason to change a password would be if you are logging in as an administrator and want to use a different password.)
Also note that all integration options are optional. Most centers simply have everyone register and log in on the WCONLINE® login page. You can also use the registration email confirmation in Global System Settings to verify email addresses.
The screen shots in this chapter are from our demo, where the contact information is for support and sales. And, here, we use examples such as "your-university" and "university.edu" for email addresses and domains. On your own site, the contact information is for your center, uses the email address entered as the "system email" in Global System Settings and uses your real domain. Please do not copy the settings from these screen shots, as your university's settings are different from these and are unique to your university.
SECTION 1: LDAP Instructions and Settings
SECTION 2: Testing LDAP Settings
SECTION 3: LDAP Registrations and Logins
SECTION 4: LDAP with Card Reader Support
SECTION 5: SSO Instructions and Settings
SECTION 6: Data Map with SSO
SECTION 7: SSO Registrations & Logins
SECTION 8: SSO with Card Reader Support