Step 1: Go to the Cloudwork Dashboard and add a new SSO Service.
Click the 'Single Sign On' button, then 'Add new Service'.
Now add "Custom SAML Service".
Step 2: Configure New Service Metadata
You will now see a screen where you can enter the service fields.
The fields are explained below:
- Name: Type "EnrolHQ" (note that the screenshot says "EnrolHQ Demo" for training purposes only)
- Entity ID: "https://enrol.school.qld.edu.au/saml2/metadata/", where you replace "enrol.school.qld.edu.au" with your school's EnrolHQ subdomain
- Assertion Consumer Service: "https://enrol.school.qld.edu.au/saml2/acs/", where you replace "enrol.school.qld.edu.au" with your school's EnrolHQ subdomain
- Single Logout Service: "https://enrol.school.qld.edu.au/saml2/ls/", where you replace "enrol.school.qld.edu.au" with your school's EnrolHQ subdomain
- NameID Value: This is a dropdown list where you should choose 'Email'. EnrolHQ matches the email address of the user trying to log in via Cloudwork SSO against the existing users set up inside EnrolHQ to determine whether that user should be allowed to log in.
- NameID Format: leave this as emailAddress
- Login URL: "https://enrol.school.qld.edu.au/saml2/login/", where you replace "enrol.school.qld.edu.au" with your school's EnrolHQ subdomain
Now click Submit and the Cloudwork side should be set up.
You will need to copy the Entity ID metadata URL for pasting into EnrolHQ.
Step 3: Configure EnrolHQ SAML
Inside EnrolHQ, you will need to log in as a user with 'Admin' privileges (that is, a user with the 'Admin' role attached). You will then be able to go to User Management > SAML Settings in the main left-hand menu.
- Toggle it to 'Enabled'
- Name it 'Cloudwork SSO'
- Paste the metadata URL copied from Cloudwork in the previous step into the IdP Metadata URL field.
Click Save and you will see the full setup.
Step 4: Test and then Force SSO for EnrolHQ Users
As with Microsoft Azure AD, you will need to add users and/or groups to your Cloudwork SSO service for EnrolHQ before it will work. A user with the same email address already has to exist inside EnrolHQ too. There is no auto-provisioning of accounts (as that is a security risk). The 'Admin' in EnrolHQ needs to review the users inside EnrolHQ and make sure they are assigned the correct roles. Once you have tested that SSO works, go to the Users page and toggle 'Password Auth' to off so that those users can no longer use their old EnrolHQ usernames and passwords and must use SSO.
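The email-match rule described for the NameID setting in Step 2 and again here in Step 4 (existing account required, no auto-provisioning, assertion addressed to this SP) is illustrated by the following added example. It is not EnrolHQ or Cloudwork code; it assumes the SAML Response has already been signature-verified by a proper SAML library, uses a constructed unsigned assertion as input, and treats the case-insensitive email comparison as an assumed local policy.

```python
"""Illustrative SSO account-matching check (added example, not vendor code).

Assumes the XML signature of the Response has already been verified
elsewhere; this only shows the Audience/NameID checks and the
"existing users only, never auto-provision" matching rule.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample Response for demonstration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@school.qld.edu.au</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://enrol.school.qld.edu.au/saml2/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def match_sso_user(response_xml, sp_entity_id, existing_users):
    """Return the local username for the asserted email, or None to refuse login.

    existing_users maps lower-cased email -> local username (hypothetical shape).
    """
    root = ET.fromstring(response_xml)
    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        return None  # assertion was issued for a different service provider
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return None  # the IdP must send the email address as the NameID
    email = (name_id.text or "").strip().lower()  # assumed case-insensitive match
    # Only accounts that already exist may log in; unknown emails are refused,
    # never provisioned on the fly.
    return existing_users.get(email)
```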
Conclusion:
Configuring EnrolHQ to use your school's identity provider, whether it be Cloudwork, Azure, Okta or another, is an easy way to improve your school's IT security posture. Not only does it make it easier for school admins to log in, but IT now has a way to centrally monitor, log and provision user accounts with the correct access privileges. At EnrolHQ we believe that security should be baked into the product as standard, so SAML-based SSO authentication is available at no extra cost.
Just log in as an 'Admin' and you will see the configuration page under User Management > SAML Settings. If you have any questions, always feel free to contact us at support@enrolhq.com.au.