SAML 2.0 SSO

With Xello SSO, students can log into their account and then access Xello without a separate login.

FYI: To learn more about how SSO works in Xello, see the articles How Student SSO Works and How Educator SSO Works.

If you're establishing a trust between Xello and Active Directory Federation Services (ADFS), follow these instructions:

  1. Open ADFS Management.
  2. At the top left of the screen, click the ADFS folder and choose the Add Relying Party Trust option from the actions menu (on the right of the screen by default).
  3. Click Add Relying Party Trust Wizard, which will allow you to choose a metadata file. Choose the following XML file: Click Here
  4. Once you’ve entered the URL, you can finish the wizard by clicking Next multiple times and leaving the other options set to default.
  5. You’ll now see the recently added Relying Party Trusts folder (in the Trust Relationship folder). Highlight the new Xello Relying Party Trust and then click the Edit Claim Rules link in the action menu to the right.
  6. Add a new rule using the template Send LDAP Attributes as Claims and call the new rule sso-token, making sure the entire sso-token name is in lowercase and not in quotes. Click OK to save the custom rule.
  7. Note: The LDAP Attribute is very important as it represents the attribute in your Active Directory that identifies a user’s unique identifier (e.g. samAccountName, StudentId, or employee-id are all common attribute names). Whatever attribute you choose, it must be something that Xello has pulled from data integration, like the Student ID or email address.
  8. Right-click Xello Relying Party Trust and select Properties. Choose the Advanced tab and make sure that the Secure hash algorithm is set to SHA-1.
  9. Once setup is complete on your end, your Onboarding Manager will require the following configuration information to complete the process:
    • Your Federation Service identifier. You can find this by right-clicking the ADFS folder and selecting Edit Federation Service Properties. It will be the value in the Federation Service identifier field.
    • The URL you’d like users to return to when they log out of Xello.
    • The user attribute name that you set up in your sso-token claim rule. We need this so that we can configure our system to look up users based on the correct attribute (e.g. Student ID or email address).
    • A copy of your Token Signing Certificate that we can install on our server. You can export your certificate by right-clicking on the certificate and clicking View Certificate. From there, you can go to the Details tab and click the Copy to File button, which will then allow you to export the certificate to file.
    Note: Xello’s mail server will block .cer attachments, so please zip the certificate before emailing it to us.
  10. When configuration is complete, your Onboarding Manager will send you a URL that can be placed in your LMS or Intranet, or provided directly to students. Where {DistrictToken} is your unique Xello district token, the URLs will look something like this:
    • For Students: https://auth.xello.world/student/saml?DistrictToken={DistrictToken}
    • For Educators: https://auth.xello.world/educators/saml?DistrictToken={DistrictToken}
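
The settings from steps 6 and 8 can be checked, and the items listed in step 9 collected, from PowerShell on the AD FS server. This is an added example, not a script provided by Xello; the trust display name `Xello` and the output folder are assumptions to adjust for your environment.

```powershell
# Run in an elevated PowerShell session on the primary AD FS server.
# Assumption: the relying party trust's display name is "Xello".
$trustName = 'Xello'
$outDir    = Join-Path $env:TEMP 'xello-sso'   # hypothetical working folder

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "No relying party trust named '$trustName' was found." }

# Step 8: the Secure hash algorithm setting. SHA-1 is stored as the rsa-sha1 URI.
$sha1Uri = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
if ($trust.SignatureAlgorithm -ne $sha1Uri) {
    Write-Warning "Secure hash algorithm is '$($trust.SignatureAlgorithm)', expected '$sha1Uri'."
}

# Step 6: a rule named exactly sso-token (case-sensitive match, hence -cnotmatch).
$rules = [string]$trust.IssuanceTransformRules
if ($rules -cnotmatch '@RuleName\s*=\s*"sso-token"') {
    Write-Warning 'No claim rule named sso-token (all lowercase) was found on this trust.'
}

# Step 9, third bullet: LDAP attribute(s) referenced by the trust's LDAP claim rules.
$ldapAttributes = [regex]::Matches($rules, 'query\s*=\s*";([^;]*);') |
    ForEach-Object { $_.Groups[1].Value }

# Step 9, fourth bullet: export the public part of the primary token-signing
# certificate (no private key) and zip it, since .cer attachments are blocked.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$cerPath = Join-Path $outDir 'token-signing.cer'
$zipPath = Join-Path $outDir 'token-signing.zip'
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($cerPath, $signing.Certificate.Export($certType))
Compress-Archive -Path $cerPath -DestinationPath $zipPath -Force

# Summary of what to send to your Onboarding Manager (the logout URL is your choice).
[pscustomobject]@{
    FederationServiceIdentifier = (Get-AdfsProperties).Identifier
    LdapAttributesInClaimRules  = $ldapAttributes -join ', '
    SigningCertThumbprint       = $signing.Certificate.Thumbprint
    SigningCertExpires          = $signing.Certificate.NotAfter
    ZippedCertificate           = $zipPath
} | Format-List
```

The expiry date in the summary matters because the copy installed on Xello's side is the certificate you exported, so a renewed token-signing certificate has to be sent again.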

Still need help? Contact Us