Users access the Schoolyear application mainly via Single Sign-On (SSO) integration. Using SSO is the easiest way for both instructors and students to log in. If there is no SSO available, it is also possible to create manual user accounts.
Choose which connection applies to your institution:
- Manual user accounts
- SSO-connection Microsoft Entra ID (formerly Azure Active Directory)
- SSO-connection via OIDC
- SSO-connection SURFconext
- SSO-connection Entree
Does your institution use SSO but not one of the options above? Please contact us via support@schoolyear.com, so we can look for an alternative solution together.
Manual User Accounts
Does your institution not use SSO at all? In that case you can manually create user accounts in the admin console.
Step by step:
- Navigate to the admin console
- Select User Management
- Click Invite
- Enter the email address and generate an invite link.
Note:
Schoolyear does not send automatic emails
You have to share the invite link manually
Microsoft Entra ID (formerly Azure Active Directory)
- Register a new application in AzureAD. You can use the following link for quick navigation. Click on "new registration".
- As name, fill in "Schoolyear".
- Under supported account types, keep this at "Single Tenant".
- You can keep the "Redirect URL" blank.
- Navigate to Authentication in AzureAD and click "add platform". Select "Web". Configure the following redirect URLs:
- Navigate to App Roles in AzureAD and click "create app role".
- You should add 2 roles to your application. You can name them however you want, but one role should represent instructors/invigilators and the other role should represent students. You will need the value later.
Important: Make sure that the users you want to grant access have the newly created roles. To do this, follow these steps:
- Navigate to Enterprise applications in Azure
- Select the newly created application from step 1.
- Assign the roles to groups or specific users under users & groups
- Navigate to Token Configuration in AzureAD and click add optional claims. Select the checkmark for "the Microsoft Graph Email, profile permission". Select the following claims:
- family_name
- given_name
- Navigate to API permissions and select "Grant Admin Consent for Schoolyear".
- You have now set up the application in Azure. Perform the steps below to connect the registered application with Schoolyear.
Step-by-step configuration in the Schoolyear Dashboard
- Navigate to the Admin Console in the Schoolyear Dashboard and select Login settings. Under SSO Provider, select "Azure AD".
- Collect the email domains with which employees and students will later log in to Schoolyear or participate in the device check and fill these in at "Email Domains" in the Schoolyear Dashboard.
- Copy the "directoryID" from the registered application and paste this value under "Directory (tenant) ID" in the Schoolyear Dashboard.
- You can find the directory ID in the OIDC endpoint as well. Example: https://login.microsoftonline.com/<directory ID>/v2.0
- Copy the "Application ID" for the registered application and paste this value under "Client ID" in the Schoolyear Dashboard.
- Navigate to "Certificates & Secrets" in AzureAD and create a new secret. Then paste the value under "Client Secret" in the Schoolyear Dashboard. Make sure you copy the value.
- Under "Roles with Users Access", select which roles should have access to the Schoolyear Dashboard. To select a role, type the exact value as set up in the registered application.
- For example: "instructor"
- Usually, all employees of a university have access.
- Under "Roles with Laptop Check Access", select which roles should have access to the device check of Schoolyear. To select a role, type the exact value as set up in the registered application.
- For example: "student"
- Usually, employees and students of a university have access.
- Click Save.
- To check if everything is set up correctly, you can perform a device check at check.schoolyear.app
Set up a custom SSO OpenID Connect integration
Set up a new integration with your SSO provider. This process is different for every SSO provider. Once you have set up the new integration, you can follow the step-by-step guide. Some things are common to all SSO providers:
- You'll have to add a list of allowed URLs. Usually these are similarly named to "web app integrations". You have to add the following URLs
- You should add 2 roles to your application. You can name them however you want, but one role should represent instructors/invigilators and the other role should represent students.
- Schoolyear requires the following claims. If possible, add these claims to your ID token; this will speed up your login process.
- First name
- Last name
- Roles
- Some organisation ID (such as your Directory ID)
Step-by-step configuration in the Schoolyear Dashboard
- Navigate to the Admin Console in the Schoolyear Dashboard and select Login settings. Under SSO Provider, select "Custom OIDC".
- Collect the email domains with which employees and students will later log in to Schoolyear or participate in the device check and fill these in at "Email Domains" in the Schoolyear Dashboard.
- Copy the Organization ID and paste this value under "Organization ID" in the Schoolyear Dashboard.
- Copy the OIDC endpoint and paste this value under "OIDC discovery URL" in the Schoolyear Dashboard.
- This is the URL that ends in /.well-known/openid-configuration
- Copy the Client ID and paste this value under "Client ID" in the Schoolyear Dashboard.
- Generate and copy the Client Secret and paste this value under "Client Secret" in the Schoolyear Dashboard.
- In the Schoolyear Dashboard, select which additional scopes need to be included
- Under Roles with Users Access, select which roles should have access to the Schoolyear Dashboard. To select a role, type the exact wording as set up in your SSO provider. For example: "instructor"
- Usually, all employees of a university have access to this.
- Under Roles with Laptop Check Access, select which roles should have access to the device check of Schoolyear. To select a role, type the exact wording as set up in your SSO provider. For example: "instructor"
- Usually, employees and students of a university have access to this.
- For each of the claims, you must specify the property name of the claim and select whether it is part of the ID token or the UserInfo. If all properties are part of the ID token, the UserInfo endpoint is not called and the login process will be quicker.
- Click Save.
- To check if everything is set up correctly, you can perform a device check at check.schoolyear.app
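Before saving the claim mapping and role settings described above (for Entra ID or a custom OIDC provider), it helps to inspect a test user's ID token and see which required claims it actually carries and which roles it presents. The following is an added example, not Schoolyear's code: it decodes a token payload for inspection, lists the claims that would have to come from UserInfo, and applies the role lists by exact match. The claim property names (`given_name`, `family_name`, `roles`, `tid`, modelled on Entra ID), the role values, the function names and the sample tokens are all assumptions or constructed data.

```python
import base64
import json

# Assumed claim property names (modelled on Entra ID); replace with your own.
CLAIM_MAP = {"first_name": "given_name", "last_name": "family_name",
             "roles": "roles", "organisation_id": "tid"}
# Sample role values: the exact strings typed into the Schoolyear Dashboard.
USERS_ACCESS_ROLES = {"instructor"}
LAPTOP_CHECK_ROLES = {"instructor", "student"}


def decode_payload(id_token):
    """Decode a JWT payload for inspection only; the signature is not verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def preflight(id_token, claim_map=CLAIM_MAP):
    """Report missing claims and the access the token's roles would grant."""
    claims = decode_payload(id_token)
    missing = sorted(name for name, prop in claim_map.items()
                     if claims.get(prop) in (None, "", []))
    roles = claims.get(claim_map["roles"]) or []
    if isinstance(roles, str):  # a single role may arrive as a plain string
        roles = [roles]
    return {
        "missing_from_id_token": missing,
        "needs_userinfo": bool(missing),  # these must be mapped to UserInfo
        "users_access": bool(USERS_ACCESS_ROLES & set(roles)),  # exact match
        "laptop_check_access": bool(LAPTOP_CHECK_ROLES & set(roles)),
    }


def make_sample_token(claims):
    """Build a constructed sample token (empty header, fake signature)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"e30.{body.decode()}.constructed"  # "e30" is base64url of "{}"


STUDENT = make_sample_token({"given_name": "Sam", "family_name": "Jansen",
                             "roles": ["student"], "tid": "constructed-tenant"})
NO_ROLES = make_sample_token({"given_name": "Alex", "tid": "constructed-tenant"})

if __name__ == "__main__":
    for label, token in (("student", STUDENT), ("no roles", NO_ROLES)):
        print(label, preflight(token))
```

A token with no `roles` claim usually means the user or group was never assigned one of the two roles in the identity provider, which is the case the "Important" note in the Entra ID steps addresses.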
Set up SSO SURFconext integration
Step-by-step
- Go to your SURFconext dashboard and go to 'Attributes'. Here you will find the 'SchacHomeOrganisation' of your institution. Send this URL to support@schoolyear.com.
- Collect the e-mail domains that employees and students will use to log into Schoolyear or will use to do the device check, and send the domains to team@schoolyear.com.
- Schoolyear sends a request to SURF to establish the SSO connection with Schoolyear. The institution will receive a message from SURF that it needs to approve. Please let us know once the approval has taken place. Schoolyear can then activate the account and finish the SSO connection.
Set up SSO Entree integration
Step-by-step
- Collect the email domains with which employees and students will later log in to Schoolyear or participate in the device check, and send these to support@schoolyear.com.
- Send a request (see attached form) for the SSO (Single Sign-On) connection with Schoolyear to Kennisnet Entree. Kennisnet will then get back to you when the connection is ready. After that, Schoolyear can activate the account and complete the SSO connection.