SSO Integrations
The SSO Integrations section allows institutions to manage how AmpEducator connects with external systems for secure authentication using OAuth 2.0 and OpenID Connect (OIDC). These tools make it possible for users to sign in using existing accounts from supported providers, or for AmpEducator itself to serve as an identity provider for other platforms.

This area is designed primarily for IT administrators or technical staff who manage authentication and integrations. It contains two parts:

- External Identity Providers (OAuth) – configure external OAuth 2.0-enabled login providers so users can log in to AmpEducator using their existing credentials (e.g., Google, Microsoft).
- Connected Applications (OIDC) – set up external systems, such as LMS platforms, to use AmpEducator as their identity provider.

External Identity Providers (OAuth)

The External Identity Providers (OAuth) section allows institutions to configure external OAuth 2.0-enabled authentication providers so users can log in to AmpEducator using existing accounts, such as Google or Microsoft. When configured, AmpEducator uses the user's email address to identify their account during login. Because the email address is what links the external login to the AmpEducator account, only connect providers that verify ownership of the addresses they assert: a provider that lets anyone register an arbitrary, unverified address would let that person log in as whichever AmpEducator user holds it.

The callback URLs displayed on this page must be added as valid callbacks in your provider's configuration. These URLs are specific to your institution and must be entered exactly as shown; most providers match the registered and requested callback as exact strings, so a different scheme, host, path, or trailing slash causes the login to be rejected.

AmpEducator supports both 3-legged OAuth and OpenID Connect (OIDC). Supported signing methods: HS256 and RS256 (an HS256 ID token is verified with the shared client secret, an RS256 token with the provider's published public key).

Once a provider is added, you can use the gear icon beside it to test the connection and confirm that it is working properly.

Adding a New OAuth Provider

To create a new provider connection, click New OAuth Provider. This opens a setup window where you can define the provider details and select between OpenID Connect or OAuth 2.0 as the provider type.

- Provider Type – choose between OpenID Connect (OIDC) or OAuth 2.0. OpenID Connect is an identity layer built on top of OAuth 2.0, typically supporting scopes like openid profile email.
- Status – it is recommended to keep the provider disabled until it has been tested successfully.
- Name – the name of the provider (e.g., "Google Sign In").
- Description – (optional) any notes or context about this connection.
- Discovery Document URL – if the provider supports auto-discovery, enter the discovery URL (usually formatted as https://{baseurl}/.well-known/openid-configuration) and click Auto Populate to fill the endpoint fields automatically.
- Auth Endpoint, Token Endpoint, Client ID, Secret Key – enter the required credentials provided by your OAuth service.
- Scopes – defines which permissions to request from the provider. For OpenID Connect, this is typically openid profile email.

Once all required fields are completed, click Add to save the provider. After saving, use the gear icon beside the provider to test and verify authentication.

Connected Applications (OIDC)

The Connected Applications (OIDC) section allows institutions to configure external systems to use AmpEducator as an identity provider. This enables other applications, such as Moodle, to let users log in using their AmpEducator credentials. Each external application that uses AmpEducator for authentication must have its own OIDC client created and configured in this section.

The Configuration Info panel lists the URLs and supported parameters your external application will need to connect successfully, including:

- Issuer URL – the base URL for AmpEducator's OpenID configuration.
- Discovery Doc URL – provides details about supported endpoints and capabilities.
- Authorization URL, Token URL, User Info URL – standard endpoints for handling user authentication, token exchange, and user data.
- JWKS URL – lists the public keys that external applications use to verify tokens signed by AmpEducator.
- Supported Parameters – includes response types, scopes (openid profile email), token authentication methods (client_secret_basic), and signing algorithm (RS256).

Adding a New OIDC Client

To connect a new system, click New OIDC Client. This opens a modal where you can define the new client and its redirect settings.

- Client Name – a descriptive name for the client (e.g., "Moodle Login").
- Client ID – a unique identifier that can include letters, numbers, dashes (-), underscores (_), and periods (.). Spaces are not allowed.
- Redirect URIs – one or more redirect URLs for your external application, each on a separate line and beginning with https://.

Once the client is added, AmpEducator automatically generates a client secret. The external application presents this secret to the Token URL (client_secret_basic), so store it as a secret on that side and revoke the client here if it is ever exposed. You can then use the configuration information displayed above (Issuer URL, Authorization URL, Token URL, etc.) to complete setup in your external application. Clients can be edited, revoked, or restored as needed.

Rotate Keys

AmpEducator uses cryptographic keys to sign tokens for authentication. These keys can be rotated manually to improve security or when required by your institution's policy. To rotate your keys, click More Actions → Rotate Keys. A new set of keys will be generated and applied automatically, and the Key Rotation field in the Configuration panel will update to show the most recent rotation date.

Key rotation does not affect existing OIDC clients; they continue to function immediately using the new keys. An external application that caches the key set must re-read the JWKS URL to pick up the new key: standard OIDC client libraries do this automatically when a token names a key ID (kid) they have not seen, but an application that pinned a single key will reject tokens until it refetches. Keys can only be rotated once every 24 hours to ensure stability for existing clients. It is recommended to rotate keys approximately every six months.
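The following is an added example, not code from AmpEducator or from this page, showing the relying-party side of the External Identity Providers setup described above in Go against the standard library: what Auto Populate takes from a discovery document (with the two checks worth making on it), how the authorization request to the Auth Endpoint is built with the callback URL, scopes, state, nonce and PKCE, and how the callback is checked before the code is redeemed. The discovery document, the provider idp.example.edu, the client ID and the callback URL are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

const wellKnown = "/.well-known/openid-configuration"

// Discovery is the part of a provider's discovery document that Auto Populate
// copies into the Auth Endpoint and Token Endpoint fields.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// ParseDiscovery refuses a document unless its issuer is the URL it was fetched from (minus the
// well-known path) and every endpoint is an absolute https URL, so a mistyped or attacker-chosen
// discovery URL cannot point logins at a foreign endpoint.
func ParseDiscovery(discoveryURL string, doc []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil { return nil, err }
	want := strings.TrimSuffix(discoveryURL, wellKnown)
	if want == discoveryURL || strings.TrimSuffix(d.Issuer, "/") != want {
		return nil, fmt.Errorf("issuer %q does not match discovery URL %q", d.Issuer, discoveryURL)
	}
	for name, ep := range map[string]string{"issuer": d.Issuer, "authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint": d.TokenEndpoint, "jwks_uri": d.JWKSURI} {
		if u, err := url.Parse(ep); err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("%s must be an absolute https URL, got %q", name, ep)
		}
	}
	return &d, nil
}

// AuthRequest is the redirect that starts a login plus the per-login secrets the callback
// handler keeps server side, tied to the user's session, to validate the response.
type AuthRequest struct {
	URL          string
	State        string // echoed back on the callback: binds the response to this login
	Nonce        string // echoed back inside the ID token: binds the token to this login
	CodeVerifier string // PKCE secret, presented to the token endpoint when redeeming the code
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil { panic(err) } // no usable CSPRNG: refuse to start a login
	return base64.RawURLEncoding.EncodeToString(b)
}

// CodeChallenge derives the PKCE S256 challenge sent with the authorization request.
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewAuthRequest builds the authorization code request; callback must be one of the
// callback URLs registered with the provider, character for character.
func NewAuthRequest(d *Discovery, clientID, callback string, scopes []string) (*AuthRequest, error) {
	u, err := url.Parse(d.AuthorizationEndpoint)
	if err != nil { return nil, err }
	r := &AuthRequest{State: randomToken(), Nonce: randomToken(), CodeVerifier: randomToken()}
	q := u.Query()
	for k, v := range map[string]string{"response_type": "code", "client_id": clientID,
		"redirect_uri": callback, "scope": strings.Join(scopes, " "), "state": r.State, "nonce": r.Nonce,
		"code_challenge": CodeChallenge(r.CodeVerifier), "code_challenge_method": "S256"} {
		q.Set(k, v)
	}
	u.RawQuery = q.Encode()
	r.URL = u.String()
	return r, nil
}

// CheckCallback validates the provider's redirect back to the callback URL and returns the code
// to redeem. The state is compared in constant time before anything else is looked at, so a
// callback not produced for this login (CSRF, replay) is dropped.
func CheckCallback(r *AuthRequest, callbackURL string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil { return "", err }
	q := u.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(r.State)) != 1 {
		return "", fmt.Errorf("state mismatch: response does not belong to this login")
	}
	if e := q.Get("error"); e != "" || q.Get("code") == "" {
		return "", fmt.Errorf("no authorization code (error=%q %s)", e, q.Get("error_description"))
	}
	return q.Get("code"), nil
}

// Constructed sample discovery document; not fetched from any real provider.
const sampleDiscovery = `{"issuer": "https://idp.example.edu",
 "authorization_endpoint": "https://idp.example.edu/authorize",
 "token_endpoint": "https://idp.example.edu/token",
 "jwks_uri": "https://idp.example.edu/.well-known/jwks.json"}`

func main() {
	d, err := ParseDiscovery("https://idp.example.edu"+wellKnown, []byte(sampleDiscovery))
	if err != nil { panic(err) }
	r, _ := NewAuthRequest(d, "ampeducator-client", "https://school.example.edu/sso/callback", []string{"openid", "profile", "email"})
	fmt.Println("redirect the browser to:", r.URL)
	fmt.Println(CheckCallback(r, "https://school.example.edu/sso/callback?code=abc123&state="+url.QueryEscape(r.State)))
}
```

Between NewAuthRequest and CheckCallback the State, Nonce and CodeVerifier have to be kept server side against the user's session. The exchange of the code (together with CodeVerifier and the client secret) at the Token Endpoint and the checks on the returned ID token, including that its nonce matches, follow afterwards and are not shown here.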
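Added example, not AmpEducator's or Moodle's code, for the Connected Applications and Rotate Keys sections: a toy issuer that signs RS256 ID tokens and publishes its public key under a kid, and a relying party that verifies them the way a connected application must (alg pinned to RS256, signature checked against the key the kid names, then iss, aud and exp) and refetches the key set only when it sees an unknown kid. That refetch is what lets a client keep working across a rotation without being reconfigured. The issuer URL, client ID and user are constructed; the toy publishes only its current key, so tokens signed before a rotation stop verifying once the relying party has refreshed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding
// KeySet is the parsed JWKS: kid -> RSA public key (the document carries n and e as base64url).
type KeySet map[string]*rsa.PublicKey
// Issuer stands in for AmpEducator as identity provider: Rotate installs a fresh signing
// key under a new kid, JWKS publishes the current public key, IDToken signs with it.
type Issuer struct {
	URL string
	key *rsa.PrivateKey
	kid string
	gen int
}
func (i *Issuer) Rotate() error {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	i.key, i.gen, i.kid = k, i.gen+1, fmt.Sprintf("kid-%d", i.gen+1)
	return err
}
func (i *Issuer) JWKS() KeySet { return KeySet{i.kid: &i.key.PublicKey} }
// IDToken issues a compact RS256 JWS for one connected application (the aud claim).
func (i *Issuer) IDToken(clientID, email string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": i.kid})
	body, _ := json.Marshal(map[string]any{"iss": i.URL, "aud": clientID, "sub": email,
		"email": email, "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig), err
}
// Verifier stands in for the connected application (e.g. Moodle). It caches the JWKS and
// refetches it only on an unknown kid, which is what carries it across a key rotation.
type Verifier struct {
	Issuer, ClientID string
	FetchJWKS        func() KeySet // in production an HTTPS GET of the JWKS URL
	Refetches        int
	cache            KeySet
}
func (v *Verifier) keyFor(kid string) (*rsa.PublicKey, error) {
	if _, known := v.cache[kid]; !known {
		v.cache, v.Refetches = v.FetchJWKS(), v.Refetches+1
	}
	if k, ok := v.cache[kid]; ok { return k, nil }
	return nil, fmt.Errorf("no key with kid %q at the JWKS URL", kid)
}
type Claims struct {
	Iss, Aud, Sub, Email string
	Exp                  int64
}
// Verify accepts RS256 only, checks the signature with the key the kid names, then iss, aud
// and exp. The claims are parsed up front but trusted only after the signature has verified.
func (v *Verifier) Verify(token string, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return nil, fmt.Errorf("malformed token") }
	var hdr struct{ Alg, Kid string }
	var c Claims
	for i, dst := range []any{&hdr, &c} { // header segment, then claims segment
		if raw, err := enc.DecodeString(p[i]); err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, fmt.Errorf("malformed segment %d", i)
		}
	}
	if hdr.Alg != "RS256" { // never let the token pick the algorithm
		return nil, fmt.Errorf("refusing alg %q", hdr.Alg)
	}
	pub, err := v.keyFor(hdr.Kid)
	if err != nil { return nil, err }
	sig, err := enc.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	if c.Iss != v.Issuer || c.Aud != v.ClientID || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

func main() {
	idp := &Issuer{URL: "https://ampeducator.example.edu"} // assumed issuer URL
	rp := &Verifier{Issuer: idp.URL, ClientID: "moodle-login", FetchJWKS: idp.JWKS}
	for _, step := range []string{"before rotation", "after rotation"} {
		if err := idp.Rotate(); err != nil { panic(err) } // second pass rotates; rp is not reconfigured
		tok, _ := idp.IDToken("moodle-login", "student@example.edu", time.Now())
		c, err := rp.Verify(tok, time.Now())
		fmt.Println(step+":", c, err, "JWKS fetches:", rp.Refetches)
	}
}
```

If a connected application pins a key instead of re-reading the JWKS URL, it will reject every token issued after a rotation; check that behaviour against a test client before rotating in production.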