Skip to main content

Setting-up Azure Entra with Classlink

Notes

This is an all or none type of configuration. Once enabled all users of the domain will be redirected to Launchpad for authentication in all Microsoft applications. Users previously Authenticated to Office 365/Entra ID (Azure AD) may need to reauthenticate their desktop applications. Office365 Administrator accounts will not be affected by this workflow.

Prerequisites

  • Authenticate to LaunchPad with AD (technically could be Google as well but unlikely)
      • District’s Azure user profile must contain an ImmutableI   
      • If the district uses Azure AD Connect, it’s handled  
      • If the district enters users manually, it’s handled  
      • If the district uses OneSync for Azure, it can be handled in the configuration
  • Add Verified Domain to Entra ID (Azure AD)
    •  Do not make it primary.
  • Install MSOnline PowerShell module
  • Install Azure Active Directory Connect and configure it Do not federate via this method.
  •  Active Directory should be connected in launchpad under settings > domain gear icon
  •  Active Directory Groups should be imported into launchpad

Step 1

1.       In the Classlink tenant SAML Console, Create a new SAML configuration by copying existing and selecting “A New SAML App (template)”

2.       Configure the following options.

o   Metadata URL

          https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationme tadata.xml

o   Loginurl with custom login, e.g. https://launchpad.classlink.com/<customurl>

o   Attribute Mapping

          Select “Custom Attribute”

     Change name of the custom attribute to “IDPEmail”

     Add {email} in the data field

o   MetaOverrides

          Logout Service URL (POST)

     https://login.microsoftonline.com/common/oauth2/logout

          NamedID Format

     Persistent

          NameID Custom Value

     {ldapguid:hexbase64}


o   Save or Update

Step 2

     Copy the metadata URL and modify the PowerShell Script below

     Use this PowerShell Script, change the file extension to “.ps1” after downloading - You may need to unblock the file and change your execution policy on the server

o   https://drive.google.com/file/d/1RygKi9I7PmLio6yL1EWihQbn3jerS68X/view?usp=drive

_link

Azure AD PowerShell Code 
<#
.SYNOPSIS
    Federate Microsoft Entra ID (Azure AD/Microsoft Online Services) to ClassLink for IdP Services.

    Change the <GUID> in the $idpMetadataUrl to be the GUID from your SAML console App.
    Change $DomainName to match your domain name that is going to be Federated
    Change the script extension to ".ps1"

    *NOTE: you may need to set the PowerShell Execution Policy to remote signed or bypass temporarily.

#>

Install-Module -Name MSOnline
Import-Module MSOnline

$idpMetadataUrl = "https://idp.classlink.com/sso/metadata/<GUID>"

$DomainName = "<your domain name>"
$metadataxml = [Xml](Invoke-WebRequest -Uri $idpMetadataUrl -ContentType "application/xml").content

$cert = -join $metadataxml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $metadataxml.EntityDescriptor.entityID
$logOnUri = $metadataxml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$LogOffUri = $metadataxml.EntityDescriptor.IDPSSODescriptor.SingleLogoutService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$brand = "ClassLink Identity"
Connect-MsolService
$DomainAuthParams = @{
    DomainName = $DomainName
    Authentication = "Federated"
    IssuerUri = $issuerUri
    FederationBrandName = $brand
    ActiveLogOnUri = $logOnUri
    PassiveLogOnUri = $logOnUri
    LogOffUri = $LogOffUri
    SigningCertificate = $cert
    PreferredAuthenticationProtocol = "SAMLP"
}

Set-MsolDomainAuthentication @DomainAuthParams

 

     Hit enter key to run

o   If you receive an error regarding scripts being disabled.

          Open an elevated PowerShell prompt

          Type the following without Quotation Marks “set-executionpolicy remotesigned

-force”

          This will allow local PowerShell scripts to run

     If you use an account that is being federated (using the custom domain instead of an onmicrosoft.com domain) https://portal.azure.com should redirect you to https://launchpad.classlink.com/<customurl> for login from now on, along with any other Microsoft Service

Step 3:

     Make sure you have break-glass accounts within Microsoft in case something happens.

     https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-acc ess

Revert to Entra ID (Azure AD) Managed Authentication

1.       Open PowerShell

a.       Run the command

i.       Connect-MsolService

b.       After authenticating to your Entra ID (Azure AD) Tenant

c.       Run the command

i.       Set-MsolDomainAuthentication -authentication managed -domainName

<domainname>

ii.       Replace <domainname> with your domain you wish to remove federation

Back to top