Active Directory SSO illustrated setup guide

This method might be new to you, but some pictures should help.

These instructions and screen images apply to Azure Active Directory. We will not be directly creating an 'Enterprise application' in AD, since that method doesn't enable the OIDC option.

1) In Active Directory, select App registrations.

2) Click New registration at the top of the blade.

  • On the app registration screen, enter BECOME Education Apps as the Name.
  • Select the account type: Single tenant. If you are configuring for a school system that has schools in multiple AD directories, pick Multitenant without personal accounts.
  • Select Web in the Redirect URI section and enter https://ident.become.me/oauth2/callback
  • Click the Register button.

3) Click Certificates & Secrets and then + New client secret.

  • Type BECOME Education secret in the Description field.
  • Set Expires to 24 months (this is the maximum period supported).
  • Click Add.

4) Immediately copy the secret generated by Azure. The value is displayed only once, right after the secret is created; if you lose it you will have to create a new secret. We'll need this in the email you are sending.

Record the Value property of the BECOME Education secret (the Value column, not the Secret ID). This is the Client Secret that you need to provide to BECOME support.

5) Click Token configuration then + Add optional claim

  • Select ID as the Token type.
  • Tick the email option in the claim section.
  • Click the Add button.

6) This message box will appear. Tick Turn on the Microsoft Graph email permissions and press Add as shown:

7) The Optional claims section should look like this now:

8) Return to the top level of Active Directory and click App registrations in the left panel. You should see BECOME Education Apps in the app list.

Record the Application (client) ID value for BECOME Education Apps.

9) Click the Endpoints icon at the top of the App registrations blade.

Record the OpenID Connect metadata document address.

10) Create an email to support@become.education. Please provide your contact details, school, and the following details:

  • Application (client) ID
  • Client Secret value
  • URL for endpoint discovery / metadata document

11) Send the email to Support.

  • We will configure our system and create a test account for you.
  • When the account is available, connect to each of our apps and attempt to log in.
  • More details about how to verify your test results will be provided in the email response from us.
  • You'll need to consent to the permissions request for your organization.
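As an added example (not part of this guide or of BECOME's software), a Python pre-flight check a relying party could run after the test login in step 11: it parses the OpenID Connect metadata document from step 9, builds the authorization request with the redirect URI from step 2 and the email scope from step 5, and reports whether the returned ID token carries the expected issuer, audience and email claim. The tenant ID, client ID, metadata document and ID token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

REDIRECT_URI = "https://ident.become.me/oauth2/callback"  # redirect URI registered in step 2

# Constructed, abridged OpenID Connect metadata document. The real one is fetched from the
# address recorded in step 9; <TENANT-ID> is a placeholder for your directory's tenant id.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/<TENANT-ID>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/<TENANT-ID>/discovery/v2.0/keys",
})

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def load_metadata(doc: str) -> dict:
    """Parse the discovery document and insist on the fields a relying party needs."""
    meta = json.loads(doc)
    missing = [k for k in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri") if k not in meta]
    if missing:
        raise ValueError(f"metadata document is missing {missing}")
    return meta

def build_authorize_url(meta: dict, client_id: str, state: str, nonce: str) -> str:
    """Authorization-code request; the 'email' scope requests the optional claim from step 5."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": state, "nonce": nonce}
    return f"{meta['authorization_endpoint']}?{urlencode(params)}"

def check_id_token(id_token: str, meta: dict, client_id: str) -> list:
    """Decodes the payload only; the signature must still be checked against jwks_uri."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    problems = []
    if claims.get("iss") != meta["issuer"]:
        problems.append("issuer does not match the metadata document")
    if claims.get("aud") != client_id:
        problems.append("audience is not this Application (client) ID")
    if "email" not in claims:
        problems.append("no email claim: check the optional claim and Graph email permission")
    return problems

# Constructed, unsigned sample token with the shape Azure returns after a test login.
SAMPLE_ID_TOKEN = ".".join([_b64url(b'{"alg":"none","typ":"JWT"}'), _b64url(json.dumps({
    "iss": "https://login.microsoftonline.com/<TENANT-ID>/v2.0",
    "aud": "<APPLICATION-CLIENT-ID>", "email": "teacher@example.edu"}).encode()), ""])
```

Signature verification against jwks_uri is deliberately left out; this is a configuration sanity check, not a token validator.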