Azure (SSO)

Azure Active Directory single sign-on (SSO) integration with Campus Cafe

Campus Cafe can utilize Microsoft Azure Active Directory to authenticate users logging in to Campus Cafe. If you want applicants and students to automatically be created in Azure upon their creation in Campus Cafe, you should follow these directions and then configure Azure Activity Directory to create accounts.

In this tutorial, you'll learn how to integrate Campus Café with Azure Active Directory (Azure AD). When you integrate Campus Café with Azure AD, you can:

  • Control in Azure AD who has access to Campus Café.

  • Enable your users to be automatically signed-in to Campus Café with their Azure AD accounts.

  • Manage your accounts in one central location - the Azure portal.

To learn more about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory.

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.

  • Campus Café web-based product.

  • Contact Campus Cafe support for a metadata file.

Scenario description

In this tutorial, you configure and test Azure AD SSO

Adding Campus Cafe from the gallery

To configure the integration of Campus Café into Azure AD, you need to add Campus Café from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

  2. In the upper left click the three-bar main menu.

  3. On the left navigation pane, select the Azure Active Directory.

    AzureActiveDirectory.png
  4. Navigate to Enterprise Applications and then select All Applications.

    Enterpriseapplications.png
  5. To add new application, select New application.

  6. In the Search application box, type Campus Café 

  7. Click Campus Café 

  8. Click Create

  9. Wait a few seconds while the app is added to your tenant; a new screen will appear; when the new screen appears proceed to choosing groups/users that may access Campus Cafe

Choose Microsoft groups/users that may access Campus Cafe

Specify the Microsoft groups and/or specific users that may access Campus Cafe. Campus Cafe recommends first giving access to a test user and then returning to add the production groups/users.

  1. Click the Assign users and groups tile

  2. Click Add user

  3. Choose your group(s) or specific user(s) and Assign them

Set up single sign on

  1. Return to the Campus Cafe overview screen. If you were on the Users and Groups screen, on the left click overview

  2. Click the Set up single sign on tile

  3. Click SAML

  4. Click Upload metadata file

  5. Choose the file sent from Campus Cafe support

  6. Click Add

  7. A new sidebar will open and the relevant fields will populate automatically based on the metadata file

  8. In the Sign-on URL text box, type a URL using the following pattern: https://{Your-School-Code}-web.scansoftware.com/cafeweb/loginsso

  9. Click Save

  10. In the upper right click the X

  11. Do not Test if given the option

Set up Certificate

  1. In the SAML Signing Certificate box, click Add a certificate

  2. Click New Certificate
    Signing Option: Sign SAML assertion
    Signing Algorithm: SHA-256

  3. Click Save

  4. In the upper right click the X

  5. In SAML Signing Certificate box next to Federation Metadata XML click Add a certificate

  6. For the Signing Option choose Sign SAML assertion

  7. For the Signing Algorithm choose SHA-256

  8. Click Save

  9. The SAML Signing Certificate should now appear; Next to Federation Metadata XML click Download

  10. Save the file to your computer

  11. Send the file to Campus Cafe support

Users in Campus Cafe

For a SSO user to authenticate with Azure, the user must have a user account in Campus Cafe. The username in Campus Cafe must match the Azure username. If you want applicants and students to automatically be created in Azure upon their creation in Campus Cafe, you should follow these directions and then configure Azure Activity Directory to create accounts.

Manually create account in Campus Cafe

  1. Navigate to Admin > Permission Maintenance

  2. Click Lookup Person

  3. Search for the individual for which to create or edit an account and select the individual

  4. In the Permission Group drop down choose the Campus Cafe permission group that will control access within Campus Cafe

  5. In the Username box enter the user's Azure username (typically the user's institution-provided email)

  6. Ensure the Password is blank

  7. Click Save

Campus Cafe recommends removing all passwords stored in Campus Cafe to avoid conflicting credentials.

Disable Campus Cafe Password Change

With Azure controlling authentication, users should change passwords through Azure, not Campus Cafe. To avoid confusion, Campus Cafe recommends disabling the change password link for all Campus Cafe permission groups. Set permissions #206 and #235 to NA for all permission groups.

Configure Error Message for User Not in Campus Cafe

If a user belongs to a Google organization that has access to Campus Cafe, the user will see a link to Campus Cafe in his or her Google App Launcher (the nine dots in the upper right). If the Google user does not have an account in Campus Cafe, an error will be displayed. 

To customize the error message:

  1. Navigate to Admin > Adjustable Text

  2. Locate LOGINSSO_ERROR

  3. Click the pencil next to LOGINSSO_ERROR 

  4. In the Value box (the large box) enter the error message to display to a user (e.g. You do not have access to Campus Cafe. Contact IT Support at 555-5555 for assistance.)

  5. Click Save

  6. Refresh the cache by navigating to Admin > Refresh Data Cache

Configure Campus Cafe Logout Button Behavior

By default, clicking the logout button in Campus Café does not end the SSO session. With the SSO session still active, a user will be able to access Campus Café without logging in.

Configure Campus Café logout button to end SSO session

  1. Navigate to Admin > Web App Config

  2. Locate parameter LOGOUT_SSO_URL

  3. In the Value box enter https://***-web.scansoftware.com/Shibboleth.sso/Logout replacing *** with your school code

  4. Click Save

Time Out Behavior

By default, Campus Café signs out a user after 30 minutes of inactivity. (This may be extended by contacting Campus Café support.) However, the user’s SSO session will remain active for as long as configured through the SSO. If the SSO session is still active, the user can access Campus Café without logging in. Essentially, the SSO time out setting takes precedence over the Campus Café time out.

Accessing Campus Cafe (Sign on Link)

Once SSO and users are configured, users can access Campus Cafe by through the Office.com portal by clicking All apps then Campus Cafe. Alternatively, users can be directed to https://{Your-School-Code}-web.scansoftware.com/cafeweb/loginsso