Setting up Single Sign-on (SSO) for your School

Activating Single Sign-On (SSO) via SAML 2.0 for users on your Atomi account.

Written by Tom O'Donahoo
Updated over a week ago

Setting up Single Sign-on (SSO) allows students and staff to log in to Atomi securely using your school's existing Identity Provider (IdP). With SSO enabled, students and staff won’t have to remember their Atomi passwords, and it makes it simpler to control who has access to Atomi at your school.

Atomi allows SSO via any system that supports the SAML 2.0 protocol. The good news is that this is the case for almost all modern directory services, including Google GSuite, Azure Active Directory, Microsoft ADFS, Clever, Okta and many more. If you’re not sure if your system is supported, please ask your Atomi account manager or contact support to check.

Although setting up SSO is simple, we recommend that this is done by someone familiar with configuring your school’s Identity Provider, such as a member of your IT team. The Atomi team is happy to support you or your technical contact through this process, so please don’t hesitate to reach out to support@getatomi.com if you have any questions.

Setting up SAML SSO for your School


Step 1: Configure Atomi in your School’s Identity Provider (IdP).

You’ll need to add Atomi as a new Service Provider (SP) in your school’s Identity Provider (IdP). During this process, you will be asked to enter Atomi’s SAML metadata which is available at the following link: https://learn.getatomi.com/saml-metadata.

Technical notes:

  1. In order to prevent man-in-the-middle attacks, Atomi does not support Identity Provider Initiated logins at this time.

  2. The default SAML configuration for most providers works out of the box, but for some systems, you may need to configure the assertions manually. When a user logs in via SSO, we use the user’s email address to match them to their Atomi account. To do this, we require that the NameID attribute is asserted during the SAML exchange process, formatted as per http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
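
The two technical notes above can be checked against a test login before you request activation. The following is an added example, not Atomi's code: it inspects a decoded SAML Response (for instance one copied from a browser SAML tracer) and reports whether it answers an SP-initiated request and whether NameID carries an email address. It assumes that "formatted as per" refers to the NameID Format attribute; the sample responses and the check_response and sample names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# URI quoted in technical note 2. Treating it as the value of the NameID
# Format attribute is an assumption of this example.
EMAIL_FORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_response(xml_text):
    """Return a list of problems in a decoded SAML Response (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    # An SP-initiated login answers an AuthnRequest, so the Response carries
    # InResponseTo; an IdP-initiated (unsolicited) Response does not.
    if not root.get("InResponseTo"):
        problems.append("no InResponseTo: looks like an IdP-initiated login")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID is not asserted")
        return problems
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is %r" % name_id.get("Format"))
    if not EMAIL_RE.match((name_id.text or "").strip()):
        problems.append("NameID value is not an email address")
    return problems


def sample(name_id_xml, in_response_to=' InResponseTo="_req1"'):
    """Build a constructed, unsigned Response (not captured from a real IdP)."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0"%s>'
        "<saml:Assertion><saml:Subject>%s</saml:Subject></saml:Assertion>"
        "</samlp:Response>" % (NS["samlp"], NS["saml"], in_response_to, name_id_xml)
    )


GOOD = sample('<saml:NameID Format="%s">student@myschool.example</saml:NameID>' % EMAIL_FORMAT)
BAD = sample('<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
             "a81f</saml:NameID>", in_response_to="")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_response(doc) or "OK")
```

An encrypted assertion has to be decrypted before this check can see NameID, and the script does not verify signatures.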


Step 2: Ensure the correct users or groups have access to Atomi in your IdP.

When you create a new Service Provider, you will need to choose the users or groups that can access it. Ensure that all the users who will need access to Atomi have been granted permission to use the new Service Provider you added in Step 1.


Step 3: Ensure all your students and teachers have been set up with an Atomi account login.

Each user will need to have an activated Atomi account to log in using SSO. If you haven’t set up all your users, you can invite them to your school account via your account settings or ask our team to invite all your users based on your class lists. For more info, see our guide to setting up your school account.


Step 4: Request to enable SSO on your school’s Atomi account.

Have either an Admin or the Owner of your school's Atomi account email a request to support@getatomi.com in the following format:

Hi Atomi,

I have completed Steps 1 and 2 of the Atomi SSO setup guide and I am ready for SSO to be activated on my account.

The details of our SAML setup are as follows:

The name of my school is: <Insert school name here>

The system we use as our identity provider (IdP) is: <Insert the name here, e.g. ADFS, Azure Active Directory, Google GSuite etc.>

My SAML metadata is attached to this email, or publicly available at the following URL: <Insert your SAML metadata URL here, e.g. https://myschool.com/saml or attach a copy of your metadata XML file to the email and just say 'Attached'>

I’d like the following email address to be listed as the technical contact for SSO issues with my account: <Insert the appropriate contact email here>

I understand that once SSO is activated on my account, all users will receive an email letting them know that at their next login they will be redirected to our school’s SSO application, and they will no longer be able to access Atomi using their email and password: <Insert “I understand” here>

Signed,
<Insert your name here>
