Switching over from Wonde Single Sign-On to MyLogin?
If you are switching over from the now deprecated Wonde Single Sign-On product, please remember the following:
- You will need to inform Wonde when you begin your setup of MyLogin so that we can switch over your Wonde School Portal to v2, which is required to allow access to the MyLogin setup wizard.
- Once switched over to Wonde School Portal v2, schools will not be able to utilise their Wonde Single Sign-On credentials.
- You will need to redistribute credentials when you've switched over to MyLogin.
- If you previously used Wonde Single Sign-On as the identity provider for Google Workspace and ChromeOS devices, you will need to change the URLs in your SAML profiles or create new ones. This is covered later on in this guide.
- You will need to add your apps again in MyLogin.
- Do not revoke Wonde Single Sign-On from your Wonde School Portal until the end of your MyLogin setup. This is to allow the sharing of credentials for saved password applications between the old and new platforms.
- You will still need the Wonde Chrome extension for saved password apps.
Prerequisites
To configure MyLogin as an identity provider (IdP) for Google Workspace, the following prerequisites must be met:
- You must have Google Workspace set up and devices provisioned in an OU.
- Access to Google Workspace as a super admin.
Before proceeding with the setup, add the app "MyLogin" as a trusted app on this page in the Google Admin Console to avoid connection issues in the first step of the setup wizard.
Complete the MyLogin Device setup wizard
Step by Step guide:
- Navigate to school.wonde.com and log into your school's Wonde School Portal.
- Mouse over the MyLogin Device tile and click Launch (click on the tile and approve the permissions for MyLogin to access the required data via Wonde first, if you haven't yet done so).
- Create a password for your MyLogin admin account.
- Confirm you want to use Wonde as the source of truth for user creation.
- Your new MyLogin users will begin to import from your MIS via Wonde.
- When your users finish importing, click Lets go! to move to the final stage of the setup wizard.
- Select Connect with Google to connect MyLogin to your Google account. If you'd like to connect both Google and Microsoft, you will be able to add Microsoft in Settings once the setup wizard is complete.
Note: Please make sure app.mylogin.com is allowed on your network.
- You can select your user domain and the Organisational Units from which you'd like to make users available for matching.
- Save settings, and then go to Manage connection and Sync users from Google.
- After you have linked the Google Workspace from step 10, go to Users > User matching inside MyLogin and match the Google users to the Wonde data. You can filter the list along the top. We suggest filtering via "suggestion confidence" and then "strong". Look through the list to ensure all users match, then toggle the top left box to select all filtered users and select "accept suggestions for Microsoft". Do the same for Medium and Weak, but please look through carefully to make sure MyLogin is matching them correctly.
- Once all users are matched, you may wish to distribute the credentials to users before making MyLogin the IdP for the Google environment. To do this, head to Users > Overview and use the filters to narrow down the list, toggle the top left box to select all the currently filtered users, and then choose which credentials to download (press the "download" button). This will provide you with a PDF which you can rename to suit. Repeat this for all groups as necessary.
Set up your Google Workspace tenant for signing into Chromebooks using your MyLogin credentials
Step by Step guide:
- Navigate to Security > Authentication > SSO with third-party IdP.
- Click on Third-party SSO profile for your organisation at the top of the page.
- For the Sign-in page URL enter https://app.mylogin.com/saml/login (in Australia use app-ap-southeast.mylogin.com/saml/login).
Obtain your MyLogin Organisation ID from your MyLogin admin dashboard Settings page under Account. Add your MyLogin Organisation ID to the end of the login URL, e.g. https://app.mylogin.com/saml/login/A129183376
- For the Sign-out page URL enter https://app.mylogin.com/logout
- Download our Identity Provider certificate from https://app.mylogin.com/downloads/cert.pem
- Upload the certificate under Verification certificate.
- Enable Use a domain-specific issuer.
Note: You can set up MyLogin as an additional SSO profile rather than the main organisation third-party IdP SSO profile by clicking Add SAML profile under Third-party SSO profiles. You will need to include the entity ID, which will be https://app.mylogin.com/saml/metadata/ with your MyLogin Organisation ID added to the end of the URL; you can find the ID by following step 5 above.
You will also need to assign this SAML profile, in Manage SSO profile assignments, to the organisational unit(s) for the devices on which you want to use MyLogin as the identity provider.
- (Optional) You may wish to limit the effects of MyLogin to a specific sub-set of users. If you have set up an "SSO profile for your organisation" (as opposed to a "Third-party SSO profile"), you may still want that organisational profile to only be in effect for certain Organisational Units.
If this is the case, use the Manage profile assignments section of the "SSO with third-party IdP" page to designate which organisational units are required to use the SSO profile for your organisation and which are not. You can find more on this in the section at the bottom of this article.
- At the bottom of the section, click Save.
- Navigate to Devices > Chrome > Settings > Device Settings.
- Select the Organisational Unit you are using for your MyLogin-enabled Chromebooks on the left-hand side.
- Under Single Sign-On IdP Redirection, set Redirect users to SAML SSO IdP to Allow users to go directly to SAML SSO IdP page.
- Under Single Sign-On Cookie Behaviour, set the configuration to Enable transfer of SAML SSO Cookies into user session during sign-in.
- Under Single Sign-On Camera Permissions, add https://app.mylogin.com (in Australia use app.ap-southeast.mylogin.com) (coming soon)
- Under User data, select Erase all local user data.
- Navigate to Devices > Chrome > Settings > Device settings > Privacy sign-in screen and set it to Always disable the privacy screen on the sign-in screen.
- At the top of the page, click Save.
- Navigate to Devices > Chrome > Settings > User & browsers.
- Select the organisational unit(s) that you want to affect with the third-party IdP on the left of the page.
- Under Security > Single sign-on, set SAML-based Single Sign-On for Chrome OS Devices to Enable SAML-based single sign-on for Chrome devices.
- Search for Cookies; under Content, set Default Cookie Setting to Allow the user to decide OR Allow cookies.
- At the top of the page, click Save.
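The certificate uploaded under Verification certificate is what Google uses to verify MyLogin's SAML responses, so it is worth checking the downloaded cert.pem before uploading it. The script below is an added example, not part of the original guide or of MyLogin's tooling; it assumes the openssl command-line tool is installed, and the function names, return codes and 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload checks for a SAML IdP verification certificate.
# Function names, return codes and the 30-day threshold are assumptions.

# Print the SHA-256 fingerprint of the certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_idp_cert FILE [PINNED_FINGERPRINT]
# Returns 0 when FILE looks safe to upload; otherwise a non-zero code
# with the reason on stderr.
check_idp_cert() {
    file=$1
    pinned=${2:-}
    # The file must hold exactly one certificate ...
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null) || n=${n:-0}
    [ "$n" -eq 1 ] || { echo "expected 1 certificate, found $n" >&2; return 2; }
    # ... and no private key material, which a verification cert never needs.
    if grep -q -- 'PRIVATE KEY-----' "$file"; then
        echo "file contains a private key" >&2; return 3
    fi
    # It must parse as X.509 ...
    openssl x509 -in "$file" -noout >/dev/null 2>&1 ||
        { echo "not a parseable X.509 certificate" >&2; return 4; }
    # ... and remain valid for at least 30 more days (2592000 seconds).
    openssl x509 -in "$file" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "certificate expires within 30 days" >&2; return 5; }
    # Compare against a fingerprint recorded at an earlier download, if given.
    if [ -n "$pinned" ] && [ "$(cert_fingerprint "$file")" != "$pinned" ]; then
        echo "fingerprint differs from the recorded value" >&2; return 6
    fi
    return 0
}

# When run with arguments, check the named file: ./check.sh cert.pem [FINGERPRINT]
if [ "$#" -ge 1 ]; then
    check_idp_cert "$@"
fi
```

Record the fingerprint printed by cert_fingerprint at first setup and pass it as the second argument whenever the certificate is downloaded again, so that an unexpected change is noticed before the new file is uploaded.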
Additional settings
The following steps can provide the best user experience; they are not mandatory for MyLogin Device's functionality.
- Navigate to Chrome > Devices > Users and browsers.
- Select the Organisational Unit containing the users who will be logging in with Chromebooks.
- Under Security, set Lock Screen to Do not allow locking screen.
- Under Idle Settings, set Action on idle to Logout, Action on lid close to Logout, and Lock screen on sleep to Lock screen.
- If using MyLogin SSO, under Pages to Load on Startup, enter https://app.mylogin.com. If you are not using the MyLogin SSO system, please do not add this.
- At the bottom of the section, click Save.
Setting up MyLogin as an identity provider for select organisational units
By following the steps below, users in the organisational units you choose to be affected by MyLogin as your Google identity provider will be required to log into Google Workspace with MyLogin credentials on ANY device.
- In the Google Admin Console, navigate to Security > Authentication > SSO with third party IdP and scroll to the bottom of the page. Under Manage SSO profile assignments for organisational units or groups, click Get Started (or "Manage" if you have used this area before).
- Select an Organisational Unit on the left-hand side of the page, and then select Organisation's third-party SSO profile on the right-hand side of the page. Alternatively, if you want the users in the Organisational Unit you have selected to use Google credentials to access Google Workspace, select None.
(If you select Organisation's third-party SSO profile and you want to use MyLogin as the IdP for Google Workspace, you need to ensure you've followed the steps earlier in this guide to select SAML SSO login as the form of authentication for the selected Organisational Unit.)