Ready to move forward with an integration? Complete the SSO Request Form to begin the process and a member of the DE Technical Integrations team will be in touch.
Overview
Discovery Education offers the ability to integrate with a district’s Active Directory (AD) using Lightweight Directory Access Protocol (LDAP) for Single Sign-On (SSO). This allows users to log into Discovery Education with familiar credentials at a custom URL. User management (creating and updating users) in Discovery Education is achieved via CSV files that are posted nightly to Discovery Education’s SFTP server, which is a process that can be automated. Class and Class Roster data can also be imported via the same process.
Requirements
(All requirements must be confirmed to proceed)
- All schools, teachers, and students that subscribe to Discovery Education services must use SSO.
- Complete the SSO request form.
- Establish a connection with the Active Directory server.
- Ability to generate and post .csv files with required fields to Discovery Education’s SFTP server. See Imports for Single Sign-On for details.
Steps to Implement
- Determine LDAP to be your technology of choice.
- Complete the SSO request form.
- Establish a connection with the Active Directory server.
- Build a process to generate and post .csv files via SFTP. See Imports for Single Sign-On for details.
- Prepare existing Discovery Education user accounts for conversion.
- Determine launch date and communicate it to Discovery Education staff.
- Communicate new login method (URL) and launch date to teachers and students.
- Launch - Post .csv files the evening before the launch date to process overnight.
User Experience
Once SSO is launched, users will log into Discovery Education by navigating to https://<district>.discoveryeducation.com. The <district> sub-domain may be chosen by the district.
Once SSO is launched, users will no longer be able to log into https://www.discoveryeducation.com. Any previously saved hyperlinks that are not configured for SSO, and that prompt users to log in directly at www.discoveryeducation.com, will no longer work. We recommend implementing two options in this case:
1. Update existing hyperlinks with the SSO subdomain:
https://www.discoveryeducation.com should be updated to https://<district>.discoveryeducation.com
2. Advise users to log in via SSO before using saved hyperlinks.
How It Works
Users are authenticated into Discovery Education via LDAP, provided that usernames in Discovery Education are in the required SSO username format. The Discovery Education SSO username format is: <sAMAccountName>@<district>.discoveryeducation.com.
Note: This username is never known by the end user.
Establish a Connection
Port 636 (LDAPS) must be opened to Discovery Education’s servers:
- 198.147.10.73
- 199.199.210.34
- 204.246.114.162
- 204.246.120.240
- 18.216.174.161
- 18.224.47.159
- 3.14.61.70
- 3.22.200.70
- 3.23.0.208
- 3.20.77.209
- 15.222.117.98 (Canada only)
- 52.60.88.78 (Canada only)
- 15.222.86.157 (Canada only)
- 15.222.40.199 (Canada only)
Discovery Education must be provided with the following:
- AD server URL or IP
- Base DN
- Username and password
- Desired sub-domain for the login URL: <district>.discoveryeducation.com
- Security certificate. This can be a self-signed certificate. The certificate must be X.509 in Distinguished Encoding Rules (DER) format. Please zip certificates when emailing them. We recommend using the Root certificate for a longer active date range.
Discovery will test the connection using a Java-based LDAP browser (example: JXplorer). If successful, the connection will be migrated to Discovery Education's production environment.
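Added example (not Discovery Education's own code): one way to produce the DER-encoded, zipped certificate file described above on a Windows server with PowerShell 5 or later. It assumes the root CA certificate is in the LocalMachine\Root store; the subject filter, working folder and file names are placeholders.

```powershell
# Added example. Placeholders: $subjectMatch, $outDir and the file names.
$subjectMatch = 'CN=Example District Root CA*'   # hypothetical subject filter
$outDir       = 'C:\Temp\de-ldaps'               # hypothetical working folder
$cerPath      = Join-Path $outDir 'district-root-ca.cer'
$zipPath      = Join-Path $outDir 'district-root-ca.zip'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Pick the matching root certificate with the latest expiry date.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $subjectMatch } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $root) { throw "No certificate in LocalMachine\Root matches $subjectMatch" }

# A root certificate is self-issued: Subject and Issuer are identical.
if ($root.Subject -ne $root.Issuer) {
    Write-Warning "Selected certificate is not self-issued; it is not a root."
}

# Refuse a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $root.NotBefore -or $now -gt $root.NotAfter) {
    throw "Certificate is outside its validity period ($($root.NotBefore) to $($root.NotAfter))"
}

# -Type CERT writes a DER-encoded X.509 file holding the public certificate only;
# this cmdlet never exports the private key.
Export-Certificate -Cert $root -FilePath $cerPath -Type CERT | Out-Null

# Check 1: DER starts with an ASN.1 SEQUENCE tag (0x30); a PEM file starts with '-' (0x2D).
$bytes = [System.IO.File]::ReadAllBytes($cerPath)
if ($bytes[0] -ne 0x30) { throw "$cerPath is not DER encoded" }

# Check 2: the file parses and is the same certificate that was selected.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($check.Thumbprint -ne $root.Thumbprint) { throw "Exported file does not match the selected certificate" }

# Zip the file for email and show a summary of what is being sent.
Compress-Archive -Path $cerPath -DestinationPath $zipPath -Force
[pscustomobject]@{
    Subject    = $check.Subject
    Thumbprint = $check.Thumbprint
    NotAfter   = $check.NotAfter
    Zip        = $zipPath
}
```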
Frequently Asked Questions
Where do users go to log in with their LDAP accounts? For LDAP SSO to work, users must log in via <district>.discoveryeducation.com. Usernames in Discovery Education must also be configured properly.
What is the cost for LDAP SSO? Is there an agreement involved? LDAP SSO is free and no agreement is required. However, a DE SSO request form must be completed. Complete the request form here.
When can we launch LDAP SSO? Variable timeline, typically two weeks. Once the paperwork has been signed and returned, the connection to the Active Directory server has been established, and the .csv import files have been generated, a launch date can be determined. Communicating the new login URL is critical to a successful launch. We recommend launching on a Friday, at least two weeks after the agreement is returned and communication to users has begun.
What happens to existing Discovery Education user accounts? Will they keep their saved content and work? Teacher accounts are mapped across systems on email or Teacher ID and CONVERTED to LDAP accounts (username updated). If email addresses or Teacher IDs are not stored in Discovery Education, additional strategies are recommended for preparing teacher accounts for mapping and conversion:
- Ask teachers to log into Discovery Education and ensure that the email address in the profile matches their district email address. Failure to do so may result in a new user account being created.
- Upload a teacher CSV via the Bulk Import tool to update the existing email addresses and Teacher IDs. Teacher accounts can be exported from Discovery Education by navigating to My Admin > Bulk Import > Update Rosters > Teachers. Update email addresses as needed, save as .csv, and upload via the Bulk Import utility.
- If only the domain differs between the district email address and the email address in Discovery Education, perform a Find and Replace in Excel.
- If the entire email address differs, a VLOOKUP in Excel between the old email address and the district email address may be required.
Student accounts are mapped to their LDAP accounts and CONVERTED based on matching Student IDs between the two systems. Feel free to contact Discovery Education to discuss a launch plan for your district.