Introduction
Houghton Mifflin Harcourt (HMH) currently uses a central authentication provider for its products, so a single SAML configuration is shared across all of them. To achieve this in HelloID, we need to create a hidden instance of the SAML application and use a shortcut for each specific product.
This guide will walk you through creating the central SAML integration and setting up shortcuts for specific products.
Generate SAML Metadata
We recommend creating a separate certificate in HelloID for each SAML integration. Learn more about creating and managing certificates here.
- With a certificate ready for HMH, create a new instance of the HMH SAML application template.
- On the left of the main screen, select the Single Sign On tab. Find the X509 Certificate field and select the newly created certificate (or the appropriate existing certificate).
- After selecting the certificate, save the template by clicking the Save button.
- Find the newly created HMH SAML application in the application list and click the Edit link.
- In order for HMH to properly configure their end, they will need a copy of the application metadata. Use the Download metadata button at the top of the screen to save a copy of the metadata XML and provide that to HMH.
Integration Configuration
After receiving the HelloID metadata, HMH will provide a connection name/client ID value that we will use in the last configuration steps for the integration.
- Bring up the edit screen for the HMH SAML application that you previously created.
- On the General tab, ensure that the Enabled and Hide Application settings are turned on. Replace the {CLIENT ID} placeholder with the connection name/client ID provided to you by HMH. Typically this is in the form of "AB-MySD123-000001".
- On the Configuration tab, adjust the Issuer, Endpoint URL, and Extra Audience fields by replacing the {CLIENT ID} placeholder with the connection name/client ID provided to you by HMH.
- On the Groups tab, assign this application to the appropriate groups of users. Since this integration is used by all HMH products, ensure that this is assigned to any users that will interact with any of the used HMH products. In practice, assigning this to all users will make this much easier to manage.
- Save the application and open the edit page for it again to configure the mapping set used for our SAML attributes.
- On the Configuration tab, click the Configure Mapping Set button to proceed.
- There are two actions we can adjust on the mapping set: Change attributes and Change mappings. The Change attributes interface allows you to include additional values to be made available for the mapping. This can be left at its default for now.
- Click on Change mappings. Here you can include additional claims (attributes) in the SAML request. Currently the only requirement for HMH is the NameID attribute, which is set up by default to use the contact email address of the user. It can be modified as needed if this is not the proper attribute for your instance.
- Click the Save button for the mapping set once you're done.
Set Up Individual Products
Below you can find the SP-initiated URLs used in conjunction with the central SAML authentication application. These URLs are best used with the Generic - Shortcut application template. As in the steps above, replace the {CLIENT ID} placeholder with the appropriate value for your instance.
- Ed: https://www.hmhco.com/api/external-sso/access?sp=ed&connection={CLIENT ID}
- HRW: https://my.hrw.com/sp/access?sp=hrw&connection={CLIENT ID}
- SAM: https://idp-awsprod1.education.scholastic.com/idp/oic/login?connection={CLIENT ID}
- ThinkCentral: https://www-k6.thinkcentral.com/sp/access?sp=tc&connection={CLIENT ID}
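A shortcut with a leftover placeholder, a mistyped host or the wrong `sp` value fails only when a user launches it, so the configured URLs can be checked beforehand. The following is an added example, not part of the original guide; the function names are hypothetical, the expected hosts and paths are taken from the list above, and the sample shortcut values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Host, path and fixed 'sp' value for each product URL listed in this guide
# (the SAM URL has no 'sp' parameter).
EXPECTED = {
    "Ed": ("www.hmhco.com", "/api/external-sso/access", "ed"),
    "HRW": ("my.hrw.com", "/sp/access", "hrw"),
    "SAM": ("idp-awsprod1.education.scholastic.com", "/idp/oic/login", None),
    "ThinkCentral": ("www-k6.thinkcentral.com", "/sp/access", "tc"),
}


def check_shortcut(product, url, client_id):
    """Return a list of problems found in one configured shortcut URL."""
    problems = []
    if "{" in url or "}" in url:
        problems.append("placeholder not replaced")
    host, path, sp = EXPECTED[product]
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Comparing the whole netloc also rejects user-info prefixes and ports.
    if parts.netloc.lower() != host:
        problems.append(f"unexpected host: {parts.netloc}")
    if parts.path != path:
        problems.append(f"unexpected path: {parts.path}")
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("connection") != [client_id]:
        problems.append("connection does not match the client ID")
    if sp is not None and query.get("sp") != [sp]:
        problems.append("sp does not match the product")
    return problems


def check_all(shortcuts, client_id):
    """Map each product with at least one problem to its list of problems."""
    report = {}
    for product, url in shortcuts.items():
        problems = check_shortcut(product, url, client_id)
        if problems:
            report[product] = problems
    return report
```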
Testing Authentication
As an administrator in HelloID, you can manually define the user data sent to HMH, which lets you test the application without logging in as the actual end user. During this testing, the NameID claim is set to a fixed value, so anyone who launches a product shortcut is authenticated to HMH as that user. It is therefore important that any product shortcut applications used for this testing are assigned only to the user account that will be conducting the tests, so as to prevent access by unauthorized users.
- Open the mapping set for the HMH SAML application either from the Configuration tab on the edit screen for the application or by navigating to Directory > Mapping sets on the HelloID Administrator Dashboard and editing the Mapping for HMH (SAML) item.
- Click on the Change mappings link for the SAML User mapping configuration.
- Locate the NameID claim.
- Change the current left-side value for this attribute to be the appropriate email address for the user you are testing with.
- Close and save out of the mapping set.
With the HMH SAML application and the appropriate product shortcut applications assigned to your user via the Groups tab, you can initiate the SAML transaction by launching the product shortcut from the HelloID dashboard. HelloID will then attempt to authenticate as the user associated with the email address you provided for the NameID claim.