SAML SSO configuration

SAML SSO is available for users of us.prairielearn.com. Reach out to support@prairielearn.com to get it set up.

Required attributes

PrairieLearn requires that SAML identity providers (IdPs) make three attributes available.

Name

The full name of the user, e.g. "Joe Smith". This attribute is often named displayName or urn:oid:2.16.840.1.113730.3.1.241.

Alternatively, if your Identity Provider cannot provide a single full name attribute, you can configure separate given name and family name attributes. When both are configured and both values are present in a SAML response, PrairieLearn will combine them as "Given Family" (e.g. "Joe Smith") and use that value. If either value is missing, PrairieLearn falls back to the full-name attribute. The given name attribute is often named givenName or urn:oid:2.5.4.42, and the family name attribute is often named sn or urn:oid:2.5.4.4.

UID

An identifier with an institution-specific suffix, e.g. jsmith@example.com. This attribute is often named eppn, eduPersonPrincipalName, or urn:oid:1.3.6.1.4.1.5923.1.1.1.6.

This attribute is allowed to change. For instance, at many institutions, someone who changes their name will receive an updated identifier. The next time they log in to PrairieLearn, their UID will be updated to reflect the latest value from the IdP.

Note that the UID will often look like an email address, but it does not need to be routable as one.

UIN

An immutable identifier for a given user. A student/staff ID number is typically a good fit, although this varies from institution to institution.

This attribute's value must never change for a given individual, even if they change their name or email. To be more precise, this value must be persistent (stable across multiple login sessions) and non-reassignable (must never be reassigned from one individual to another).

This value will be visible to instructors and included in gradebook downloads, so it should be a value with a useful meaning to instructors and across other campus services.

For institutions using PrairieTest, this value can be used when deploying ID-card-based check-in for exams, so it's beneficial if this value is derivable (either directly or indirectly) from swiping or tapping an individual's institutional ID card.

Optional attributes

Email

The email address of the user, e.g. student@example.com. This attribute is often named mail or urn:oid:0.9.2342.19200300.100.1.3.

While this attribute is not strictly required, it is highly recommended. In the future, it will be used to send notifications to students about upcoming exams and other important information.
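
The following is an added example, not PrairieLearn's own code: a pre-flight check an IdP administrator could run over the AttributeStatement of a test assertion to confirm that the required attributes are released and to see which name the rules above would produce. The attribute mapping is an assumed configuration; in particular, the page names no UIN attribute, so employeeNumber is a placeholder, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Assumed per-institution mapping. Names are the common ones listed on this page,
# except "uin": the page names no UIN attribute, so "employeeNumber" is a placeholder.
CONFIG = {
    "name": "urn:oid:2.16.840.1.113730.3.1.241",
    "given_name": "urn:oid:2.5.4.42",
    "family_name": "urn:oid:2.5.4.4",
    "uid": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "uin": "employeeNumber",
    "email": "urn:oid:0.9.2342.19200300.100.1.3",
}

# Constructed sample: givenName released without sn, and no UIN attribute at all.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue>Joe Smith</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Joseph</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jsmith@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>student@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def released_attributes(xml_text):
    """Map each released Attribute Name to its first non-empty value."""
    out = {}
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        for value in attr.iter(SAML + "AttributeValue"):
            text = (value.text or "").strip()
            if text:
                out.setdefault(attr.get("Name"), text)
    return out

def check_release(xml_text, config=CONFIG):
    """Return (resolved values, missing required attributes, warnings)."""
    attrs = released_attributes(xml_text)
    get = lambda key: attrs.get(config[key])
    given, family = get("given_name"), get("family_name")
    # Rule from the page: "Given Family" only when both are present,
    # otherwise fall back to the full-name attribute.
    name = f"{given} {family}" if given and family else get("name")
    resolved = {"name": name, "uid": get("uid"), "uin": get("uin"), "email": get("email")}
    missing = [key for key in ("name", "uid", "uin") if not resolved[key]]
    warnings = [] if resolved["email"] else ["email not released (optional, recommended)"]
    return resolved, missing, warnings

if __name__ == "__main__":
    print(check_release(SAMPLE))
```

This only inspects which attributes are released; it does not verify the assertion's signature, so run it on a test assertion from your own IdP and not as a login check.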