School Loop offers Directory Service integration to districts using any LDAP (Lightweight Directory Access Protocol) versions. This article explains how this integration works and shares related articles for managing its configuration.
School Loop uses LDAP to create a secure authentication process with your directory services (for instance, Active Directory) through a secure web service with users logging in with the username and password assigned by the district. All policies and practices relating to usernames and passwords are managed through the district's directory services.
Refer to the following features and the activation process to learn more about how this integration is set up and works:
Intermediary User Web Service
A secure User Web Service installed on a district server acts as an intermediary between School Loop and the district's Directory Services server. School Loop runs all its queries through the web service for username and password authentication, and the web service responds with "true" or "false" as to whether those login credentials are correct.
Activation of Users
Prior to the authentication of users, Directory Service users must be "activated" in the School Loop system, via the Activate Users interface. Teacher, Student, and Staff users are activated separately, and each group of users has its own activation page.
The activation page for teachers queries the web service for all Directory Service users whose 'department code' matches the school code. Each matched user's employee ID is then compared to the teacher IDs from the latest data import from your Student Information System (data importing from the SIS is a separate process known as Sloopy).
Users whose employee ID attributes match a known teacher ID are then displayed for activation. Student users are matched similarly using the student ID attribute.
No ID number is imported for any other staff unless the users are matched by username. If the username is already activated in School Loop in a staff role, that user's account is synchronized with your Directory Service. Once synchronized, the user must use their Directory Service password to log in (the local School Loop password will no longer work).
If the username is not active or does not exist, the user is presented with a drop-down list of roles; selecting a role, and clicking submit activates the user account. If the username already exists in a non-staff role (for example a parent user), a warning message is displayed, and no action is taken.
Each time a user logs in to School Loop using their Active Directory credentials, their first name, last name, email address and login name listed in their School Loop account automatically sync with their AD account.
For student accounts, there is an option to disable syncing of email addresses, which allows students to use an email address of their choosing with their School Loop account.
Follow these steps to integrate your Directory Services with School Loop:
- Ensure that all the considerations and information needed by School Loop are taken into account and addressed. It is essential to follow these considerations to make the integration as smooth as possible.
- Install the web service on an externally accessible web server to act as an intermediary between the Directory Services and School Loop.
- Configure the LdapApp.properties file for the web service.
- Implement our recommendations to ensure the security and stability of traffic between School Loop and the web service.
- Customize the password recovery message for your users. It is vital to ensure users have all the information to successfully update their password for the integrated service without reaching out for help.
- Once all steps are completed, Contact School Loop Support to complete the configurations.
Troubleshooting Common Issues
Here are two of the most common issues that admins may run into after completing the integration process:
- Web Service Error: 'Could not find the main class com.ldap.service.ldapapp'
- Error When Creating the Keystore: 'Command not found'