Single Sign On (SSO) Considerations

HMH supports Google® single sign on (SSO). If you only require Google SSO with our CORE programs (ThinkCentral; Holt McDougal Online; and Ed, the HMH Learning Platform), then you can use the HMH Authentication Manager page for self-service setup. See Authentication Manager: Set Up SSO Connection for details.

Note the following prior to import:

      The username entered in the import template must match the SSO username, which is typically the "principal name" or the long username from the SSO provider, making it globally unique.

      Prior to setting up SSO, HMH recommends that you set data permissions for your organization by locking down the ability of administrators and teachers to manually add users. See Set Data Permissions for details.

The following table provides additional conditions, risks, and recommended solutions.

Condition | Risk/Issue | Recommended Action

Your organization chooses not to lock down data permissions.

Administrators and teachers may add users with usernames that do not adhere to SSO requirements.

1.    Designate a select few, fully trained users who are responsible for user management and who understand the SSO username requirements.

2.    Warn your entire staff about the risks of adding users and clearly communicate your district's plan for allowing only designated user-management users to add users.

 

When a new staff user is added in ThinkCentral or Holt McDougal Online (manually), the newly added staff user receives an email providing the platform URL, username, and a link to set the user's password.

The password that is set using the link in this email is not the SSO password. Instead, it is an alternate platform-specific password.

      For Ed users, you must inform your newly added users how they can log in to the platform by personally sending them an email detailing how to launch from your SSO provider.

      For TC and HMO users, manually turn off the reset password and email notifications settings for all users in your district.

      TC users: See TC-Edit District Configuration Settings and Add Products for details.

      HMO users: See HMO-District Settings for details.

      Set up a plan to manage and communicate SSO passwords and changes for your district.

Note: Only district administrators can edit email settings, unless the organization is an independent school, in which case, school administrators can edit these settings.

When a user clicks the Reset Password option on the TC or HMO login page, an email is sent to the user prompting the user to reset the password.

The password created using the Reset Password option in TC or HMO is not the SSO password and has no impact on the SSO password. This can be very confusing to the user.

Your district wants to implement single sign on (SSO), but the existing usernames in TC or HMO do not match the usernames in your SSO-compliant solution. (Usernames are not globally unique.)

The usernames for all users must match the SSO usernames exactly; the match is case-sensitive.

      Use account linking or purge.
See Account Linking Using SFF or Purge or Retain Data for details.

A student or teacher attends multiple schools in your district.

The SSO for each user account can only work for one location/school (primary location).

      Use account linking.
See Multi-Org Account Linking for SFF for details.

A single user needs to be assigned to multiple roles (administrator and teacher roles). 

The SSO can only work for one role (primary role), so the user can only be associated with one role.

1.    Manually create a second account for the alternate role.

2.    Instruct the user to log in using the traditional platform login page and the alternate account credentials, including the non-SSO password for the user's non-primary role. 

 

TIP for TC and HMO: Because users with teacher accounts are able to access content, it is usually most beneficial to create the teacher role as the primary role. Administrator accounts are used mainly for user management and reporting, and in TC and HMO, administrator accounts do not allow access to content.

Your user accounts include the student ID or teacher ID as part of the user names. This works better than a first name or last name because the LASID never changes.

The LASIDs can have leading zeros in some systems; however, for SSO to work, the values must be in sync, so 012345 is not the same as 12345.

      Before rostering, find out how your SSO provider handles leading zeros and verify that your rostering files match that formula for user names.

Your district uses TC and HMO and also uses the HMH Player® software.

HMH Player is SSO compliant for versions 2.4 and above, but it requires authentication within the application. You cannot access existing authenticated HMH Player sessions by logging in through TC and HMO.

      To access an authenticated HMH Player session, both TC and HMO users must log in through HMH Player. For details, see HMH Player Users.

Your district uses TC and HMO but also uses the ExamView® software.

      ExamView is not SSO compliant. Your district's SSO access is available only to TC and HMO. 

      To use ExamView, users require the alternate password that was used in the file upload process or manual platform user interface process.

      Any content in ExamView that is from 9.0 installers and earlier is restricted to 20-character usernames, which typically do not support traditional SSO user names.

      Instruct your users to upgrade to the 9.1 installer version of ExamView.

      Follow the instructions for ExamView Users to provide alternate passwords.

 

Note: HMH often partners with third-party vendors for our whole-package product offerings, and some of those development solutions are outside of HMH release control. We continue to work aggressively with these partners to deliver fully compatible transitions to help unify your experience.
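
A pre-import check for the username conditions in the table above (exact, case-sensitive match; leading zeros; the 20-character limit in ExamView 9.0 and earlier), as an added example that is not HMH code. The CSV column names, the sample accounts and the k12.example domain are constructed assumptions; substitute the real export from your SSO provider and your own roster file.

```python
import csv
import io

# Constructed sample data; both column names are assumptions, not HMH fields.
ROSTER_CSV = """username
012345@k12.example
JSmith@k12.example
t.nguyen@k12.example
b.lee@k12.example
maria.hernandez@k12.example
"""
SSO_CSV = """principal_name
12345@k12.example
jsmith@k12.example
t.nguyen@k12.example
maria.hernandez@k12.example
"""
LEGACY_EXAMVIEW_MAX = 20  # ExamView 9.0 and earlier installers

def strip_zeros(name):
    """Drop leading zeros before '@'; used only to explain a mismatch."""
    local, sep, domain = name.partition("@")
    return (local.lstrip("0") or "0") + sep + domain

def column(text, field):
    return [row[field].strip() for row in csv.DictReader(io.StringIO(text))]

def check_roster(roster_text, sso_text):
    """Return (username, issue, closest SSO name) for every problem found."""
    sso = column(sso_text, "principal_name")
    exact = set(sso)
    by_case = {s.lower(): s for s in sso}
    by_zeros = {strip_zeros(s): s for s in sso}
    findings = []
    for user in column(roster_text, "username"):
        if user in exact:
            pass  # exact, case-sensitive match: nothing to fix
        elif user.lower() in by_case:
            findings.append((user, "case", by_case[user.lower()]))
        elif strip_zeros(user) in by_zeros:
            findings.append((user, "leading-zeros", by_zeros[strip_zeros(user)]))
        else:
            findings.append((user, "unmatched", None))
        if len(user) > LEGACY_EXAMVIEW_MAX:
            findings.append((user, "examview-length", None))
    return findings

if __name__ == "__main__":
    print(*check_roster(ROSTER_CSV, SSO_CSV), sep="\n")
```

Run it against the roster file before import; any "case" or "leading-zeros" finding names the SSO username that the roster entry should be corrected to.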


See Also:

FAQs for SSO

Tips for Creating Usernames

 v7.0