What is Single Sign-On?
Single Sign-On (SSO) is a way for staff to log in to SIRAS using the same account they already use for their district’s systems (such as Google Workspace or Microsoft 365). Instead of creating and managing a separate SIRAS password, users sign in once through their district’s login system, and that login is securely recognized by SIRAS.
Benefits of SSO for Districts
1. Improved Security
- Districts control the login process through their own system (the “Identity Provider”).
- If the district requires Multi-Factor Authentication (MFA), that same protection automatically applies when accessing SIRAS.
- This means districts maintain consistent security policies without relying on separate SIRAS passwords.
2. Greater Convenience
- Staff only need to log in once with their district account.
- After signing in, they can access SIRAS without remembering or managing an additional username and password.
- This reduces login frustration and helps prevent password-related issues.
Key Point
With SSO, districts get the best of both worlds:
- Security is enforced through their own Identity Provider with MFA.
- Convenience comes from using the same login for multiple systems, including SIRAS.
This keeps access both safe and simple for staff.
SSO Configuration Guide
1. Create the SIRAS SAML Application
In your Identity Provider's (IdP) admin console, create a custom SAML application for SIRAS.
- Google Workspace: Apps → Web and mobile apps → Add custom SAML app
- Microsoft Entra (Azure AD): Enterprise applications → New application → Create your own application
- OneLogin: Applications → Add App → SAML Custom Connector (or equivalent)
Tip: Start with your Training SIRAS URL for testing. After validation, update the same app to point to Production.
2. Required SIRAS URLs
Substitute the appropriate {server URL} for your SELPA/district.
- EntityID: https://{server URL}/sso/metadata.jsf
- Login URL / ACS URL / Recipient: https://{server URL}/sso/acs.jsf
Server URLs by Region
| Region | Training | Production |
|---|---|---|
| VCOE SIRAS | https://sirastraining.vcoe.org | https://siras.vcoe.org |
| Kern SIRAS | https://training.siras-kern.org | https://siras-kern.org |
| Main (all other SELPAs) SIRAS | https://training.sirassystems.org | https://sirassystems.org |
Leave other SAML parameters (e.g., Sign-On URL, Logout URL) blank or at their defaults unless explicitly required by your IdP.
3. Provide Access for Users
SIRAS does not display a "Login with SSO" button on its homepage. Publish the SIRAS SSO application to your IdP’s user portal or dashboard (e.g., Google App Launcher, Microsoft “My Apps”). Users should launch SIRAS from that published app.
4. Provide IdP Metadata to SIRAS
Share the following values from your IdP with the SIRAS team (or configure in SIRAS if you have access):
- Entity ID URL
  - Google example: https://accounts.google.com/o/saml2?idpid=abc1234
  - Microsoft example: https://sts.windows.net/abc1234/
- Single Sign-On (SSO) Service URL
  - Google example: https://accounts.google.com/o/saml2/idp?idpid=abc1234
  - Microsoft example: https://login.microsoftonline.com/abc1234/saml2
- X.509 Certificate (Base64-encoded; usually a .pem file)
5. (Optional) Restrict Password Logins
Districts may choose to disable password-based logins in SIRAS after SSO is enabled. This requires all users to authenticate via SSO only.
6. Account and Email Requirements
- Each SIRAS user’s email must match their SSO account email.
- All user email addresses must belong to the domain configured for your district’s SSO (for example, @yourdistrict.edu).
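An added example (not SIRAS code): a pre-rollout audit of the two email requirements above, run over constructed exports of SIRAS and IdP user emails. The function and list names are hypothetical, and because this page does not say whether SIRAS compares emails case-sensitively, case or whitespace differences are reported separately for review.

```python
from collections import Counter

def audit_sso_emails(siras_emails, idp_emails, sso_domain):
    """Return {category: [emails]} for SIRAS accounts likely to fail the SSO email match."""
    domain = sso_domain.lstrip("@").lower()
    idp_exact = set(idp_emails)
    idp_folded = {e.strip().lower() for e in idp_emails}
    counts = Counter(e.strip().lower() for e in siras_emails)
    findings = {"outside_domain": [], "not_in_idp": [],
                "case_or_space_mismatch": [], "duplicate": []}
    for email in siras_emails:
        folded = email.strip().lower()
        # Compare the whole domain after the last "@"; a suffix test would
        # accept "notyourdistrict.edu" for "yourdistrict.edu".
        local, _, host = folded.rpartition("@")
        if not local or host != domain:
            findings["outside_domain"].append(email)
        elif folded not in idp_folded:
            findings["not_in_idp"].append(email)
        elif email not in idp_exact:
            # Same address after normalization, but not byte-for-byte equal.
            findings["case_or_space_mismatch"].append(email)
        if counts[folded] > 1:
            # Two SIRAS accounts would map to one SSO identity.
            findings["duplicate"].append(email)
    return findings

# Constructed sample data (assumed export format: one email per user).
SIRAS_USERS = [
    "a.rivera@yourdistrict.edu",
    "B.Chen@yourdistrict.edu",
    "c.patel@notyourdistrict.edu",
    "d.lopez@gmail.com",
    "e.nguyen@yourdistrict.edu",
    "a.rivera@yourdistrict.edu ",   # trailing space, duplicate of the first
]
IDP_USERS = ["a.rivera@yourdistrict.edu", "b.chen@yourdistrict.edu"]

if __name__ == "__main__":
    report = audit_sso_emails(SIRAS_USERS, IDP_USERS, "@yourdistrict.edu")
    for category, emails in report.items():
        print(f"{category}: {emails}")
```

Resolve every finding before restricting password logins (step 5), since affected users would have no remaining way to sign in.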
7. Microsoft Entra / 365 Specific Notes
- Use Properties → User Access URL for the login link (typically begins with https://launcher.myapps.microsoft.com/).
- Provide SIRAS with the Certificate (Base64).
- Leave Sign-On URL blank (configure only Entity ID and Reply URL as applicable).
- Ensure an attribute/claim mapping for email exists (for example, emailaddress → user.mail).
- Assign users (or groups) to the SIRAS application as required by your tenant policies.
8. Additional Notes
- When SSO is used, SIRAS password reset requirements are not evaluated.
- Users may still be blocked by SIRAS policy if they have not logged in for an extended period.
- SSO login updates the last login date on the user account in SIRAS.
- Logging out of the IdP does not automatically log the user out of SIRAS. Normal SIRAS logout behavior and session timeouts still apply.
For more assistance, contact your SIRAS support representative.