What information is available via the SAML response mapping in a successful SSO flow?

Derek Povah

Nov 21, 2019, 1:21:03 PM
to Interfacing With Aeries
I am writing a parent facing web application that will need to pull in information about the students associated with a parent portal account. I'm looking into the possibility of using Aeries as a SAML identity provider to avoid asking parents to create and remember yet another set of credentials. Can I get the PermID/SchoolCode of a parent's students via the SAML response mapping or do I have to do some kind of nightly sync to pull in a dump of all the PermIDs associated with each of the parent emails? I'm hoping to avoid the overhead of a nightly sync and I'm really only looking to pull in the student data for the parents that will be using this application.

JD McKeel

Nov 21, 2019, 3:02:08 PM
to Interfacing With Aeries
Hi Derek,

The SAML response from Aeries contains several attributes.  For the NameID, which is the principal part of the assertion that identifies the user, we use the email address from UGN or PWA (depending on the type of account).

We also include attributes for given name, surname, and user type (Teacher, Parent, Student, or User).

For staff, we include an attribute for staff ID.

For parents and students, we include an attribute for students, which is a comma-delimited list of student IDs that are associated with the account.  This one seems like it would address your needs.

The attributes have both URI names and friendly names.  I'd suggest that you take a look at some SAML responses from Aeries to see how everything's formatted, then figure out how best to extract the information you need with whatever SAML library you're using.

JD
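
An added example (not part of the reply above and not Aeries code) of how a service provider might read the NameID, user type and comma-delimited student list from an assertion and then use that list as the per-session authorization check. The attribute names, sample values and the numeric-ID rule are hypothetical, and the assertion is assumed to have already passed signature and condition validation in a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample. Attribute names are placeholders, not Aeries' real ones;
# inspect an actual response to learn the URI and friendly names in use.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>parent@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:attr:usertype" FriendlyName="userType">
      <saml:AttributeValue>Parent</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:attr:students" FriendlyName="students">
      <saml:AttributeValue>100234, 100877</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def parse_identity(assertion_xml):
    """Extract NameID, user type and linked student IDs from a validated assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        # Index by both the URI name and the friendly name.
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                attrs[key] = values
    user_type = (attrs.get("userType") or [""])[0]
    students = set()
    if user_type in ("Parent", "Student"):  # only these account types carry the list
        for value in attrs.get("students", []):
            for sid in (s.strip() for s in value.split(",")):
                if not sid:
                    continue
                # Assumption: student IDs are ASCII digits; reject anything else.
                if not (sid.isascii() and sid.isdigit()):
                    raise ValueError(f"unexpected student ID: {sid!r}")
                students.add(sid)
    return {"name_id": name_id, "user_type": user_type, "students": students}

def may_view_student(identity, requested_id):
    """Authorize a lookup only for IDs the IdP asserted for this session."""
    return str(requested_id) in identity["students"]
```

Store the parsed set in the server-side session and call `may_view_student` before any student lookup, so an ID supplied in a request is never trusted on its own.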

Derek Povah

Nov 21, 2019, 4:39:07 PM
to Interfacing With Aeries
As far as I can tell, this doesn't remove the need for a periodic sync because the only way to look up a student is via /api/v3/schools/{SchoolCode}/students/{StudentID}. If I only get a list of student IDs in the SAML response, I still need to import the student IDs and their school code. Ideally, I want to be able to hit something like /api/v3/student/{StudentID} to get the student's data. I understand that there are concerns with timeouts if you support returning all of the students via something like /api/v3/students, but returning a single record on a /student endpoint wouldn't cause those same timeout issues.

Camden Iliff

Nov 21, 2019, 8:49:41 PM
to interfacing...@googlegroups.com

The API supports getting just a single record (https://support.aeries.com/support/solutions/articles/14000077926-aeries-api-full-documentation#aeries-api-h16)

ALTHOUGH – It is important to note that the Aeries API was designed to support 3rd party systems who "mine" the data on a regular basis.  It is not designed as a transactional system with security limitations that are sensitive to the currently logged in user (as with SAML).  So in your case where you are trying to build a system for parents, the Aeries API should not be used to pull data on the fly to display to them, you should collect all information about all students on a nightly basis and use that data to drive the content of your system.  I know that's a large undertaking and would require the explicit permission of the district you are working with, but that's how the Aeries API was designed and how most systems that use it operate.  They are not "extending Aeries" – they have their own systems that just need some of the Aeries data.

Camden Iliff

Vice President, Product Development
Aeries® Student Information System

770 The City Drive South, Suite 6500
Orange, CA 92868

Office: (888) 487-7555

www.aeries.com
c...@aeries.com

Derek Povah

Nov 26, 2019, 2:54:05 PM
to Interfacing With Aeries
It looks to me like the API only supports getting a single student record if you already have their school code. My issue with that is schools change while Student IDs generally do not.

We are developing this application in-house, so it's not a question of getting permission to do a periodic sync. We just want to avoid it because the most current data is already in Aeries. We want Aeries to be the authoritative source for all of our student data, but that is much harder if we are being forced to rely on periodic syncs. The only missing link in our desired workflow is the ability to look up a single student (and related student data such as contacts) with only their Student ID.

Camden Iliff

Nov 26, 2019, 3:23:49 PM
to interfacing...@googlegroups.com

You would need to use the Enrollment endpoint to get the specific school or schools where a student record is located.  Student Demographic data in Aeries is school-specific.  That's why the API requires that information.
