Integrating LanSchool Air with Azure Active Directory
To request this feature be enabled for your LanSchool Air organization, please contact the Customer Success team.
Overview
This article explains how to integrate LanSchool Air with Azure Active Directory for Single Sign-On (SSO) and User Provisioning.
With this integration, instructor accounts can be automatically created and activated in LanSchool Air when created in the organization's Azure Active Directory environment. Only Active Directory users associated to the provisioning application in Azure will be provisioned to LanSchool Air. Email invitations and activations are not required when users are provisioned from Azure Active Directory.
Once instructors are provisioned to LanSchool Air from Azure Active Directory, they will be automatically enabled for Single Sign-On using their Microsoft account. After entering their email address on the LanSchool Air sign-in page, they will be automatically forwarded to Microsoft for authentication.
Prerequisites
- Single LSA Org for all users (customers will multiple orgs are not supported at this time)
- Site Admin account in LanSchool Air
- Admin access to Azure Active Directory
LanSchool Air's Azure Active Directory integration only supports integrating with one LanSchool Air organization per Azure AD domain. If your organization has multiple LanSchool Air organizations, only one of them may be integrated with Azure AD at this time.
Creating an Enterprise Application in Azure AD
- Log into LanSchool Air as Site Admin.
- Click on the menu at the top left then click Settings.
- Click on SSO Configuration.
- Click Generate New. The system generates a random secrete token. Click Copy.
- In a separate browser window or tab, log into Microsoft's Azure Portal at https://portal.azure.com/
- Click on Azure Active Directory in the left menu. A page show your organization's name displays.
- Click on Enterprise Applications.
- Click on +New Application.
- Search for LanSchool Air in the Search Application box.
- If needed, rename the application and select Create.
- Click on Provisioning in the left navigation menu.
- On the Provisioning page:
- Select Get Started.
- Select Automatic from the Provisioning Mode drop-down list.
- Paste or enter one of the following URLs into the Tenant URL field:
- For Americas: https://api-lsa.lenovosoftware.com/0/lsa/common/scim
- For EMEA: https://api-lsa-emea.lenovosoftware.com/0/lsa/common/scim
- For APAC: https://api-lsa-apac.lenovosoftware.com/0/lsa/common/scim
- Copy the secret token from LanSchool Air (see step 4) and paste it into the Secret Token field.
- Click Test Connection.
- Click Save and close the Provisioning Page.
Configuring SAML Authentication
- While still in Azure Active Directory, click on Single sign-on in the left menu.
- Click the SAML tile. The LanSchool Air gallery app has default identifier and reply URLs that are for the Americas environment. If your organization is not in Americas you will need to edit the identifier and reply URLs to correspond with the environment your LanSchool Air organization is in.
- If your LanSchool Air organization is in Americas select Yes, to save the single sign-on setting. Continue to Step 7.
- If your LanSchool Air organization is not in Americas select No, I'll save later and continue to the next step.
The next step is only if your organization is NOT in Americas. To identify what environment your organization is in, check the URL for LanSchool Air. If your URL begins with lanschoolair-emea or lanschoolair-apac, then your organization is NOT in Americas. - From the Basic SAML Configuration tile, click the Edit icon.
- Configure the settings as follows:
- Delete the URL that is already in the Identifier (Entity ID).
- Paste one of the following URLs into the Identifier (Entity ID) field and mark as Default:
- For Americas: https://api-lsa.lenovosoftware.com/0/lsa/common/saml/sp
- For EMEA: https://api-lsa-emea.lenovosoftware.com/0/lsa/common/saml/sp
- For APAC: https://api-lsa-apac.lenovosoftware.com/0/lsa/common/saml/sp
- Delete the URL that is already in the Reply URL (Assertion Consumer Service URL).
- Paste one of the following URLs into the Reply URL (Assertion Consumer Service URL) field:
- For Americas: https://api-lsa.lenovosoftware.com/0/lsa/common/saml/acs
- For EMEA: https://api-lsa-emea.lenovosoftware.com/0/lsa/common/saml/acs
- For APAC: https://api-lsa-apac.lenovosoftware.com/0/lsa/common/saml/acs
- Click Save, and then click X in the top right after saving. If a message that asks if you want to test displays, click No, I’ll test later.
- From the SAML Signing Certificate section of the Set Up Single Sign-on with SAML page, copy the URL from the App Federation Metadata URL field.
- Return to the SSO Configuration page in LanSchool Air.
- Paste the URL into the App Federation Metadata URL field and click Update.
Disabling Confirmation Emails
When instructor accounts are created a confirmation email will be sent to instructors with a link directing them to the LanSchool Air login page. If you want instructors to use a SSO portal login page and not be directed to the LanSchool Air login page in the confirmation email, you can choose to not send confirmation emails.
Enabling User Account Provisioning
- Return to Azure Active Directory, and then click Users and Groups from the left menu.
- Click +Add User/group.
- Click None Selected under Users and groups.
- Search for a new user(s) and click Select.
- Click Assign.
- Click Provisioning in the left pane.
- Select Start Provisioning.
Removing Azure AD Integration
- Log into LanSchool Air as Site Admin.
- Select the menu at the top left and go to Settings.
- Select SSO Configuration.
- Select Remove Connection at the bottom.
- Type 'Confirm' and select Remove Connection.
- All user accounts that were provisioned in LanSchool Air from Azure AD will be deleted.
Azure FAQ
How do users sign into LanSchool Air?
Assigned users will log into LanSchool Air with Single Sign-On using their Azure AD credentials. To confirm a user was assigned, in LanSchool Air go to Settings>People. The user will appear with Azure AD listed under Source.
Users with "LanSchool Air" listed as the source will continue to login with their LanSchool Air password and not Azure AD SSO.
How often does Azure provision users?
Users will be added/removed every 40 minutes (by default). To immediately provision users, select Stop Provisioning and then select Start Provisioning.
What happens if a user is deleted in Azure?
If a user is deleted in Azure, the user will appear as "disabled" in LanSchool Air for 30 days and then deleted.
What happens if a user is unassigned from the app in Azure?
If a user is unassigned from the app in Azure, the user will be disabled in LanSchool Air.
What if there are local user accounts in LanSchool Air?
If you already have local users in LanSchool Air, with Source listed as "LanSchool Air" under Settings>People, you will first have to delete the local accounts before assigning the user to the app in Azure.
Deleting the local account(s) will remove all manually created classes and the user will have to recreate them once signed in using their Azure AD credentials.
It is recommended to keep one or two local Site Admin accounts in your LanSchool Air organization to prevent being locked out of LanSchool Air in case something happens to Azure AD.
Related Articles
LanSchool Air Setup Guide
Who Should Use this Guide? LanSchool Air site administrators responsible for installing LanSchool Air on student devices, configuring admin settings, and inviting instructors. What Does This Guide Cover? This guide provides instructions for: ...Managing Instructors and Site Admin Accounts
Overview When your LanSchool Air organization is first created, it contains a single user account. This account is assigned the Site Admin role. One of the primary tasks of the Site Admin is to invite other users to use LanSchool Air. These users can ...LanSchool Air Release Notes
LanSchool Air Release Notes Updates to LanSchool Air are applied automatically and rolled out globally over a period of 1 to 2 weeks, so the latest updates noted in the release notes might not be available in your region for a few more days. ...LanSchool Air User Guide
Who Should Use this Guide? Teachers who have received an invitation from a site admin to create a LanSchool Air account Site admins who are setting up an account for a teacher What Does this Guide Cover? This guide provides instructions for: ...Configuring Active Hours
Overview Active hours establish the times and days during which a teacher can start and run a class. Although teachers and site admins can login outside of the designated active hours, they cannot start a class or interact with students. Site Admins ...
Popular Articles
Viewing Student Client Status
Overview If a student device is appearing as offline, check the status of LanSchool Air client installed on the student's device to make sure it's provisioned and connected. To see the current status of the student client, open the LanSchool Air chat ...Using Web Limiting
Overview To block troublesome or distracting websites or limit students to a select few websites pertinent to the class, use the Web Limiting feature in LanSchool Air. There is currently no limit on the number of URLs that can be added to the block ...Mass Deploying LanSchool Air for Chromebook Student
This guide walks site administrators through the process of deploying the LanSchool Air app to students using Chromebooks and getting LanSchool Air ready for instructors to use. For information on installing the LanSchool Air app to Windows or Mac ...Controlling Student Browser Tabs
Overview Controlling browser tabs is currently supported for students using Chromebooks. Students on Windows or macOS devices will only display the most recently viewed website. In List View and Student Details, you have added controls over tabs on a ...Using Blank Screen
Overview LanSchool Air's customizable Blank Screen feature enables you to push a Blank Screen to your students' computers. When you enable Blank Screen, students are not able to view or listen to anything on their device until the Blank Screen is ...
Recent Articles
Deploying LanSchool Air Using Jamf Pro
Overview The LanSchool Air for MacOS agent supports a few different deployment methods. See Mass Deploying LanSchool Air for Mac Student for more detailed instructions. Please note that our support team can only provide limited assistance with ...Disabling Fast User Switching
Overview LanSchool Air does not support Windows Fast User Switching feature. The student client will not function properly when the computer is switched to a second user account. It is recommended to disable Fast User Switching in order for the ...Configuring Idle Timeout
Overview By default, instructors will be automatically logged out of LanSchool Air after they have been idle for 2 hours. Site Admin users can configure the idle timeout settings to increase the amount of time instructors can remain idle before being ...Downloading User and Device Lists
Overview Site Admins can download CSV files containing a list of registered users and devices installed with LanSchool Air. This allows Site Admins the ability to review and manage which devices are consuming licenses and which users are using ...Managing LanSchool Air Licenses
Overview The LanSchool Air client is installed per device for Windows and Mac OS devices. As devices are repurposed or replaced, it is important to fully recover (free up) the LanSchool Air license. Recovering the LanSchool Air license takes 2 steps: ...