Integrating LanSchool Air with Microsoft Entra ID
Overview
This article explains how to integrate LanSchool Air with Microsoft Entra ID (formerly Azure Active Directory) for Single Sign-On (SSO) and User Provisioning.
With this integration, instructor accounts can be automatically created and activated in LanSchool Air when created in the organization's Entra ID environment. Only Entra ID users associated to the provisioning application in Entra ID will be provisioned to LanSchool Air. Email invitations and activations are not required when users are provisioned from Entra ID.
Once instructors are provisioned to LanSchool Air from Entra ID, they will be automatically enabled for Single Sign-On using their Microsoft account. After entering their email address on the LanSchool Air sign-in page, they will be automatically forwarded to Microsoft for authentication.
Prerequisites
- Single LSA Org for all users (customers will multiple orgs are not supported at this time)
- Site Admin account in LanSchool Air
- Admin access to Microsoft Entra ID
LanSchool Air's Entra ID integration only supports integrating with one LanSchool Air organization per Entra ID domain. If your organization has multiple LanSchool Air organizations, only one of them may be integrated with Entra ID at this time.
Creating an Enterprise Application in Microsoft Entra ID
- Log into LanSchool Air as Site Admin.
- Click on the menu at the top left then click LanSchool Air Settings.
- Click on SSO Configuration.
- Click Generate New. The system generates a random secrete token. Click Copy.
- In a separate browser window or tab, log into Microsoft's Entra ID Portal at https://portal.azure.com/
- Click on Entra ID. A page show your organization's name displays.
- Click on Enterprise Applications.
- Click on +New Application.
- Search for LanSchool Air in the Search Application box.
- If needed, rename the application and select Create.
- Click on Provisioning in the left navigation menu.
- On the Provisioning page:
- Select Get Started.
- Select Automatic from the Provisioning Mode drop-down list.
- Paste or enter one of the following URLs into the Tenant URL field:
- For Americas: https://api-lsa.lenovosoftware.com/0/lsa/common/scim
- For EMEA: https://api-lsa-emea.lenovosoftware.com/0/lsa/common/scim
- For APAC: https://api-lsa-apac.lenovosoftware.com/0/lsa/common/scim
- Copy the secret token from LanSchool Air (see step 4) and paste it into the Secret Token field.
- Click Test Connection.
- Click Save and close the Provisioning Page.
Configuring SAML Authentication
- While still in Entra ID, click on Single sign-on in the left menu.
- Click the SAML tile. The LanSchool Air gallery app has default identifier and reply URLs that are for the Americas environment. If your organization is not in Americas you will need to edit the identifier and reply URLs to correspond with the environment your LanSchool Air organization is in.
- If your LanSchool Air organization is in Americas select Yes, to save the single sign-on setting. Continue to Step 7.
- If your LanSchool Air organization is not in Americas select No, I'll save later and continue to the next step.
The next step is only if your organization is NOT in Americas. To identify what environment your organization is in, check the URL for LanSchool Air. If your URL begins with lanschoolair-emea or lanschoolair-apac, then your organization is NOT in Americas. - From the Basic SAML Configuration tile, click the Edit icon.
- Configure the settings as follows:
- Delete the URL that is already in the Identifier (Entity ID).
- Paste one of the following URLs into the Identifier (Entity ID) field and mark as Default:
- For Americas: https://api-lsa.lenovosoftware.com/0/lsa/common/saml/sp
- For EMEA: https://api-lsa-emea.lenovosoftware.com/0/lsa/common/saml/sp
- For APAC: https://api-lsa-apac.lenovosoftware.com/0/lsa/common/saml/sp
- Delete the URL that is already in the Reply URL (Assertion Consumer Service URL).
- Paste one of the following URLs into the Reply URL (Assertion Consumer Service URL) field:
- For Americas: https://api-lsa.lenovosoftware.com/0/lsa/common/saml/acs
- For EMEA: https://api-lsa-emea.lenovosoftware.com/0/lsa/common/saml/acs
- For APAC: https://api-lsa-apac.lenovosoftware.com/0/lsa/common/saml/acs
- Click Save, and then click X in the top right after saving. If a message that asks if you want to test displays, click No, I’ll test later.
- From the SAML Signing Certificate section of the Set Up Single Sign-on with SAML page, copy the URL from the App Federation Metadata URL field.
- Return to the SSO Configuration page in LanSchool Air.
- Paste the URL into the App Federation Metadata URL field and click Update.
Disabling Confirmation Emails
When instructor accounts are created a confirmation email will be sent to instructors with a link directing them to the LanSchool Air login page. If you want instructors to use a SSO portal login page and not be directed to the LanSchool Air login page in the confirmation email, you can choose to not send confirmation emails.
Enabling User Account Provisioning
- Return to Entra ID, and then click Users and Groups from the left menu.
- Click +Add User/group.
- Click None Selected under Users and groups.
- Search for a new user(s) and click Select.
- Click Assign.
- Click Provisioning in the left pane.
- Select Start Provisioning.
Updating Expired Certificate
- Log
into Microsoft's Entra ID Portal at https://portal.azure.com/
- Click on Entra ID. A page show your organization's name displays.
- Under Manage,
click on Enterprise Applications.
- Locate
the LanSchool Air application with the expired certificate.
- Under Manage,
click on Single sign-on.
- Locate
SAML Certificates, click Edit.
- Click +New
Certificate.
- Click Save.
- Click
on the 3 dot menu next to the new certificate and click Make
certificate active.
- Click on the 3 dot menu next to the old
certificate and click Delete Certificate.
- Next, log into LanSchool Air.
- Go to LanSchool Air Settings>>SSO Configuration.
- Click Update next to App Federation Metadata URL.
Removing Entra ID Integration
- Log into LanSchool Air as Site Admin.
- Select the menu at the top left and go to LanSchool Air Settings.
- Select SSO Configuration.
- Select Remove Connection at the bottom.
- Type 'Confirm' and select Remove Connection.
- All user accounts that were provisioned in LanSchool Air from Entra ID will be deleted.
Entra ID FAQ
How do users sign into LanSchool Air?
Assigned users will log into LanSchool Air with Single Sign-On using their Entra ID credentials. To confirm a user was assigned, in LanSchool Air go to Settings>People. The user will appear with Entra ID listed under Source.
Users with "LanSchool Air" listed as the source will continue to login with their LanSchool Air password and not Entra ID SSO.
How often does Entra IDprovision users?
Users will be added/removed every 40 minutes (by default). To immediately provision users, select Stop Provisioning and then select Start Provisioning.
What happens if a user is deleted in Entra ID?
If a user is deleted in Entra ID, the user will appear as "disabled" in LanSchool Air for 30 days and then deleted.
What happens if a user is unassigned from the app in Entra ID?
If a user is unassigned from the app in Entra ID, the user will be disabled in LanSchool Air.
What if there are local user accounts in LanSchool Air?
If you already have local users in LanSchool Air, with Source listed as "LanSchool Air" under Settings>People, you will first have to delete the local accounts before assigning the user to the app in Entra ID.
Deleting the local account(s) will remove all manually created classes and the user will have to recreate them once signed in using their Entra ID credentials.
It is recommended to keep one or two local Site Admin accounts in your LanSchool Air organization to prevent being locked out of LanSchool Air in case something happens to Entra ID.
Related Articles
Managing Instructors and Site Admin Accounts
Overview When your LanSchool Air organization is first created, it contains a single user account. This account is assigned the Site Admin role. One of the primary tasks of the Site Admin is to invite other users to use LanSchool Air. These users can ...LanSchool Air Release Notes
LanSchool Air Release Notes Updates to LanSchool Air are applied automatically and rolled out globally over a period of 1 to 2 weeks, so the latest updates noted in the release notes might not be available in your region for a few more days. ...LanSchool Air Setup Guide
Who Should Use this Guide? LanSchool Air site administrators responsible for installing LanSchool Air on student devices, configuring admin settings, and inviting instructors. Looking for setup instructions for LanSchool Classic? Click here for more ...LanSchool Air User Guide
Who Should Use this Guide? Teachers who have received an invitation from a site admin to create a LanSchool Air account. Site admins who are setting up an account for a teacher. What Does this Guide Cover? This guide provides instructions for: ...Preparing LanSchool Air for a New School Year
Overview As you start a new school year or semester, there are a few steps you can take ahead of time to ensure that LanSchool Air is ready to support your Teachers and Students for both in-person classes and remote learning. Any Questions? Contact ...
Popular Articles
Viewing Student Client Status
Overview If a student device is appearing as offline, check the status of LanSchool Air client installed on the student's device to make sure it's provisioned and connected. This will provide direction on where to begin troubleshooting. Viewing ...Using Web Limiting
Overview To block troublesome or distracting websites or limit students to a select few websites pertinent to the class, use the Web Limiting feature in LanSchool Air. There is currently no limit on the number of URLs that can be added to the block ...Mass Deploying LanSchool Air for Chromebook Student
This guide walks site administrators through the process of deploying the LanSchool Air app to students using Chromebooks and getting LanSchool Air ready for instructors to use. For information on installing the LanSchool Air app to Windows or Mac ...Controlling Student Browser Tabs
Overview In List View and Student Details, you have added controls over tabs on a student's screen. You can: View all tabs a student has open Take a screen shot of a student's active tab Close a tab on a student's computer Add a website a student is ...Using Blank Screen
Overview LanSchool Air's customizable Blank Screen feature enables you to push a Blank Screen to your students' computers. When you enable Blank Screen, students are not able to view or listen to anything on their device until the Blank Screen is ...
Recent Articles
Accessing Teacher Usage Reports
Overview Usage Reports preserves a 45 day record of the number of teachers using LanSchool Air, how many class sessions were started, the amount of time spent in class and the average amount of time in class. Usage Reports allows LanSchool Air admins ...Using On-Task Monitoring
On-task monitoring is currently in BETA. If you would like to test On-task monitoring in your organization please contact our Customer Success team. Overview On-task Monitoring uses AI to help teachers keep track of which students are on-task or ...Purchasing or Renewing LanSchool Air
Purchasing Contact If you are looking to purchase LanSchool Air, renew your LanSchool Air license or require a quote, please visit our website at https://lanschool.com/purchasing. You may also contact sales at 833-247-2527 or fill out the Contact ...Merging Synced Class Rosters
Overview Merge classes allows instructors to merge their synced rosters together into one class to align better with their teaching methods. Instructors can merge up to 3 classes for ClassLink, Clever or Google Classroom. Merging Synced Classes As an ...End of Life Lenovo V2 VR Integration with LanSchool Air
As of March 31, 2024 Lenovo V2 VR integration with LanSchool Air has reached End of Life. Please see Lenovo VR Classroom for more information about VR learning solutions.