The SAML Configuration for Aeries Communications powered by ParentSquare has a few requirements that must be in place for Single Sign-On (SSO) to function.
The API Certificate must be named "ParentSquare".
--Legacy Aeries Communications districts will have a certificate under a different name ("Aeries Communications", "Loop", etc.) that must be renamed.
Please see the link below for our API Certificate Creation Document:
ParentSquare must be enabled.
The "Aeries Communications powered by ParentSquare" box must be checked on the 3rd Party System Connections form.
***Ensure that you see "Found" on both the SAML and API entries seen below.
--Legacy Aeries Communications districts will need to switch from the SignalKit option to the ParentSquare version.
***Please note that the Communications link in Aeries Web will only be functional for one version of the Communications system: either ParentSquare or SignalKit, but not both.
On the SAML Configuration page:
--Check the "Enable Aeries to act as a SAML Identity Provider" checkbox.
--The Entity ID (Base URL) will already be configured based on the Aeries Web URL.
--The Metadata URL should be provided to the ParentSquare or Aeries support team (if self-hosted).
***The SSL Certificate must be selected from the Web Server; "Signing Certificate Option 2: Upload PFX File" will not work for this process.
--Select "Signing Certificate Option 1: Select from Web Server", then click "Select Certificate from Server".
----If no certificates appear in the popup (first screenshot below), you will need to grant permission to the Application Pool User on the Web Server(s); see "Grant Web Permissions" below.
----If you see your certificate in the popup (screenshot above), select it and continue to the "Add SAML Service Provider" step in this document.
Grant Web Permissions (if needed)
Follow the steps below to grant the Application Pool User on the Web Server(s) read access to the certificate's private key using the Microsoft Management Console (MMC).
1. In IIS Manager, open Application Pools and take note of the Identity of the Aeries application pool.
----This will generally be "Network Service" or "ApplicationPoolIdentity".
2. Open the MMC: press Win+R, type mmc and press Enter, or select MMC from the Start menu.
2a. Click File -> Add/Remove Snap-in.
2b. In the Add or Remove Snap-ins window, select Certificates in the "Available snap-ins:" list, click Add >, then OK.
3. Select "Computer account" in the Certificates snap-in window and press Next.
4. Select Finish on the following screen, then OK.
5. Now that the Certificates snap-in is loaded in the MMC console, navigate to Certificates under Personal.
6. Right-click the certificate you would like to use and select Manage Private Keys.
7. Add the Application Pool Identity ("Network Service", "ApplicationPoolIdentity", etc.) that you noted earlier for your server.
8. Remove the Full Control option and leave only Read permissions. Click OK.
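The same private-key permission grant can be scripted on the Web Server, which is useful when several servers sit behind a load balancer and each one needs the identical change. The script below is an added example written for this page; it is not Aeries or ParentSquare code. It reads the application pool identity from IIS (the value noted in step 1), finds the certificate in the computer's Personal store, locates its private key file on disk, and grants the pool identity Read access only, mirroring the "leave only Read" instruction above. The application pool name and certificate subject are placeholders that must be replaced with your own values.

```powershell
# Added example (not from the Aeries/ParentSquare documentation): grant the IIS
# application pool identity Read access to the SAML signing certificate's private key.
# Run in an elevated Windows PowerShell 5.1 session on the Aeries Web Server.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$AppPoolName = 'AeriesAppPool'          # placeholder: name of your Aeries application pool
$CertSubject = 'CN=aeries.example.org'  # placeholder: subject of the web server certificate

# Step 1: read the application pool identity, as in the IIS Manager step above.
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
$identity = switch ($pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPoolName" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
}
Write-Host "Application pool identity: $identity"

# Step 2: locate the certificate in the computer's Personal store (Cert:\LocalMachine\My),
# preferring the one with the latest expiry if the subject has been renewed.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $CertSubject" }

# Step 3: find the private key file. CNG keys and legacy CSP keys are stored in different folders.
$keyName = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = $rsa.Key.UniqueName   # CNG (RSACng) key
} catch { }
if (-not $keyName) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CSP key
}
$candidates = @(
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName"
)
$keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# Step 4: grant Read only (never Full Control) to the pool identity, matching the MMC step above.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Step 5: show the resulting ACL entry so the grant can be verified.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After running it, return to "Select Certificate from Server" on the SAML Configuration page; the certificate should now appear in the popup. If the pool runs as a specific domain user, the script grants that account instead of the built-in identity.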
Add SAML Service Provider
The SAML Service Provider must be named "ParentSquare".
--The Entity ID (URI) and Assertion Consumer Service URL will be provided by either Aeries or ParentSquare support.
Once the SAML Configuration has been completed, users/groups will need the "SAML Service Providers - ParentSquare" permission granted in order to Single Sign-On.
Replace SSL Certificate (if needed)
On the SAML Configuration page, you may need to replace the SSL Certificate if it has expired.
The first step to replace the SSL Certificate is to check the "Delete saved certificate information" checkbox and click "Save Settings".
The second step is to click "Select Certificate from Server" and select the updated certificate. If the new certificate does not appear, its private key will also need the Application Pool User permission described under "Grant Web Permissions".
If there is an error in the configuration or permissions, users may receive a white screen with an error message, as seen below.
Please read below for some common error messages and the causes behind them:
"An error occurred. Please try again." followed by a URL
----This error can be caused by an invalid URL. All URLs must be https.
"An error occurred. Please try again." with no URL information
----SSP.NM cannot find "parentsquare"
----SSP.URL does not contain "parentsquare.com"
----SSP.DS is true or SSP.II is false
----The user does not have read access to SAML
"Your single sign-on request could not be processed. Invalid Service Provider"
----SSP.II is false, or there is a mismatch in the database name
"Your single sign-on request could not be processed. SAML is not properly configured"
----Missing information in the SAML configuration
"Your single sign-on request could not be processed. You do not have permission to access ParentSquare"
----The user or group has not been granted the "SAML Service Providers - ParentSquare" permission
SAML Configuration uses the system clock of your Web Server(s). SAML assertions carry a validity window, so a server whose clock is off can produce sign-on failures even when everything else is configured correctly. Please ensure these servers are synced accurately with the correct time.
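One way to confirm the Web Server's clock before troubleshooting a sign-on failure is to measure its offset against a time source directly. The function below is an added example for this page, not part of the Aeries or ParentSquare tooling; it sends a raw SNTP request from PowerShell, decodes the server's transmit timestamp, and reports the offset in seconds. The NTP server name and the one-second tolerance are placeholders; a domain-joined server would normally use its domain controller as the source.

```powershell
# Added example (not from the Aeries/ParentSquare documentation): measure the local clock
# offset against an NTP server with a single SNTP query (RFC 4330 client mode).
function Get-NtpOffsetSeconds {
    param([string]$Server = 'pool.ntp.org')   # placeholder: use your DC or approved time source

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 3000
    $udp.Connect($Server, 123)

    # 48-byte request; first byte 0x1B = LI 0, version 3, mode 3 (client).
    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $sent = [DateTime]::UtcNow
    [void]$udp.Send($request, $request.Length)
    $endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $response = $udp.Receive([ref]$endpoint)
    $received = [DateTime]::UtcNow
    $udp.Close()

    # Transmit timestamp is bytes 40-47: 32-bit seconds since 1900-01-01 UTC plus a
    # 32-bit fraction, both big-endian, so reverse before using BitConverter.
    [byte[]]$secBytes  = $response[40..43]; [Array]::Reverse($secBytes)
    [byte[]]$fracBytes = $response[44..47]; [Array]::Reverse($fracBytes)
    $seconds  = [double][BitConverter]::ToUInt32($secBytes, 0)
    $fraction = [double][BitConverter]::ToUInt32($fracBytes, 0) / [math]::Pow(2, 32)
    $ntpEpoch   = [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $serverTime = $ntpEpoch.AddSeconds($seconds + $fraction)

    # Assume symmetric network delay: compare the server time to the midpoint of send/receive.
    $localMidpoint = $sent.AddTicks([long](($received - $sent).Ticks / 2))
    return ($serverTime - $localMidpoint).TotalSeconds
}

$offset = Get-NtpOffsetSeconds
$toleranceSeconds = 1   # placeholder tolerance; tighten to match your environment's policy
if ([math]::Abs($offset) -gt $toleranceSeconds) {
    Write-Warning ("Clock offset is {0:N3} s; resync the server (w32tm /resync) before testing SAML." -f $offset)
} else {
    Write-Host ("Clock offset is {0:N3} s; within tolerance." -f $offset)
}
```

Run it on each Web Server behind the load balancer, since a single server with a drifting clock will produce intermittent sign-on failures that are hard to reproduce from a workstation.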