Authentication and Single Sign-On (SSO) in TopClass
TopClass provides flexible authentication options to ensure secure and seamless access for users. This includes standard forms-based login, as well as Single Sign-On (SSO) integration with third-party systems, including AMS platforms and enterprise websites. The options allow organizations to control authentication, streamline user access, and synchronize user information across systems.
Standard Authentication
TopClass provides a standard forms-based authentication system that allows TopClass to do the following:
- Control the authentication process (username and password)
- Validate whether a user is permitted to access the system
- Maintain session information
When a user attempts to access TopClass using standard authentication, they are prompted to enter their username and password.
| Property | Value |
|---|---|
| Username | The username stored in TopClass. Often an email address, but any format is allowed. Permitted characters: letters (a-z, A-Z), numbers (0-9), and the special characters dot (.), dash (-), underscore (_), and at (@). |
| Password | The password stored in TopClass is encrypted and cannot be accessed. Users can reset their password using the Forgot Password workflow, which provides a secure time-limited link. |
Single Sign-On (SSO)
SSO allows users to log in once and navigate multiple applications without re-entering credentials. TopClass supports a variety of SSO options, typically used when a website already has user management in place.
Generic SSO Approaches
TopClass provides two standard SSO methods:
- RSA Keys: The website uses a private key and sample code to encrypt user lookup information. TopClass decrypts this information to authenticate the user. If the user does not exist, they are redirected back to the website.
- SAML: Supports IdP-initiated SAML authentication. TopClass requires a certificate (.cer file) and an endpoint to receive the SAML assertion. The NameID in the assertion is used to authenticate the user. Default limitations include:
  - Users not existing in TopClass are presented with the standard login form.
  - TopClass does not create or update user profiles based on assertion metadata.
  - Relay states (deep-linking) are not supported by default.
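A pre-flight check for the SAML behaviour and default limitations listed above, as an added example (not TopClass code): it reads the NameID from a sample assertion and reports why TopClass would fall back to the login form. The function name, the sample assertion, the username export and the exact-string comparison are assumptions, and the check does not verify the assertion's signature.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Characters the page lists as permitted in a TopClass username.
PERMITTED = re.compile(r"[A-Za-z0-9._@-]+")

# Constructed sample assertion (unsigned, trimmed to the parts this check reads).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jane.doe@example.org</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def preflight(assertion_xml, topclass_usernames, relay_state=None):
    """Return findings for one sample assertion; an empty list means no issue found.

    Diagnostic only: run it on a sample from your own IdP. It does not verify
    the signature, so it must never be used to authenticate anyone.
    """
    root = ET.fromstring(assertion_xml)
    node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if not name_id:
        return ["no NameID in assertion: nothing to match against a username"]

    findings = []
    if not PERMITTED.fullmatch(name_id):
        bad = sorted(set(PERMITTED.sub("", name_id)))
        findings.append(f"NameID has characters not permitted in usernames: {bad}")
    # Assumption: usernames are compared as exact strings.
    if name_id not in topclass_usernames:
        findings.append("NameID matches no TopClass username: the user gets the "
                        "standard login form and no profile is created")
    if relay_state:
        findings.append("RelayState present: deep-linking is not supported by default")
    return findings


if __name__ == "__main__":
    exported = {"jane.doe@example.org"}  # constructed username export
    for finding in preflight(SAMPLE_ASSERTION, exported, relay_state="/course/42"):
        print("WARN:", finding)
```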
AMS-Specific SSO Approaches
TopClass supports SSO with several AMS solutions as part of standard implementation:
- iMIS (OAuth): Uses the iMIS SSO module to create a client application, enabling seamless TopClass access. The integration updates or creates user profiles in real time. Request the TopClass iMIS Bridge configuration document for details. Access the iMIS SSO module by going to System Administration > Integrations > Integration Configuration > iMIS > SSO.
- Personify and NetForum: Standard SSO integrations are supported. See Personify Bridge or NetForum Bridge for more information.
FAQs
- Can users log in to the third-party system first, or do they need to log in to TopClass first? Users must authenticate first in the third-party system, then access TopClass via the provided link.
- If a user fails to access TopClass, can they be auto-redirected to the third-party system? Standard AMS SSO options allow automatic redirection to a configurable URL. Without this, users go to the standard TopClass login screen. Generic SSO approaches also redirect to the standard login screen on failure.
- Are other custom SSO options available? Custom solutions are possible but may impact future upgrades. TopClass support can provide guidance on the implications of using custom SSO solutions.
- Can multiple authentication methods be used? Yes. Some configurations are basic, while more complex setups may require custom SSO implementation.

