Remote Authentication (Enterprise)
What is Remote Authentication?
Remote Authentication allows a user to log in to another website (e.g. school website) and then navigate to Schoology without having to log in again. The Remote Authentication area allows you to configure your Single Sign-On (SSO) settings. By using this method of user authentication between your organization’s directory (e.g. LDAP, AD, or OD) and Schoology, you can:
- Manage user credentials from a centralized location.
- Log in to Schoology from an outside location, e.g. your school website portal.
How Does it Work?
1. The user navigates to their custom subdomain or domain alias.
2. Schoology redirects the user to the Remote Authentication URL.
3. The script running at the Remote Authentication URL will check to see if the user is logged in. Users that are not logged in must first authenticate on the remote site.
4. Using the private token and information from your database, a hash value is created.
5. The user information and the hash are then sent to Schoology.
6. Schoology receives the data and generates a new hash.
7. If both hash values match, which ensures that the data was not modified or tampered with, the user is logged into Schoology.
Before you match users to your school directory, make sure you have created or imported users into your school account.
- Either the Username or the User Unique ID field must match between your directory and Schoology in order to establish SSO.
- We recommend using the following areas to match users:
  - Match the Schoology User Unique ID to the User ID in your SIS.
  - Match the Schoology Username to the Username in your directory.
- The Schoology Username and Unique ID fields must be unique throughout your entire school.
- Unique ID: This ID is a unique identifier for each user (usually a School ID or SIS ID). It matches users with your data systems when you import/export.
- Username: Users are required to have a username or email address. Usernames are unique to your school.
Configure Remote Authentication
Once the information in Manage Users matches with your directory, you’re ready to set up remote authentication.
How Remote Authentication works:
- Set up a Remote Authentication URL on your servers, from which your users will log in using their directory credentials. This is the URL that Schoology will query when an anonymous user visits the login page and selects your school.
- A script running at the Remote Authentication URL checks to see if the user has been authenticated against your directory.
- Using the Private Token and information from your database, a hash value will be created.
- The user information and hash will be sent to Schoology.
- Schoology will receive the data and generate a new hash.
- If both hash values match, the user will be logged in to Schoology, and data will be updated or synced.
Configuring Remote Authentication in Schoology
- Click Tools.
- Select School Management.
- Click Integration on the navigation menu.
- Check Enable School Remote Authentication.
- Enter the Remote Authentication URL. This URL should exist on your servers, from which your users will log in using their directory credentials. This is the URL that Schoology will query when an anonymous user visits the login page and selects your school.
- Enter the Return URL, where users will be redirected when they log out.
Set Up the Server-Side Script
The page you specify for the Remote Authentication URL has the following two jobs:
- Identify the user. If the user is not already authenticated on your system, log the user in.
- Redirect the user to your custom domain or subdomain (for example, or respectively). Which you use depends on your organization's Schoology DNS configuration: Do you use a Schoology subdomain (myschool.schoology.com, for example) or a custom domain (lms.myschool.com, for example)?
There is no direct communication between Schoology's servers and your servers. All communication is done through redirects and query strings. You can skip steps 1 and 2 of "How does it work?" above by linking directly to the Remote Authentication URL. Your script will be responsible for generating a current timestamp (i.e. less than five minutes old).
From the SSO script, users will be passed to Schoology with the necessary parameters.
- Any parameter you include in the SSO script will update the user information in Schoology.
- Required parameters are marked:
- school_uid or username
(required, see description)
School UID (Student ID / Teacher ID)
First Name (Preferred)
(required, see description)
Schoology Role Id
Hash: The hash is used to ensure that the information passed to Schoology is not tampered with or modified. It is an MD5 hash of any information you send in the order specified by this table. The following is an example in PHP:
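<?php
// Concatenate the private token and the fields being sent, in table order,
// then take the MD5 of the resulting string.
$hash_msg = $private_token . $timestamp . $school_id . $school_uid . $name_first;
$hash_msg .= $name_first_preferred . $name_middle . $name_last . $mail;
$hash = md5($hash_msg);
?>
where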
Any information you are not passing should be omitted from the hash.
$url = ''
This parameter should not be included in the hash calculation.
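The hash exchange described under "How Does it Work?" and in the Hash entry, as an added Python example that is not Schoology's code: the sender builds the redirect, and a model of the receiving check recomputes the hash and rejects a timestamp that is five minutes old or older. The query parameter names (taken from the PHP variable names), the `hash` key, the order of the two checks, and the sample token, user and URL are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Order follows the page's PHP snippet. Parameter names are assumed to equal
# the PHP variable names; "hash" as the query key is also an assumption.
HASH_FIELDS = ["timestamp", "school_id", "school_uid", "name_first",
               "name_first_preferred", "name_middle", "name_last", "mail"]
MAX_AGE_SECONDS = 5 * 60  # the page requires a timestamp under five minutes old


def compute_hash(private_token, params):
    """MD5 of the token followed by each field that is actually sent."""
    sent = "".join(str(params[f]) for f in HASH_FIELDS if f in params)
    return hashlib.md5((private_token + sent).encode("utf-8")).hexdigest()


def build_redirect(base_url, private_token, user, now=None):
    """Sender side: the query string the SSO script redirects the user with."""
    params = {"timestamp": int(time.time() if now is None else now)}
    # Fields that are not passed are left out of both the query and the hash.
    params.update({f: user[f] for f in HASH_FIELDS[1:] if user.get(f)})
    ordered = {f: params[f] for f in HASH_FIELDS if f in params}
    ordered["hash"] = compute_hash(private_token, ordered)
    return base_url + "?" + urlencode(ordered)


def verify_redirect(url, private_token, now=None):
    """Receiver-side model: recompute the hash, then check timestamp age."""
    params = dict(parse_qsl(urlsplit(url).query))
    received = params.pop("hash", "")
    expected = compute_hash(private_token, params)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return "hash mismatch"
    ts = params.get("timestamp", "")
    age = int(time.time() if now is None else now) - int(ts) if ts.isdigit() else -1
    return "ok" if 0 <= age < MAX_AGE_SECONDS else "stale timestamp"


# Constructed sample values, not real credentials or a real endpoint.
SAMPLE_TOKEN = "example-private-token"
SAMPLE_USER = {"school_id": "1001", "school_uid": "S12345",
               "name_first": "Ada", "name_last": "Lovelace"}
SAMPLE_URL = build_redirect("https://lms.example.test/", SAMPLE_TOKEN,
                            SAMPLE_USER, now=1_700_000_000)
```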
To prevent students and teachers from logging in outside of your Remote Authentication URL, System Administrators can enable the permission Ensure user logs in using an external authentication provider.
If you encounter questions or issues while setting up the SSO script for your school or organization, submit a ticket to the Help Desk describing the issue you've encountered. The dedicated support team will work with a Schoology engineer to help provide a solution for you.