Brief Introduction to Single Sign-On (SSO)
Single Sign-On (SSO) is an access control approach that lets a single user reach multiple related, but independent, software systems. After the user logs in and is authenticated, the user has access to all of the related systems without being prompted to re-authenticate for each system. Although Single Sign-On has become an important part of the business world and many companies use either full sign-on, reduced sign-on, federated, or Security Assertion Markup Language (SAML) for user authentication, what are the pros and cons of a “Single Sign-On” approach for a school district?[1]
Pros and Cons of Single Sign-On (SSO) for a School District
As a user in an educational environment, I find having to use multiple logins or even having to re-enter passcodes frustrating. Not only do I have to allow additional time just to get up and running on my computer at work, I often find myself having to build in class time to troubleshoot anticipated technology issues. This has become less of the case with the capability of systems to remember passcodes, but can still be a frustrating experience. My current pet peeve involves having to constantly override the district firewall to access secured videos in My Big Campus (MBC). I realize this is a temporary problem that the district is working on and has mostly been the case this year, but it has reduced the use of MBC videos across the district because of the additional time required to get through the security filter. Another pet peeve is how quickly the user is timed out and has to re-authenticate. With attendance on PowerSchool, this occurs every class period.
From a student point of view, students have expressed frustration with password issues and logins for iPad apps. Most prefer to use their own mobile devices just in terms of saving time, particularly when it comes to uploading work. Some of the frustration has been reduced with students being able to use the same ID and password to log into the majority of software applications and apps.
In terms of back-office systems, district use of Oracle requires a single sign-on passcode that grants users a basic user session. Once authenticated, the user has access to resources on the same domain, while access to a different domain will require cross-domain single sign-on to add additional protections.
As an educational technology leader, I understand the cons of a Single Sign-On in an educational environment, but at the same time I am excited about some of the alternatives being piloted in K-12 schools. For example, Clever is currently being piloted in a few schools in San Francisco and appears to offer future opportunities for use of SSO. It is FERPA compliant and SOPIPA compliant, which is a concern in terms of using an SSO in K-12 education. So far it allows students and teachers to connect to more than 20 popular educational apps used in schools with just one login, including My Big Campus (MBC). It will be interesting to see where this goes in terms of security and privacy issues.
[1] The difference between full sign-on, reduced sign-on, federated, and SAML: Full sign-on allows a single user access to all associated systems without having to re-authenticate. If reduced sign-on is implemented, the user will be able to access all associated systems with the same username and password, but will have to re-enter their username and password to re-authenticate for each system. Federated works similarly to full sign-on, at least at the front end, but is different on the backend in that if one authentication system fails, the user will be denied access to all systems. SAML is an XML standard that allows a secure web domain to exchange user authentication and data authorization and allows users access to a host of web-based applications such as Google Apps.
References:
Arizona Education Learning and Accountability System (AELAS) Business Case. Retrieved on March 13, 2015 from http://www.azed.gov/aelas/files/2013/10/aelas-business-case-v1.5.pdf
Clever Opens Up ‘Instant Login’ to Any and All K-12 Districts. Retrieved on March 15, 2015 from https://www.edsurge.com/n/2014-08-26-clever-opens-up-instant-login-to-any-and-all-k-12-districts
Houston, Robert. Single Sign on programs. Enter Your Information Blog. Retrieved from http://www.enteryourinformation.com/2015/01/20/single-sign-programs/
SAML Single Sign-On (SSO) Service for Google Apps (2015). Retrieved from https://developers.google.com/google-apps/sso/saml_reference_implementation
Single Sign-on Solutions Helping K-12 Teachers. EdTech Focus On K-12. Retrieved from http://www.edtechmagazine.com/k12/article/2014/05/single-sign-solutions-helping-k-12-teachers
Lee, Donald (2014). The Pros & Cons of Implementing Single Sign-On. Cyber Security Performance Blog. Neustar. Retrieved on March 15, 2015 from https://www.neustar.biz/blog/what-is-single-sign-on-deployment-pros-cons