What is Single Sign-On?
The online learning landscape has seen significant changes in the last few years, and one of the biggest has been a shift in the role of the Learning Management System. LMS platforms used to be something of a ‘jack of all trades’ — attempting to provide every feature that an institution needed, all under one virtual roof.
But, as the web evolved, new platforms emerged which handled specific elements of online learning in innovative and specialized ways. MediaCore is one of these platforms; we do educational media storage and delivery, and we do it exceptionally well — to a level that no general LMS platform is geared up for. So, as more specialized platforms entered the market, institutions began looking beyond their LMSs and started to choose the platforms and services to best suit their unique needs — to build their perfect online learning landscape.
However, as universities began to take this approach, a new problem emerged: How does an institution manage multiple logins to multiple services, without users having to remember different usernames and passwords each time? And, how can an institution securely manage users and their access to different applications, across a typically large university user base?
Authentication — the process of securely allowing a student or faculty member to log in to a web application — and Single Sign-On (SSO) — which allows users to access multiple online services through a common identity (such as their university username and password) — are the key pieces of technology which have solved these problems for universities.
In this post I’ll cover the key players in this landscape, which are used by institutions worldwide to drive learning innovation by building a seamless ecosystem of applications for their staff and students.
Active Directory overview
Active Directory is the central directory service which underpins Windows-based networks, used by the majority of institutions. All users on an institution’s network are contained in its Active Directory — along with group memberships, which can indicate whether a user is a student or a member of staff, and often which classes they belong to.
Using Active Directory for authentication to external web applications is effective, and as AD is used almost universally by universities, it offers a great, common means of implementing Single Sign-On. But, it’s also the authentication equivalent of tapping straight into the jugular, and usually requires the installation of a piece of ‘connector’ software on the AD server.
For this reason, a number of additional protocols and Identity Providers (IdPs) have surfaced. In many cases these act as secure ‘middle men’ between the central user directory and multiple external applications, without requiring a university to directly expose its AD.
Shibboleth authentication overview
Shibboleth is an IdP that’s specific to the education world and is used as the authentication mechanism in many of our university deployments here at MediaCore. Based around the SAML protocol (more on this a little later), Shibboleth was created by a consortium of academics and institutions to provide a common authentication framework for universities who increasingly wanted to make use of innovative web applications.
The InCommon Federation, incorporating a large number of leading institutions and tool providers who have implemented Shibboleth authentication, provides a common, secure means of sharing user data between a university’s internal directory systems and external applications.
Learning Tools Interoperability (LTI) overview
Learning Tools Interoperability (LTI) is my favorite authentication mechanism — it’s lightweight, seamless and education-specific. It’s also been specifically designed to make modern LMS platforms more extensible using external resources and tools — a direct response to the shifting online learning landscape I covered at the start of this post.
LTI is unusual among these mechanisms: instead of acting as an IdP ‘middle man’ to a directory service such as AD, it passes information directly from the LMS to the tool. When a user launches an LTI-enabled tool, the LMS uses LTI to pass along some key information — such as the user’s name and email address, the course that they’re launching the tool from, and their role within that course. The external tool then uses this information to authenticate the user, and assigns permissions based on their role within the LMS course they’ve launched the tool from.
LTI is supported by all of the major LMS platforms (such as Moodle, Canvas, Blackboard and Sakai), and it's used extensively in MediaCore's own plugins for these platforms. When a user launches MediaCore from within Canvas, for instance, MediaCore uses LTI to deliver them into a media collection that specifically relates to that Canvas course — and also uses their role (e.g. instructor or student) to give them appropriate permissions within that course’s media collection. The recently released LTI 2.0 specification brings some great new functionality.
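As an added example (not MediaCore's or any LMS's own code), here is the launch described above in both directions: the LMS side signs the launch parameters with the OAuth 1.0a HMAC-SHA1 scheme that LTI 1.x launches carry, and the tool side checks the consumer key, timestamp and signature before it trusts the role to assign permissions. The consumer key, shared secret, launch URL, sample launch values and the role-to-permission mapping are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed values: a consumer key/secret is issued by the tool provider and
# configured in the LMS; these are hypothetical, not any real deployment's.
CONSUMER_KEY = "example-canvas-key"
CONSUMER_SECRET = "example-shared-secret"
LAUNCH_URL = "https://tool.example.edu/lti/launch"
SECRETS = {CONSUMER_KEY: CONSUMER_SECRET}
ROLE_PERMISSIONS = {"Instructor": "manage", "Learner": "view"}  # applied only after verification

# Constructed LTI 1.1 basic launch, as an LMS would POST it before signing.
SAMPLE_LAUNCH = {
    "lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
    "resource_link_id": "rl-7", "context_id": "course-101", "user_id": "u-42",
    "lis_person_contact_email_primary": "student@example.edu",
    "roles": "urn:lti:role:ims/lis/Learner", "oauth_consumer_key": CONSUMER_KEY,
    "oauth_nonce": "n-1", "oauth_version": "1.0", "oauth_timestamp": "1700000000",
    "oauth_signature_method": "HMAC-SHA1",
}

def _enc(s):
    return quote(str(s), safe="-._~")  # RFC 3986 encoding required by OAuth 1.0a

def oauth1_signature(method, url, params, consumer_secret):
    """HMAC-SHA1 over the OAuth 1.0a base string; LTI launches carry no token secret."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = (_enc(consumer_secret) + "&").encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_launch(method, url, params, consumer_secret):
    """LMS side: attach the signature to the launch parameters."""
    return dict(params, oauth_signature=oauth1_signature(method, url, params, consumer_secret))

def verify_launch(method, url, params, secrets, now=None, max_age=300):
    """Tool side: return (user_id, context_id, permission), or None if the launch is untrusted."""
    now = time.time() if now is None else now
    secret = secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return None  # unknown consumer: nothing to verify against
    if abs(now - int(params.get("oauth_timestamp", 0))) > max_age:
        return None  # stale launch; a nonce cache would complete replay protection
    expected = oauth1_signature(method, url, params, secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None  # forged or tampered parameters, e.g. an edited roles field
    roles = {r.rsplit("/", 1)[-1] for r in params.get("roles", "").split(",")}
    perm = next((p for r, p in ROLE_PERMISSIONS.items() if r in roles), "none")
    return params["user_id"], params.get("context_id"), perm
```

The point of the tool-side check is that the role, course and user identity are only as trustworthy as the signature over them: an edited `roles` value fails verification unless the editor also holds the shared secret.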
SAML overview
SAML — shorthand for Security Assertion Markup Language — is a common authentication protocol, allowing for the secure exchange of authentication data between different online platforms. SAML underpins many other services (including Shibboleth, which is largely based around SAML authentication requests), and can also be used by developers to integrate third-party tools with their own platforms and systems.
OAuth2 overview
OAuth2, in a similar way to SAML, is another common authentication framework. OAuth2 is used extensively in the consumer technology world — when you click ‘log in with Facebook’, or ‘log in with Google’ within an application, it’s Facebook and Google’s OAuth2 implementations that make this happen. OAuth2 also features in MediaCore’s APIs, allowing universities to integrate their own custom applications with our platform. MediaCore can act as either an OAuth2 client or an OAuth2 server, offering flexibility when institutions want to integrate the application into their own authentication workflows. OAuth2 also drives the Single Sign-On capabilities of MediaCore’s mobile video capture apps.
Recently, a number of companies and products have emerged which offer enterprise-grade authentication platforms, making it easy for organizations to work with multiple service providers — and crucially, also allowing application providers (such as MediaCore) to offer robust, enterprise-grade integration with complex systems such as Active Directory. Our partners at PingIdentity are leading the way in this universe — and their PingOne platform and ‘AD Connect’ software power MediaCore’s Active Directory integration, offering our institutions a secure, robust and seamless experience.
Google Apps for Education overview
Google Apps for Education is increasingly being adopted by institutions across the world and is extensively used by MediaCore’s own global team for communication and collaboration. Thanks to OAuth2, Google Apps can also be used as a Single Sign-On identity — universities can allow their users to log in to MediaCore using their GApps EDU credentials, or with a single click if they’re already signed into Google, or are using a Chromebook. Groups and Organizational Units can also be synced across, allowing permissions to be set using an existing group structure.
As the authentication space continues to evolve it’s exciting to see which new standards, capabilities and services emerge — allowing universities to put external applications to work in new ways for users. We’re watching the landscape for new innovations that we can incorporate into MediaCore, too.