Throughout the California Community Colleges, it is the rare student that enrolls in one community college and transfers to a four-year university or achieves a degree in two years.

 

Many of our students work, and in the current climate many have difficulty finding classes to transfer or to apply toward an Associate's Degree or certificate. The workaround, of course, is the practice of swirling (attending several colleges) to fulfill requirements. This may occur over several years and will mean several accounts at several different colleges.

A student or staff member may need multiple logins for various applications at the college as many colleges do not have a single sign-on solution. Compounding the problem, software-as-a-service (SaaS) applications for e-mail, library resources, learning management systems (LMS), and the like, are proliferating, making it difficult to control access across internal and external resources in a coordinated fashion.

With so many accounts and no single sign-on solution at the college, updating account status can be a problem. For example, if a staff member leaves, making sure that access to disparate sensitive applications is shut down is a serious security problem.

IT leadership must develop strategies for integrating cloud-based services (SaaS) with those services offered locally. Federated ID is a keystone in making this a seamless environment for the user, one that provides a common framework for Authentication, Access Control and Compliance for the institution, especially in support of legal mandates and auditing requirements.

Fortunately, a standards-based approach to authentication exists. According to the Shibboleth website:

"Shibboleth Single Sign-On and Federating Software was developed specifically to address the challenges of:

  • multiple passwords required for multiple applications.
  • scaling the account management of multiple applications.
  • security issues associated with accessing third-party services.
  • privacy.
  • interoperability within and across organizational boundaries.
  • enabling institutions to choose their authentication technology.
  • enabling service providers to control access to their resources.
  • facilitating the rapid and effective integration of disparate third-party services (like cloud computing applications), leveraging campus identity management and trust services.

An individual uses his or her campus login and password to access resources offered by the institution and provider organizations. And campus IT shops can use their authentication technology of choice—Shibboleth sits on top and provides the Web single sign-on functionality."

The two primary elements in the Shibboleth system are:

  • Identity Provider (IdP): software that leverages the organization’s existing identity and access management system to facilitate users accessing a restricted service.
  • Service Provider (SP): software run by the provider managing the restricted service.

Key to this relationship is that only the minimal amount of information necessary to access the service is passed between the two, to preserve the privacy and security of the user. For example, a provider may only need to know one attribute of the user, that they are a faculty member, to grant access to the service. The IdP passes this one attribute, authenticating the user as a faculty member at the college, and access is granted by the SP. With authentication at the local campus via Shibboleth connected to existing identity and access systems, institutions have much better control of security.
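The minimal-release exchange described above, as an added example that is not part of the original post and is not Shibboleth's own code or configuration format: a simplified Python model of an IdP filtering attributes per SP and an SP deciding on the released attribute alone. The entity IDs, attribute names, user record and policy structure are all constructed assumptions.

```python
# Added illustration: simplified model of IdP-side attribute release and
# SP-side authorization. All names and values below are constructed.

# Constructed directory record held by the campus identity system.
USER_RECORD = {
    "uid": "jdoe",
    "mail": "jdoe@college.example.edu",
    "employeeNumber": "0012345",
    "affiliation": ["faculty", "employee", "member"],
}

# Per-SP release policy: attribute name -> permitted values (None = any value).
# An SP with no entry receives nothing (default deny).
RELEASE_POLICY = {
    "https://library.example.org/sp": {"affiliation": {"faculty", "student"}},
    "https://lms.example.org/sp": {"uid": None, "affiliation": None},
}


def release_attributes(record, sp_entity_id, policy=RELEASE_POLICY):
    """Return only the attributes and values the policy permits for this SP."""
    rules = policy.get(sp_entity_id, {})
    released = {}
    for name, allowed in rules.items():
        if name not in record:
            continue
        values = record[name] if isinstance(record[name], list) else [record[name]]
        if allowed is not None:
            # Value-level filtering: drop values the SP has no need to see.
            values = [v for v in values if v in allowed]
        if values:
            released[name] = values
    return released


def sp_grants_access(assertion_attributes, required_affiliation="faculty"):
    """SP-side check: decide on the released attribute alone, not on identity."""
    return required_affiliation in assertion_attributes.get("affiliation", [])


if __name__ == "__main__":
    for sp in ("https://library.example.org/sp", "https://unknown.example.net/sp"):
        attrs = release_attributes(USER_RECORD, sp)
        print(sp, attrs, "access:", sp_grants_access(attrs))
```

The library SP learns only that the user is faculty, with no username, e-mail address or employee number, while an SP with no policy entry receives nothing and therefore denies access.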

Governance of user attributes, their meaning and use between identity providers and service providers requires trust relationships. Governance of these agreements has fallen to the InCommon Federation, which includes more than 200 educational institutions and vendors brought together with the purpose of creating collaborative trust for authentication and access to protected services in education and research.

In Part II of this blog I’ll address how Federated ID may be applied to our systemwide applications and the implications for tying our disparate student accounts together to better facilitate our students achieving their academic goals.

The above quote, sourced from the Shibboleth website, can be found at: http://shibboleth.internet2.edu/why-shibboleth.html