Single Sign-on for Education
In today’s digital age, students, faculty, and staff need more than books, pens, and a notebook to be successful. Expensive software, online resources, group chats, and a variety of apps are now commonplace in any institution. While this technology can enhance learning, it does come with its own set of challenges. Simply trying to remember and create all of the passwords needed for multiple required apps can be overwhelming and time-consuming.
Many higher education institutions overlook Single Sign-On as a critical requirement. However, as more applications and resources become available to faculty, staff, and students, providing seamless access becomes increasingly important. Today, Single Sign-On is commonly deployed for applications such as Blackboard LMS, Canvas LMS, SharePoint, and Office 365.
Kerberos, SAML, Shibboleth, and CAS are all SSO technologies that improve both usability and security for the entire organization: users authenticate once, and individual applications no longer have to store and check passwords of their own. In addition, SSO gives higher education institutions the ability to brand a central login portal that conveys trust and reliability to an expanding audience of end-users.
UNIVERSITY SSO EXAMPLE:
Without Single Sign-on
Before Single Sign-On (SSO) was implemented at the school, students would sign into the application suite that hosts their student account. The suite usually includes a word processing application, such as Microsoft Office or Google Drive, so students can type up assignments. The rest of the applications correspond to courses offered at the school: C++ or Python tools for programming students, PASCO’s Capstone data collector for physics students, or Waves MaxxAudio Pro for audio engineers.
Suppose a school purchases an organizational account with LucidChart, an online application that organizes data into tables or flowcharts. Any student who uses LucidChart must log in with their student username. Then the student is prompted to create a second password to use when signing into LucidChart.
When the student completes the assignment requiring a LucidChart graph, the second password is often forgotten, and the LucidChart application goes unused. Despite the fact that the application could help visual learners organize lecture content, it remains untouched because resetting that second password is too much of a hassle to deal with.
With Single Sign-On
With Single Sign-On, the student logs in to a portal with one password. Once logged in, a landing page displays every application the student has access to. From there, students can click on any application to sign in, with no additional passwords needed. SSO eliminates multiple logins and multiple passwords: the student authenticates once to the portal, and each application trusts that authentication instead of keeping a password of its own.
Learn how Northeast Iowa Community College reduced password-related IT support calls by 90% after implementing PortalGuard’s unified SSO and SSPR solution in the on-demand webinar Faced with Limitations: NICC’s Journey to a Secure Student Experience.
Types of SSO Protocols
A key point in understanding SSO is that not all applications use the same protocol. There are many industry-standard Single Sign-On protocols that applications and vendors can use:
- SAML SSO: The Summa Cum Laude of web SSO. SAML (Security Assertion Markup Language) has the broadest integration reach, as almost every modern web application supports it. The IdP hands the application a digitally signed assertion about the user, delivered through the user’s browser.
- CAS SSO: The Magna Cum Laude of web SSO. CAS uses its own central CAS server as the trusted third party for authentication: the application redirects the user to the CAS server, the browser comes back with a short-lived, single-use service ticket, and the application validates that ticket directly with the CAS server before granting access. These checks build on the basics of SSO with additional safeguards.
- Shibboleth SSO: an open-source implementation of SAML (an IdP and an SP) designed specifically for authorization and identity management across organizational boundaries, and widely used by research and education federations. Fewer popular applications advertise Shibboleth support by name, but because it speaks standard SAML it is a widely used and recommended option for that subset of federated scenarios.
- Kerberos SSO: The MIT brainchild and the protocol behind Windows Active Directory domain logon. Kerberos provides mutual authentication between the client and the service using tickets issued by a trusted Key Distribution Center (KDC), so neither side sends a password across the network. Typically, Kerberos only provides SSO at the intranet level, since the client must be able to reach the KDC.
- And many more…
Which SSO protocol, CAS or SAML?
It can often be difficult to decide which protocol to utilize within an environment. Security Assertion Markup Language (SAML) and Central Authentication Service (CAS) are common names on the list of top protocols for higher education, but how does an institution know which is right for them?
Knowing What’s Available – Is There a Choice?
The first question to ask is this: What options are available? Not all applications support every industry-standard protocol. Knowing which option is supported by the application will take the guesswork out of the process.
From there, the deciding factor turns to the Identity Provider (IdP). Much like each individual application, each IdP differs in which protocols it supports. For example, the PortalGuard IdP supports a wide range of industry-standard protocols, while IdPs such as Shibboleth or ADFS concentrate on a narrower set.
If both the application and the IdP support multiple industry-standard protocols, the institution has the flexibility to choose from the available options. At this point, it comes down primarily to preference and which option will better serve the institution in the long run.
The Modern Industry Standard Protocol
CAS and SAML each have their own benefits. SAML SSO, however, is the clear winner in terms of a more ‘modern’ industry-standard protocol. SAML makes use of digital signatures on assertions (and optionally on requests and metadata) so the application can verify that an assertion came from the IdP and was not altered in transit, and its metadata-driven setup simplifies integration for a more streamlined, easier-to-troubleshoot experience.
CAS, on the other hand, relies on an additional server-to-server (back-channel) step that many organizations prefer to SAML’s browser-mediated flow: after the browser delivers a service ticket to the application, the application server calls the CAS server directly to validate the ticket before trusting the request. This step is where most troubleshooting occurs, however, because server-to-server communication has its own pitfalls: the application must reach the CAS server over TLS with a certificate it trusts, the service URL it presents must match the one the ticket was issued for, and the short-lived, single-use ticket must be validated promptly or it expires. Securing that channel and getting the timing right is the most common difficulty with CAS authentication.
Furthermore, configuring each protocol differs considerably when comparing SAML to CAS. With SAML SSO, the IdP and the application (commonly referred to as the Service Provider or SP) exchange metadata documents that declare each side’s entity ID, endpoints, and signing certificates, so configuration on either side is largely a matter of importing the other’s metadata, and both sides start from an ‘outline’ of what is required. The CAS SSO protocol has no metadata exchange: the application’s service URL must be registered by hand on the CAS server, and the CAS server’s login and validation URLs configured by hand in the application. While not entirely difficult, this process is more involved and introduces more potential problem points that could break the integration if not handled correctly.
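The following is an added example, not PortalGuard’s, Ellucian Banner’s or Apereo CAS’s code, that walks the CAS exchange described above in Python: the CAS server issues a single-use service ticket at login, the application validates it server-to-server and parses the cas:serviceResponse, and the three failure modes named above (a replayed ticket, a ticket presented for the wrong service, and validation after the ticket has expired) each come back as a failure. The service URLs, user name, ten-second ticket lifetime and the fake clock are assumptions constructed for the example; the element names and error codes follow the CAS protocol.

```python
"""Miniature CAS service-ticket exchange (login redirect, back-channel /serviceValidate,
cas:serviceResponse XML). Added illustration for this article, not PortalGuard's, Ellucian
Banner's or Apereo CAS's code; URLs, user name, ticket lifetime and the fake clock are
constructed assumptions, while element names and error codes follow the CAS protocol."""
import re
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
ST_LIFETIME = 10.0                                  # seconds a service ticket stays valid (assumed)
TICKET_RE = re.compile(r"^ST-[A-Za-z0-9_-]{8,}$")   # reject malformed tickets before lookup


def cas_response(body: str) -> str:
    return f'<cas:serviceResponse xmlns:cas="{CAS_NS}">{body}</cas:serviceResponse>'


def failure_response(code: str, msg: str) -> str:
    return cas_response(f'<cas:authenticationFailure code="{code}">{escape(msg)}</cas:authenticationFailure>')


class CasServer:
    """The IdP side: issues one-time service tickets and validates them."""

    def __init__(self, registered_services, clock):
        self.registered = set(registered_services)  # stands in for the CAS service registry
        self.clock = clock                          # returns seconds; injectable so tests can age tickets
        self.tickets = {}                           # ticket -> (service, user, issued_at)

    def login(self, user: str, service: str) -> str:
        """Portal has authenticated `user`: issue an ST and return the browser redirect URL."""
        if service not in self.registered:
            raise PermissionError(f"unregistered service: {service}")
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (service, user, self.clock())
        return f"{service}?{urlencode({'ticket': ticket})}"

    def service_validate(self, service: str, ticket: str) -> str:
        """Back-channel /serviceValidate; the ticket is consumed on first lookup, so a replay fails."""
        if not TICKET_RE.match(ticket or ""):
            return failure_response("INVALID_TICKET_SPEC", "malformed ticket")
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return failure_response("INVALID_TICKET", "ticket unknown or already used")
        issued_for, user, issued_at = entry
        if self.clock() - issued_at > ST_LIFETIME:
            return failure_response("INVALID_TICKET", "ticket expired")
        if issued_for != service:
            return failure_response("INVALID_SERVICE", "ticket was issued for another service")
        return cas_response(f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
                            "</cas:authenticationSuccess>")


def parse_validation_response(xml_text: str):
    """Return the user from a cas:serviceResponse, or None on any failure. The real response
    is untrusted network input; prefer a hardened XML parser to the stdlib in production."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None


class CasClient:
    """The application side (an LMS or ERP front end) that trusts the CAS server."""

    def __init__(self, server: CasServer, service_url: str):
        if urlsplit(service_url).scheme != "https":
            raise ValueError("service URL must be https so tickets never travel in clear")
        self.server, self.service_url = server, service_url

    def handle_callback(self, callback_url: str):
        """Browser arrives at service_url?ticket=ST-...; validate before creating a session."""
        parts = urlsplit(callback_url)
        if parts._replace(query="", fragment="").geturl() != self.service_url:
            return None                             # ticket delivered to a URL this app does not own
        ticket = parse_qs(parts.query).get("ticket", [""])[0]
        # Server-to-server step: in a deployment this is an HTTPS request to the CAS server,
        # made with certificate verification on, not a local method call.
        return parse_validation_response(self.server.service_validate(self.service_url, ticket))


def demo():
    """Happy path plus the three failure modes: replay, wrong service, late validation."""
    clock = [1000.0]                                # constructed fake clock, in seconds
    server = CasServer({"https://lms.example.edu/cas", "https://erp.example.edu/cas"}, lambda: clock[0])
    lms = CasClient(server, "https://lms.example.edu/cas")
    erp = CasClient(server, "https://erp.example.edu/cas")
    results = {}
    redirect = server.login("jdoe", lms.service_url)
    results["first_use"] = lms.handle_callback(redirect)            # 'jdoe'
    results["replay"] = lms.handle_callback(redirect)               # None: ticket already consumed
    ticket = parse_qs(urlsplit(server.login("jdoe", lms.service_url)).query)["ticket"][0]
    results["wrong_service"] = parse_validation_response(            # None: INVALID_SERVICE
        server.service_validate(erp.service_url, ticket))
    redirect = server.login("jdoe", erp.service_url)
    clock[0] += ST_LIFETIME + 1                                     # validated too late
    results["expired"] = erp.handle_callback(redirect)               # None: ticket expired
    return results


if __name__ == "__main__":
    print(demo())
```

The server consumes the ticket before checking anything else, so even an expired or mismatched ticket cannot be retried, and the client refuses to validate a ticket that arrived at any URL other than its own registered service URL. In a real deployment the `service_validate` call is an HTTPS request to the CAS server, which is exactly the channel whose certificate trust and latency cause the troubleshooting mentioned above.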
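As an added example of the metadata-driven configuration described above, not PortalGuard’s or any SAML library’s code, the Python below reads a constructed SP metadata document the way an IdP would when registering the application, pulls out the entity ID, AssertionConsumerService endpoints, signing certificate and signing flags, and runs two checks an administrator wants before enabling the SP: that an assertion is only ever posted to an ACS the SP declared, and that every endpoint is https and assertions are required to be signed. The metadata document, hostnames and placeholder certificate value are assumptions constructed for the example; the element and attribute names are those of the SAML 2.0 metadata schema.

```python
"""Reading SAML SP metadata the way an IdP does when an application is registered. Added
illustration for this article, not PortalGuard's or any SAML library's code; the metadata
document, hostnames and placeholder certificate value are constructed for the example,
while the element and attribute names are those of the SAML 2.0 metadata schema."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata, as an LMS might publish at its /saml/metadata URL.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://lms.example.edu/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="https://lms.example.edu/saml/acs"/>
    <md:AssertionConsumerService Binding="{HTTP_ARTIFACT}" index="1"
        Location="https://lms.example.edu/saml/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def saml_bool(value) -> bool:
    """SAML boolean attributes are spelled "true"/"1" or "false"/"0"."""
    return value in ("true", "1")


def load_sp_metadata(xml_text: str) -> dict:
    """Extract what the IdP needs: entity ID, ACS endpoints, signing certs, signing flags."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    acs = [{"binding": el.get("Binding"), "location": el.get("Location"),
            "index": int(el.get("index", "0")), "default": saml_bool(el.get("isDefault", "false"))}
           for el in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    certs = [c.text.strip() for c in sp.findall(
        f"{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")]
    default = next((a for a in acs if a["default"]), min(acs, key=lambda a: a["index"], default=None))
    return {"entity_id": root.get("entityID"), "acs": acs,
            "default_acs": default["location"] if default else None,
            "want_assertions_signed": saml_bool(sp.get("WantAssertionsSigned", "false")),
            "authn_requests_signed": saml_bool(sp.get("AuthnRequestsSigned", "false")),
            "signing_certs": certs,
            "nameid_formats": [n.text for n in sp.findall(f"{{{MD}}}NameIDFormat")]}


def acs_allowed(meta: dict, requested_acs: str) -> bool:
    """An AuthnRequest may carry its own AssertionConsumerServiceURL; the IdP must only
    post an assertion to a location the SP declared in metadata, never to an arbitrary URL."""
    return any(a["location"] == requested_acs for a in meta["acs"])


def audit_sp(meta: dict) -> list:
    """Checks an administrator wants before enabling the SP; an empty list means clean."""
    findings = []
    for a in meta["acs"]:
        if urlsplit(a["location"]).scheme != "https":
            findings.append(f"ACS {a['location']} is not https")
    if not meta["want_assertions_signed"]:
        findings.append("SP does not require signed assertions")
    if meta["authn_requests_signed"] and not meta["signing_certs"]:
        findings.append("SP claims to sign requests but publishes no signing certificate")
    return findings


if __name__ == "__main__":
    meta = load_sp_metadata(SAMPLE_SP_METADATA)
    print(meta["entity_id"], meta["default_acs"], audit_sp(meta))
```

The `acs_allowed` check is the one that matters most for security: because the SP’s endpoints come from metadata rather than from whatever URL a login request happens to carry, the IdP has a fixed list of places it is allowed to send a signed assertion. CAS has no equivalent document, which is why its service URLs have to be registered by hand on the CAS server.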
Ellucian Banner and CAS SSO
Providing true SSO to Ellucian Banner, an ERP system for universities, has never been an easy task. Thankfully, Banner supports CAS SSO, which improves Banner’s usability and at the same time widens its integration points: CAS opens Banner up to unique configurations and deployments across a much wider selection of higher education institutions.
Specifically, the PortalGuard IdP can integrate with Banner using the CAS SSO protocol, as well as provide integrated password reset and multi-factor authentication. This integration provides streamlined access through a large selection of varying configurations.
Recommendation – Work Smarter, Not Harder
End-to-end, SAML SSO is the clear winner for which industry-standard protocol to utilize when given the choice. The overall configuration process is much more straightforward and reliable, allowing administrators to proceed with more pressing work instead of troubleshooting every minor step along the way.
Where CAS is the only option an application supports, it remains a strong, secure industry-standard protocol for end-users. In the long run, however, more apps will support SAML SSO for its streamlined, secure, and simplified integration capabilities.
With an IdP like PortalGuard, institutions do not have to choose between SAML or CAS. Trusted by over 200 institutions, PortalGuard has become a highly regarded solution for providing higher education with both usability and security at a competitively low price-point. Learn more about PortalGuard Single Sign-on and read the stories from our higher education customers.