I think part of the problem in achieving single sign on in most schools is the inflexibility of Active Directory itself. Now imagine if AD would let you 'validate' users from another source, say Shibboleth for example. My old LEA used Shibboleth for its e-mail authentication, so every user in every school within that LEA has a valid account on its Shibboleth server. It is also planning to use it for its LEA-wide VLE, which is in the works at the moment.
What would have been great is if my local AD server would also talk to the LEA's Shibboleth server, and allow me to select accounts that I would like to allow onto my network. I could still assign them group memberships and manage the account locally within my AD environment, but Shibboleth can provide the authentication method behind the scenes, which means the same username and password can then be used for everything! If they then moved schools within the LEA, I could de-validate their account within my AD, and the next school can validate it on theirs. Also, pupils that attend more than one school, 6th formers for example, could be validated at both schools.
That way, services that tie into AD like Moodle and Exchange can also use the same username and password. If all these different authentication services could actually talk to each other behind the scenes, then we'd be onto a winner!
Last edited by maniac; 15th July 2008 at 08:41 PM.
As I have said earlier, the issue here is that we currently have vast numbers of passwords. Many services are provided by external people (our LEA, Capita, private software companies, etc.). To get them all linked in would a) cost a fortune and b) actually be impossible in a short timeframe.
I understand 100% that in the long term, federated logins, etc. are the goal. But we are talking at least 5 years, probably more.
In the meantime, the problem still exists, with more login boxes appearing all the time.
So whilst a Citrix SSO solution may seem quick and dirty, that is precisely what is needed until proper SSO is actually attainable.
Seems like there is also Shibboleth/Active Directory interoperability:
Internet2, the foremost U.S. advanced networking consortium, has developed Shibboleth™, the widely-deployed federated authentication architecture. In support of the Windows Server 2003 R2 release, Internet2 is extending Shibboleth to provide interoperability with Microsoft's Active Directory Federation Services (ADFS), allowing sites using ADFS to participate in the rapidly growing number of Shibboleth-based federations worldwide, such as InCommon™.
Have been doing a fair bit of reading on this over the last couple of days, and it appears that there are a few ESSO (enterprise SSO) options that can help with what localzuk is trying to do...
One of the more interesting ones I've come across is OpenSSO... a community project led by Sun to develop an ESSO system based on their commercial Java Identity Access Manager product.
Don't know how easy it is to set up, configure and develop, but it can't hurt to download the source and give it a whirl.
Other than that, no products stick out other than Citrix and Novell (SecureLogin), which have already been mentioned.
As for federation, which is what LEAs/RBCs are dealing with, it's really about moving to standards-based techniques... the terminology differs (for instance, how ADFS and Shibboleth refer to 'identity providers' differs), but the goal is to build applications and token authentication schemes to be standards compliant; in particular I see parties going down the route of SAML and the WS-* stack.
For us, like localzuk, a WebSSO project within the enterprise is more of a priority than the idea of intra-enterprise federation. WebSSO is the most obvious part of an identity and access management solution, and that's more than enough to be getting started with.
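The thread keeps coming back to the same picture: the LEA's Shibboleth server acts as the identity provider, a school's own services (the VLE, Moodle, Exchange) accept its word for who a user is, and SAML is the standard that carries that word. What follows is an added example and not code from the thread, nor from Shibboleth, OpenSSO or ADFS: a small Python model of the service-provider side of a SAML 2.0-style login, written the way a school VLE would validate an assertion minted by the LEA IdP before creating a local session. The entity IDs, usernames and signing key are made up for the example. A real assertion carries an XML-DSig that the SP verifies with the IdP's public key from federation metadata; here an HMAC over the serialised assertion stands in for that signature so the example runs on the standard library, which changes nothing about the checks the SP has to make (signature before anything else, trusted issuer, NotBefore/NotOnOrAfter with clock skew, audience restriction, one-time assertion ID).

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SAML = "{%s}" % SAML_NS
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical entity IDs, assumed for the example (not from the thread).
IDP_ENTITY_ID = "https://idp.example-lea.gov.uk/shibboleth"
SP_ENTITY_ID = "https://vle.example-school.sch.uk/shibboleth"
# Real assertions carry an XML-DSig verified with the IdP key from federation
# metadata; an HMAC over the serialised bytes stands in for it here.
IDP_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

class SamlError(Exception):
    """Raised when the SP must reject an assertion."""

def _parse(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

def _sign(assertion_xml):
    return hmac.new(IDP_SIGNING_KEY, assertion_xml, hashlib.sha256).hexdigest()

def issue_assertion(subject, now, audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID,
                    lifetime=300):
    """IdP side: mint a short-lived assertion for one SP. Returns (xml, sig)."""
    a = ET.Element(SAML + "Assertion", ID="_" + secrets.token_hex(16))
    ET.SubElement(a, SAML + "Issuer").text = issuer
    subj = ET.SubElement(a, SAML + "Subject")
    ET.SubElement(subj, SAML + "NameID").text = subject
    cond = ET.SubElement(a, SAML + "Conditions",
                         NotBefore=(now - timedelta(seconds=30)).strftime(TIME_FMT),
                         NotOnOrAfter=(now + timedelta(seconds=lifetime)).strftime(TIME_FMT))
    ar = ET.SubElement(cond, SAML + "AudienceRestriction")
    ET.SubElement(ar, SAML + "Audience").text = audience
    xml = ET.tostring(a)
    return xml, _sign(xml)

class ServiceProvider:
    """SP-side validation. seen_ids would be a shared, persistent store in practice."""
    def __init__(self, entity_id=SP_ENTITY_ID, trusted_issuer=IDP_ENTITY_ID, skew=60):
        self.entity_id, self.trusted_issuer = entity_id, trusted_issuer
        self.skew, self.seen_ids = timedelta(seconds=skew), set()

    def validate(self, xml, signature, now):
        """Return the asserted username, or raise SamlError."""
        # Signature first: nothing in the XML is trustworthy until it passes.
        if not hmac.compare_digest(_sign(xml), signature):
            raise SamlError("signature check failed")
        root = ET.fromstring(xml)
        # Only the IdP we federate with may vouch for users (with real XML-DSig
        # this is tied to verifying with that issuer's key).
        if root.findtext("saml:Issuer", namespaces=NS) != self.trusted_issuer:
            raise SamlError("untrusted issuer")
        cond = root.find("saml:Conditions", NS)
        if cond is None:
            raise SamlError("missing Conditions")
        # Validity window, tolerating a little IdP/SP clock skew.
        if now + self.skew < _parse(cond.get("NotBefore")):
            raise SamlError("assertion not yet valid")
        if now - self.skew >= _parse(cond.get("NotOnOrAfter")):
            raise SamlError("assertion expired")
        # An assertion minted for another school's SP must not log anyone in here.
        audiences = [e.text for e in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise SamlError("audience mismatch")
        # Replay: each assertion ID is honoured once.
        aid = root.get("ID")
        if aid in self.seen_ids:
            raise SamlError("replayed assertion")
        self.seen_ids.add(aid)
        return root.findtext("saml:Subject/saml:NameID", namespaces=NS)

def rejected(sp, xml, sig, at):
    """Run validate() and return the rejection reason, or None if accepted."""
    try:
        sp.validate(xml, sig, at)
    except SamlError as e:
        return str(e)
    return None

def demo():
    """One good login, then the failure modes the SP has to catch."""
    now = datetime(2008, 7, 15, 20, 41, tzinfo=timezone.utc)  # fixed for determinism
    sp = ServiceProvider()
    xml, sig = issue_assertion("jbloggs", now)  # constructed sample user
    other_sp = "https://vle.other-school.sch.uk/shibboleth"
    rogue_idp = "https://idp.evil.example"
    return {
        "ok": sp.validate(xml, sig, now),
        "replay": rejected(sp, xml, sig, now),
        "tampered": rejected(sp, xml.replace(b"jbloggs", b"headteacher"), sig, now),
        "expired": rejected(sp, xml, sig, now + timedelta(minutes=10)),
        "wrong_audience": rejected(sp, *issue_assertion("jbloggs", now, audience=other_sp), now),
        "rogue_issuer": rejected(sp, *issue_assertion("jbloggs", now, issuer=rogue_idp), now),
    }
```

Calling demo() shows the first login for jbloggs succeeding and then the same assertion presented a second time, a tampered copy, an expired one, one minted for another school's SP and one from an unknown issuer each being rejected with the stated reason. In a deployment the seen_ids set lives in a shared store kept for at least the NotOnOrAfter lifetime, and an SP-initiated flow additionally checks the assertion's InResponseTo against the request it issued; a Shibboleth SP or an ADFS relying party performs all of these checks for you.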