General Chat Thread, Single Sign on software in General
15th July 2008, 09:37 PM #31
I think part of the problem in achieving single sign on in most schools is the inflexibility of active directory itself. Now imagine if AD would let you 'validate' users from another source, say shibboleth for example. My old LEA used shibboleth for its e-mail authentication, so every user in every school within that LEA has a valid account on its shibboleth server. It is also planning to use it for its LEA-wide VLE which is in the works at the moment.
What would have been great is if my local AD server would also talk to the LEA's shibboleth server, and allow me to select accounts that I would like to allow onto my network. I could still assign them group memberships and manage the account locally within my AD environment, but shibboleth can provide the authentication method behind the scenes, which means the same username and password can then be used for everything! If they then moved schools within the LEA, I could de-validate their account within my AD, and the next school can validate it on theirs. Also pupils that attend more than one school, 6th formers for example, could be validated at both schools.
That way services that tie into AD like moodle and exchange can also use the same username and password. If all these different authentication services could actually talk to each other behind the scenes, then we'd be onto a winner!
Last edited by maniac; 15th July 2008 at 09:41 PM.
15th July 2008, 10:15 PM #32
As I have said earlier, the issue here is that we currently have vast amounts of passwords. Many services are provided by external people (our LEA, Capita, private software companies etc...). To get them all linked in would a) cost a fortune and b) actually be impossible in a short timeframe.
I understand 100% that in the long term, federated logins etc... are the goal. But we are talking at least 5 years, probably more.
In the meantime, the problem still exists, with more login boxes appearing all the time.
So whilst a citrix sso solution may seem quick and dirty, that is precisely what is needed, until proper SSO is actually attainable.
15th July 2008, 10:30 PM #33
it's been running since 2006
Originally Posted by localzuk
UK Federation Information Centre | Home / Home browse
15th July 2008, 10:46 PM #34
Seems like there is also shibboleth/active directory interoperability:
From here: Windows Server 2003 R2 Partners
Internet2, the foremost U.S. advanced networking consortium, has developed Shibboleth™, the widely-deployed federated authentication architecture. In support of Windows Server 2003 R2 release, Internet2 is extending Shibboleth to provide interoperability with Microsoft's Active Directory Federation Services (ADFS), allowing sites using ADFS to participate in the rapidly growing number of Shibboleth-based federations worldwide, such as InCommon™
and interesting project here: shibboleth-on-windows
Apologies for almost hijacking this thread, as none of the above really answers localzuk's original question, although I think it is relevant.
15th July 2008, 10:54 PM #35
It may well be running but I don't see it being implemented within schools, within the programs that we use, within our LEA services and within RBC's any time soon.
Originally Posted by CyberNerd
Those are still many years off.
15th July 2008, 10:57 PM #36
still, a lot of colleges and councils have already signed up as identity providers
UK Federation Information Centre | Documents / MemberList browse
17th July 2008, 11:25 AM #37
Have been doing a fair bit of reading on this over the last couple of days, and it appears that there are a few options under the ESSO (enterprise SSO) that can help with what localzuk is trying to do....
One of the more interesting ones I've come across is opensso....a community project led by Sun to develop an ESSO system based on their Java identity Access Manager commercial product.
Don't know how easy it is to setup, configure and develop but it can't hurt to download the source and give it a whirl.
Other than that, no products stick out other than citrix and novell (securelogin) which have already been mentioned.
As for federation, which is what LEA's/RBC's are dealing with, it's really about moving to standards based techniques...the terminology differs (for instance how ADFS and Shibboleth refer to 'identity providers' differs) but the goal is to build applications and token authentication schemes to be standard compliant - particularly see parties going down the route of SAML and the WS-* stack.
For us, like localzuk, a WebSSO project within the enterprise is more of a priority than the idea of intra-enterprise federation. WebSSO being the most obvious part of an identity and access management solution - and that's more than enough to be getting started with.