Single Sign on - Cheaply?

[reggiep]

We are currently building a new domain for summer and trying to think of added extras we can add on to the network to make it a more pleasant user experience.
One thing that had been asked about in the past was SSO so we did look into it with Tools4ever UK but the cost would be nearly £6000 for licencing and set up.
I was hoping for something a little more on the free/cheap side!
We'd like our users to not have to log in to their email (live@edu-staff google apps-students) or moodle(On a linux box) every time they log on.

Anyone have any suggestions?

Thanks

[jamesfed]

Are we talking Single Instance Sign On where you login to the PC once and thats the last time you touch a username/password box forever or Single Sign On where you have a single username/password for all your services but are prompted to login to each one?

[tom_newton]

moodle can probably work with ntlm or kerberos through apache...

[glennda]

moodle can probably work with ntlm or kerberos through apache...

Yes it can - easier to setup on windows but can be done on linux so I'm told I got bored trying!

[reggiep]

Well, I guess logging in to the computer and then not having to log into anything else would be the nicest solution but not sure if that is achievable.
I did have a look at ntlm with moodle but it did get a bit scary.

[plexer]

live@edu / office 365 for education can be configured with on-premises s/w to facilitate what you desire.

Ben

[reggiep]

live@edu / office 365 for education can be configured with on-premises s/w to facilitate what you desire.

Ben

I believe that is something to do with forefront?

[GrumbleDook]

I believe that is something to do with forefront?

For single sign-on with Live@Edu / Office365 then have a look at the MS blog UK Live@edu Blog - Site Home - MSDN Blogs or chat to @jamesbmarshall as he is the best port of call. The blog has a lot of guides about how you can do the integration and if you search on EG you can see what others have said about the limitations or benefits of each option available.

[plexer]

I believe that is something to do with forefront?

Forefront Identity Manager AKA FIM yes.

Ben

[jamesbmarshall]

...or chat to @jamesbmarshall as he is the best port of call.

Fire away!

[reggiep]

Fire away!

Aha, We currently use live@edu for our staff but not students as there doesn't seem to be an easy way to link via AD. Google has a tool to create a script that we run regularly that adds the AD users we select to google apps. Anyway that's just a grumble for another time!

We are currently setting up a new domain which we will be adding as much MS tools as we can that are covered by the MS license agreement that we have. Would FIM be a tool we would need?

Thanks

[plexer]

Deploy Outlook Live Directory Sync for Live@edu

Ben

[reggiep]

Deploy Outlook Live Directory Sync for Live@edu

Ben

Looks like we really need to install FIM!

[plexer]

There is a similar set of steps for office 365 and as live@edu is becoming office 365 for education you may want to hold fire on anything at the moment.

With the live@edu tools you use pcns to sync password changes but that isn't used for office 365 so there is no password sync.

MigrationWiz have produced a simple tool to sync ad and office 365 but it's only available to customers using their migration tool.

MigrationWiz AD to Office 365 DirSync Deployment Guide « MigrationWiz Blog

Ben

[jamesbmarshall]

Would FIM be a tool we would need?

You can use FIM 2010 (and the OLSync management agent) to automatically provision users into Live@edu; for a bit of added work you could also set up PCNS and sync passwords from your AD as well - resulting in your users have a single set of credentials to manage (and a single place to manage them from, too!).

In fact, if you really wanted to pull out the stops you could also use FIM to build a self-service password reset portal for your users, and then you can practically write off ever having to reset a user's password manually ever again! (Obviously, that's with my "optimist hat" on! )

SSO is a really difficult thing to define properly. Most of the time customers just want what I would term as "CSO" (consistent sign-on), rather than a seamless experience.

With Live@edu you can achieve this using the FIM+OLSync+PCNS model for CSO, and you can build a form of SSO if you want to integrate Live@edu into a web portal that you might already have (i.e. users sign into that portal, and are automatically auth'd into Live@edu).

With Office 365 for education you have better choices as you can go for federation, but with a significant number of different devices and user scenarios to consider it's worth spending some time to figure out exactly which scenarios you're going to support rather than trying to support everything.

Hope that helps!