The problem of information silos is one that plagued most industries and education is no exception. It is not uncommon to hear from districts complaining that their parents might have 5 or more unique logins for the various systems required to stay involved in their child’s education. School districts may have a student information system, learning management system, online registration system, athletic registration system, cafeteria lunch card system, parent alert system, etc, each of which may require parents to have a unique account to access them. This problem is complicated with the explosion of software as a service (SAS) or cloud services. In the past, it was common for customer hosted systems to support LDAP authentication, but with many cloud services, it seems that these federated mechanisms for authentication are less often implemented. Of course LDAP authentication isn’t SSO, but LDAP would at least unify accounts and provide a single username and password to an end-user.
So why isn’t web SSO more widely implemented? Are there problems with web SSO? Yes, of course there are. SAML, for example, is often criticized for being over-engineered, and the available IDP attributes can take various forms and are not standardized. Also web SSO can be more difficult to implement from a development perspective and is more difficult to setup for the client. Even with the shortcomings, SAML and other web SSO options still award us with many benefits that can make them worthwhile.
Most school districts, whether they know it or not, can support SAML or similar protocols. If the school district is running AD (with ADFS) or PowerSchool SIS, then they have the ability to use SSO even from cloud based applications. The irony of education not making better use of SSO with cloud services is that it can be much easier to manage and more secure in the long term.
A few of the benefits a web SSO includes:
- A greatly improved end-user experience, making the separate systems seems like a single ecosystem
- A single account for your organizations IT department to manage
- Less support overhead as your parents and guardians would only need to remember a single username and password
- A potentially more secure system, as third party systems wouldn’t have access to the end-user’s password
Arguably the most important benefit is that third party providers never get access to the end-user’s password. This is a huge benefit as we all know that companies can have their information stolen, which can happen so often that it is rarely reported when it does occur. We also see time and time again that many cloud services don’t hash and salt their passwords in a secure manner. So if your guardians use the same password on a third party service offered by your district as they do for their bank, and the third party service leaks the user’s password, your end-user is exposed to a much higher risk than if that third party didn’t have their password at all.
Web SSO isn’t perfect by any means, but it is worthwhile to implement and may be something you wish to consider when selecting products for your organization, especially as educational institutions implement more and more systems which may have components that require parent access.