Single Sign On Single sign on, more than a single step. Robert Stockton,


Introduction
The initial plan:
- Single sign-on for all our resources
- Remove the need for students to sign in again to Athens, as they forget and believe some resources are not available
- Allow direct links to material from the VLE
- Single point of contact for resources for staff and students
- Provide a platform for context-aware personalised messages for staff and students

Challenges
- No budget for ‘high end connect it all together solutions’
- Limited knowledge in house
- Didn’t want to break anything on the way!

Original Setup
- Services in multiple locations
- Not always obvious what we provide
- Many logon boxes to use, which encourages people to type credentials in anywhere they see a logon box
- Mixture of:
  - LDAP authentication
  - Athens DA authentication
  - ADFS
  - Proprietary logons

Logins…Logins…Logins…!
- Moodle (ADFS)
- Student records
- Panopto
- ClickView
- Staff Directory
- Student Downloads
Security: we are teaching users to use any box they get presented with.

Initial working diagram

Outdated original AthensDA Setup, which used a WAYF
[Flow diagram; elements as labelled on the slide]
- Student / Staff
- Attempt to access resource
- Wrexham Glyndwr My Athens Portal
- Is the user authorised? (OpenAthens): Yes / No
- Show resource via browser to the user
- Authenticated against AD via a classic ASP page hosted at Glyndwr

The vision
- Centralise authentication services in one place
- Remove multiple login boxes
- Standardise username presentation: sometimes we or just student ID without details
- Enter credentials once only
- Improve security, build a platform for 2 Factor Auth

So where next
- We approached ProofID for some guidance and consultancy.
- They advised that there was no single solution (without buying an expensive commercial product) which would provide SAML2 and ADFS integration at the time.
- We decided to move forward with SAML2 for Library resources and Moodle, so links between the two worked better when providing click-through reading lists etc.
- We implemented SAML2 using ProofID (Salford software) but had issues and delays, and also needed to move all SPs from the Athens federation to the Shib federation.
- In the process of talking to Eduserv about moving.
- Eduserv now promised they had a single solution which married ADFS and SAML2, not on the table when we started with ProofID.

So back to Eduserv
- The solution would use ADFS for authentication for the SAML2 process, killing two birds with one stone.
- Create ADFS linked with OpenAthens SAML2
- Create a user portal with OpenAthens SP which would be the landing logon for all users

Our setup with Athens and ADFS and Athens SP
[Flow diagram; elements as labelled on the slide]
- Student / Staff
- ADFS
- Trust setup between our ADFS and the OpenAthens Federation and UK Access Management Federation
- Attribute release
- Username
- Attempt to access a resource
- SAML token exists? No / Yes
- Access Glyndwr resource, example OpenAthens etc
- Show resource
- Access Portal site, Athens SP
- Attempt to access Portal

Project go live date
- Project start date: June 2015
- Beta testing completed: August 2015
- Go live date was for Sept 15/16 academic year
- Go live now this summer, ready for 16/17
- Why the delay?

Problems – ADFS Personalisation
- When logging into a resource via OpenAthens, an ID (5 digit number) is attached to the account. This identifies users in external resources.
- Initial thought was that this would affect all our resources – thankfully only three resources were affected.

First attempt to go live
- We didn’t realise that the legacy OpenAthens ID would be a problem
- Reversed out change (quickly)
- Added an attribute into Active Directory with the old ID
- Released this via ADFS

Second attempt to go live
- DawsonEra – worked successfully
- ScienceDirect – worked successfully
- Refworks – unsuccessful – reversal required

Third attempt to go live
- Looked at options: launch with a dual login (old and new Athens) to get around the Refworks problem of not allowing two IDs. This was not a runner in the end.
- Needed to fix Refworks issue.

Refworks
- Refworks has personalization, i.e. a user account for those that use it.
- Changing token ID would orphan accounts.
- Students have left for the summer, so no asking them to archive references during handover.
- This has taken since Nov 2015 to resolve, with constant chasing.
- Refworks didn’t support standard attributes, so we could not seamlessly use the old DA attribute and the new ADFS attribute to keep bookmarks.
- 5 digit ID code with DA; now we use a new ID code.
- Other SPs such as DawsonEra and ScienceDirect worked fine.
- We do not want to lose all student Refworks details (would not look good).
- Refworks has given us a list of accounts with name and address (some are private, not university). They have no actual student ID with the account.
- We had to manually log on to several thousand accounts and export references ready to import after handover!

Delays with the project – Athens SP
- We had to wait for our test environment to be set up (month, had to move ADFS in their registration space)
- It took some time to work out the flow of traffic to the new MyUni Portal (dev time month)
- Configuration issues – not knowing the Athens SP product
- All these added to the delay of the project

Other issues
- We are going to be the first institute to switch over from Athens DA to ADFS authentication (over 40 institutions in the UK still using DA)
- Always nice to be the first?
- Eduserv had their own technical issues implementing the test environment

So where are we now
- myuni.glyndwr.ac.uk
- Centralised Portal without SSO

Simplified logon for ADFS users
- Modified ADFS logon script
- Users of ADFS no longer have to type in or staff with
- They can just type in S or staffname and password.
- See Technet: Advanced Customization of AD FS Sign-in Pages
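
An added example (not from the presentation, and not the university's script) of the username normalisation a sign-in page customisation of this kind performs, so that a bare student ID or staff name is qualified before AD FS validates it. The two suffixes and the student-ID pattern are placeholders, and the Login.submitLoginRequest / Login.userNameInput hook names are assumed to match the AD FS sign-in page in use.

```javascript
// Added example; not the university's script. Suffixes and the ID pattern
// below are placeholders (assumptions), not values from the presentation.
const STUDENT_SUFFIX = "@students.example.ac.uk"; // assumed placeholder
const STAFF_SUFFIX = "@example.ac.uk";            // assumed placeholder
const STUDENT_ID = /^s\d+$/i;                     // assumed: "S" followed by digits
const BARE_NAME = /^[a-z0-9._-]{1,64}$/i;         // characters accepted in an unqualified name

// Turn what the user typed into a fully qualified logon name.
// Returns { ok: true, value } or { ok: false, reason }.
function normaliseUsername(raw) {
  const name = String(raw ?? "").trim();
  if (name === "") return { ok: false, reason: "empty" };
  // Already qualified (user@domain or DOMAIN\user): leave untouched so
  // accounts from other trusted domains keep working.
  if (name.includes("@") || name.includes("\\")) return { ok: true, value: name };
  // Reject anything that is not a plain account name rather than guessing.
  if (!BARE_NAME.test(name)) return { ok: false, reason: "invalid characters" };
  const suffix = STUDENT_ID.test(name) ? STUDENT_SUFFIX : STAFF_SUFFIX;
  return { ok: true, value: name + suffix };
}

// Browser wiring, meant for the sign-in page's onload.js. Assumption: the page
// exposes Login.submitLoginRequest and Login.userNameInput. This is a
// convenience only; AD FS still authenticates the submitted name server-side.
if (typeof Login !== "undefined" && typeof document !== "undefined") {
  const originalSubmit = Login.submitLoginRequest;
  Login.submitLoginRequest = function () {
    const field = document.getElementById(Login.userNameInput);
    const result = normaliseUsername(field ? field.value : "");
    if (field && result.ok) field.value = result.value;
    // The page's own validation and error display still run afterwards.
    return originalSubmit.apply(this, arguments);
  };
}
```

Because the rewrite happens in the browser, it changes only what is submitted; lockout, auditing and any later multi-factor step still see the fully qualified name.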

Have we finished?
- No… But we’re almost there
- SSO planned to all be working by July

What next - The future
- Location specific headers:
  - Wrexham
  - London
  - Staff
- Customised information to all our students and staff
- Multi-Factor Authentication with ADFS to improve security

Questions ?