Single Sign On Single sign on, more than a single step. Robert Stockton,

1 Single Sign On
Single sign-on: more than a single step.
Robert Stockton, r.stockton@glyndwr.ac.uk

2 Introduction
The initial plan:
- Single sign-on for all our resources
- Remove students having to sign in again to Athens, as they forget and believe some resources are not available
- Allow direct links to material from the VLE
- Single point of contact for resources for staff and students
- Provide a platform for context-aware personalised messages for staff and students

3 Challenges
- No budget for 'high end connect it all together' solutions
- Limited knowledge in house
- Didn't want to break anything on the way!

4 Original Setup
- Services in multiple locations
- Not always obvious what we provide
- Many logon boxes to use, which encourages people to type credentials in anywhere they see a logon box
- Mixture of: LDAP authentication, Athens DA authentication, ADFS, proprietary logons

5 Logins…Logins…Logins…!
Separate logins for: Moodle, Email (ADFS), Student records, Panopto, ClickView, Staff Directory, Student Downloads
Security: we are teaching users to use any box they get presented with.

6 Initial working diagram

7 Outdated original AthensDA setup, which used a WAYF
Flow shown in the diagram:
- Student / staff attempt to access a resource
- Wrexham Glyndwr My Athens portal: authenticated against AD via a classic ASP page hosted at Glyndwr
- Is the user authorised? (OpenAthens)
- If yes, show the resource via the browser to the user; if no, the flow ends there

8 The vision
- Centralise authentication services in one place
- Remove multiple login boxes
- Standardise username presentation: sometimes we have @glyndwr.ac.uk or @mail.glyndwr.ac.uk or just the student ID without e-mail details
- Enter credentials once only
- Improve security; build a platform for two-factor authentication

9 So where next
- We approached ProofID for some guidance and consultancy.
- They advised there was no single solution (without buying an expensive commercial product) which would provide SAML2 and ADFS integration at the time.
- We decided to move forward with SAML2 for Library resources and Moodle so links between the two worked better when providing click-through reading lists etc.
- We implemented SAML2 using ProofID (Salford Software) but had issues and delays, and also needed to move all SPs from the Athens federation to the Shib federation.
- While in the process of talking to Eduserv about moving, Eduserv now promised they had a single solution which married ADFS and SAML2, not on the table when we started with ProofID.

10 So back to Eduserv
- The solution would use ADFS for authentication for the SAML2 process. Killing two birds with one stone.
- Create ADFS linked with OpenAthens SAML2
- Create a user portal with the OpenAthens SP which would be the landing logon for all users

11 Our setup with Athens, ADFS and the Athens SP
Flow shown in the diagram:
- Student / staff attempt to access the portal (Athens SP)
- SAML token exists? No: redirect to our ADFS at https://gufs.glyndwr.ac.uk/adfs/ls/ (trust set up between our ADFS, the OpenAthens Federation and the UK Access Management Federation; attribute release: username). Yes: access the portal site.
- From the portal, attempt to access a resource: access the Glyndwr resource (for example email, OpenAthens etc.) and show the resource

12 Project go-live date
- Project start date: June 2015
- Beta testing completed: August 2015
- Go-live date was for September, 15/16 academic year
- Go live now this summer, ready for 16/17
- Why the delay?

13 Problems – ADFS Personalisation
When logging into a resource via OpenAthens, an ID (5-digit number) is attached to the account. This identifies users in external resources. Initial thought was that this would affect all our resources – thankfully only three resources were affected.
First attempt to go live
- We didn't realise that the legacy OpenAthens ID would be a problem; reversed out the change (quickly)
- Added an attribute into Active Directory with the old ID
- Released this via ADFS
Second attempt to go live
- DawsonEra – worked successfully
- ScienceDirect – worked successfully
- RefWorks – unsuccessful – reversal required
Third attempt to go live
- Looked at options to launch with a dual login (old and new Athens) to get around the RefWorks problem of not allowing two IDs. This was not a runner in the end. Needed to fix the RefWorks issue.

14 RefWorks
- RefWorks has personalisation, i.e. a user account for those that use it. Changing the token ID would orphan accounts.
- Students have left for the summer, so no asking them to archive references during handover.
- This has taken since Nov 2015 to resolve, with constant chasing.
- RefWorks didn't support standard attributes, so we could not seamlessly use the old DA attribute and the new ADFS attribute to keep bookmarks: a 5-digit ID code with DA, now we use the new ID code. Other SPs such as DawsonEra and ScienceDirect worked fine.
- We did not want to lose all student RefWorks details (would not look good).
- RefWorks has given us a list of accounts with name and e-mail address (some are private e-mail, not university). They do not have the actual student ID with the account.
- We had to manually log on to several thousand accounts and export references, ready to import after handover!

15 Delays with the project – Athens SP
- We had to wait for our test environment to be set up (a month; had to move ADFS in their registration space)
- It took some time to work out the flow of traffic to the new MyUni Portal (a month of dev time)
- Configuration issues – not knowing the Athens SP product
- All these did add to the delay of the project

16 Other issues
- We are going to be the first institution to switch over from Athens DA to ADFS authentication (over 40 institutions in the UK are still using DA). Always nice to be the first?
- Eduserv had their own technical issues implementing the test environment

17 So where are we now
myuni.glyndwr.ac.uk: centralised portal without SSO

18 Simplified logon for ADFS users
- Modified ADFS logon script
- Users of ADFS no longer have to type in S123456@mail.glyndwr.ac.uk, or staff staffname@glyndwr.ac.uk. They can just type in S123456 or staffname and their password.
- See TechNet: Advanced Customization of AD FS Sign-in Pages, https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx
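As an added example (not the presentation's own script), this is the kind of onload.js customisation the TechNet article above describes: an AD FS custom web theme can ship its own onload.js, and overriding Login.submitLoginRequest in it lets the page append the UPN suffix before the form posts. The suffix rules here (an S followed by six digits is a student under @mail.glyndwr.ac.uk, anything else is staff under @glyndwr.ac.uk) are assumptions taken from the slide, not the live configuration; Login.submitLoginRequest and Login.userNameInput are the hooks the TechNet sample uses, and the rewrite is kept in a pure function so it can be tested outside a browser.

```javascript
// Added example, not the presentation's own code. Pattern follows the TechNet
// "Advanced Customization of AD FS Sign-in Pages" onload.js sample.
// Assumed suffix rules (from the slide, not the live config):
//   S123456  -> S123456@mail.glyndwr.ac.uk   (student)
//   jsmith   -> jsmith@glyndwr.ac.uk         (staff)
const STUDENT_SUFFIX = 'mail.glyndwr.ac.uk';
const STAFF_SUFFIX = 'glyndwr.ac.uk';
const STUDENT_ID = /^[sS]\d{6}$/; // assumed student ID format, e.g. S123456

// Pure rewrite rule. Values that already carry a UPN suffix ('@') or a
// DOMAIN\user prefix ('\') are returned untouched: appending a suffix to
// those would produce a doubled suffix and a failed logon.
function normalizeUserName(raw) {
  const value = (raw || '').trim();
  if (value === '' || /[@\\]/.test(value)) {
    return value;
  }
  if (STUDENT_ID.test(value)) {
    return value + '@' + STUDENT_SUFFIX;
  }
  return value + '@' + STAFF_SUFFIX;
}

// Browser-only hook. AD FS defines the Login object on the sign-in page;
// outside the browser (e.g. under Node) this block is skipped.
if (typeof Login !== 'undefined') {
  const originalSubmit = Login.submitLoginRequest;
  Login.submitLoginRequest = function () {
    const userName = document.getElementById(Login.userNameInput);
    if (userName) {
      userName.value = normalizeUserName(userName.value);
    }
    // Hand off to the stock submit logic (validation, error display, POST).
    return originalSubmit.apply(this, arguments);
  };
}

if (typeof module !== 'undefined') {
  module.exports = { normalizeUserName };
}
```

The script is deployed as part of a custom theme (TechNet documents this with Set-AdfsWebTheme -AdditionalFileResource pointing at /adfs/portal/script/onload.js). Note what it does and does not do: it is a convenience rewrite in the browser, not an authentication decision; AD FS still validates the full UPN against Active Directory, so a wrong rule only produces a failed logon, never a different identity. The check for an existing '@' or backslash is the part worth keeping, because users who already type a full UPN or DOMAIN\user would otherwise be locked out by the helper meant to make their lives easier.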

19 Have we finished?
No… but we're almost there. SSO planned to all be working by July.

20 What next – the future
- Location-specific headers: Wrexham, London, Staff
- Customised information to all our students and staff
- Multi-Factor Authentication with ADFS to improve security

21 Questions?

