SAML – SSO with single log out
This fourth and final post in our “Authentication Series” looks at SAML authentication, our SAML 2.0 Moodle plugin and how it supports SSO and single log out (AKA single sign-out). You can access the first three posts on our blog page.
The vast array of authentication solutions
Modern authentication solutions abound the Internet, with the large social media providers, such as Facebook, LinkedIn and Twitter, offering single sign-on (SSO) services that integrate with third-party sites; this simplifies logging in for their users.
Often regarded as a ‘safe’ option for many, it is true that it is more secure than proprietary authentication, particularly when it has been badly implemented. However, many organisations are not in a position to delegate identity provision to organisations they have no control over.
Stay in control of authentication and access management
If you manage the IT infrastructure of your business, it will not sit well to relinquish authentication and access management to a third-party. Indeed, you may be bound by regulatory or legislative rules that means you require more granular control over who has authenticated to your network and which assets they have accessed. You may also, for security reasons, want to maintain tight control over user access management, including having the ability to fully audit and trace access from the point a user authenticates through to every asset they access prior to logging out.
The complexity of modern IT infrastructure, including the integration of external cloud-based services and heterogeneous multi-operating system services demands the strategic implementation of SSO. Is there a solution that supports both user convenience and security? This is where SAML comes in.
SAML authentication for enterprise-level operations
If you want the same level of integration into your enterprise as your core identity and access management solution, so that your users only log in once, irrespective of whether they are accessing their files, a database, a third-party cloud service, or a hosted learning management solution, then SAML provides the best of both worlds.
What makes a SAML authentication approach across the whole of your business so powerful is that third party authentication services, such as Okta, Sun Identity Manager and Microsoft’s Active Directory Federation Service (ADFS) all interoperate seamlessly. So, for example, you could have external services using Okta as your authenticator, have an MFA solution using something like Duo providing an additional level of protection, have the users still authenticate using ADFS while accessing your Moodle LMS………. all using just one login!
Historically, SAML has been considered complex and hard to implement, requiring in-depth knowledge of SAML. However, things have changed. Let’s look at an example.
Universities using Moodle LMS
For students that are logging in to your learning management system (LMS) it is vital, once authenticated, they can access their learning portfolio and resources without having to go through the pain of re-authenticating to new services. Since your Moodle is probably cloud hosted, using a different set of internal credentials, then implementing SSO might be considered hard – a complex, technically advanced and time-consuming endeavour.
SAML 2.0 Moodle plugin
The team at Catalyst recognised the challenge and developed a unique SAML 2.0 Moodle plugin that provides a simple SSO deployment, fully integrated with your internal directory service.
The plugin makes it easy for administrators to get the service up and running quickly and allows them to focus efforts on business requirements rather than overcoming technical challenges.