SAML – SSO with single log out
This fourth and final post in our “Authentication Series” looks at SAML authentication, our SAML 2.0 Moodle plugin and how it supports SSO and single log out (AKA single sign-out). You can access the first three posts on our blog page.
The vast array of authentication solutions
Modern authentication solutions abound on the Internet, with large social media providers such as Facebook, LinkedIn and Twitter offering single sign-on (SSO) services that integrate with third-party sites; this simplifies logging in for their users.
Often regarded as a ‘safe’ option, it is true that delegating login this way is more secure than a proprietary authentication scheme, particularly a badly implemented one. However, many organisations are not in a position to delegate identity provision to organisations they have no control over.
Stay in control of authentication and access management
If you manage the IT infrastructure of your business, it will not sit well to relinquish authentication and access management to a third party. Indeed, you may be bound by regulatory or legislative rules that mean you require more granular control over who has authenticated to your network and which assets they have accessed. You may also, for security reasons, want to maintain tight control over user access management, including having the ability to fully audit and trace access from the point a user authenticates through to every asset they access prior to logging out.
The complexity of modern IT infrastructure, including the integration of external cloud-based services and heterogeneous, multi-operating-system services, demands the strategic implementation of SSO. Is there a solution that supports both user convenience and security? This is where SAML comes in.
SAML authentication for enterprise-level operations
If you want the same level of integration into your enterprise as your core identity and access management solution, so that your users only log in once, irrespective of whether they are accessing their files, a database, a third-party cloud service, or a hosted learning management solution, then SAML provides the best of both worlds.
What makes a SAML authentication approach across the whole of your business so powerful is that third-party authentication services, such as Okta, Sun Identity Manager and Microsoft’s Active Directory Federation Services (ADFS), all interoperate seamlessly. So, for example, you could have external services using Okta as your authenticator, have an MFA solution such as Duo providing an additional level of protection, and have users still authenticate using ADFS while accessing your Moodle LMS… all using just one login!
Historically, SAML has been considered complex and hard to implement, requiring in-depth knowledge of SAML. However, things have changed. Let’s look at an example.
Universities using Moodle LMS
For students logging in to your learning management system (LMS), it is vital that, once authenticated, they can access their learning portfolio and resources without having to go through the pain of re-authenticating to new services. Since your Moodle is probably cloud hosted and uses a different set of credentials from your internal ones, implementing SSO might be considered hard – a complex, technically advanced and time-consuming endeavour.
SAML 2.0 Moodle plugin
The team at Catalyst recognised the challenge and developed a unique SAML 2.0 Moodle plugin that provides a simple SSO deployment, fully integrated with your internal directory service.
The plugin makes it easy for administrators to get the service up and running quickly and allows them to focus efforts on business requirements rather than overcoming technical challenges.
This 3-minute video gives an overview of the SAML 2.0 Moodle plugin.
SSO – more than just single sign-on
For a comprehensive SSO solution, it is not enough to only consider how your users sign on; it is also important to look at what happens when they log out. Single sign-out (also known as single log out) is not talked about as much as SSO, but it matters just as much to cyber security risk.
Without a solution that handles single sign-out, logging out of one service leaves the user’s sessions on the other services active, exposing those sessions to security threats. Attackers can target these open sessions with Cross-Site Request Forgery (CSRF) and session hijacking exploits. This security risk is where single sign-out comes into play: it ensures your users successfully close all their active open sessions (or the sessions SAML 2.0 has opened for them) simultaneously, thus reducing the exploitable attack surface.
The single sign-out capability enables security teams to track and trace sessions being opened and closed across the enterprise, providing visibility of which users were logged in when attacks occurred. Without this knowledge (and confidence in the audit trail) it’s impossible to properly build a timeline of events leading up to a breach, something that a post-breach forensic investigation relies on to identify the cause and, importantly, the patch to fix the security issue that led to the breach.
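The single sign-out exchange described above, as an added example that is not part of the original post or of the Catalyst plugin: a minimal SAML 2.0 LogoutRequest/LogoutResponse round trip in Python, in which the service provider (SP) terminates only the session named by the request and refuses requests from an untrusted issuer. The identity provider entity ID, NameIDs, SessionIndex values and the session store are constructed placeholders.

```python
# Added example: minimal SAML 2.0 single logout (SLO) exchange between an
# identity provider (IdP) and a service provider (SP). All identifiers are
# constructed placeholders; this is not the Moodle plugin's code.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
TRUSTED_IDP = "https://idp.example.org/saml"  # constructed placeholder entity ID

# Constructed SP session store: local session id -> (NameID, SessionIndex).
# Alice has two independent logins; bob has one.
SP_SESSIONS = {
    "sess-a": ("alice@example.org", "_idx-123"),
    "sess-b": ("alice@example.org", "_idx-456"),
    "sess-c": ("bob@example.org", "_idx-789"),
}

def build_logout_request(issuer, name_id, session_index):
    """IdP side: the LogoutRequest sent to every SP the user holds a session with."""
    req = ET.Element(f"{{{NS_P}}}LogoutRequest", ID=f"_{uuid.uuid4().hex}", Version="2.0",
                     IssueInstant=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_A}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(req)

def handle_logout_request(xml_bytes, sessions):
    """SP side: drop only the session matching (NameID, SessionIndex), then answer."""
    req = ET.fromstring(xml_bytes)
    issuer = req.findtext(f"{{{NS_A}}}Issuer")
    name_id = req.findtext(f"{{{NS_A}}}NameID")
    idx = req.findtext(f"{{{NS_P}}}SessionIndex")
    # A real deployment verifies the XML signature before trusting Issuer.
    status = STATUS_OK if issuer == TRUSTED_IDP else STATUS_DENIED
    if status == STATUS_OK:
        for sid in [s for s, (n, i) in sessions.items() if n == name_id and i == idx]:
            del sessions[sid]  # local logout; audit log entry would go here
    resp = ET.Element(f"{{{NS_P}}}LogoutResponse", ID=f"_{uuid.uuid4().hex}",
                      Version="2.0", InResponseTo=req.get("ID"))
    ET.SubElement(ET.SubElement(resp, f"{{{NS_P}}}Status"),
                  f"{{{NS_P}}}StatusCode", Value=status)
    return ET.tostring(resp)

def response_status(xml_bytes):
    """Read the StatusCode the SP returned, as the IdP would when collating results."""
    return ET.fromstring(xml_bytes).find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode").get("Value")
```

In a real deployment the IdP repeats this exchange with every SP recorded for the user, and the SP also validates the signature and destination before acting on the request.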
SAML authentication to support Moodle LMS
Catalyst’s Moodle plugin for SAML 2.0 Authentication includes all associated identity provider integrations to ensure single sign-on and single sign-out occur. The plugin enables the integration between the enterprise identity and access management solution, such as Active Directory, and the Moodle LMS – meaning system administrators can undertake all the typical configuration and management activities they need to do without having to dig into the deeper technical implementation that has historically been seen as too hard.
Explore how Catalyst can help with your SSO capability
Catalyst takes cyber security very seriously: we are ISO 27001 certified. Our core Moodle services include enterprise-grade security integration to ensure your SSO and SAML systems support your security governance, risk management and compliance requirements.
If you want more information on how Catalyst can help with your SSO and MFA capability, we’d love to hear from you.