Single Sign-on to the IT Academy sites

 

With the large number of disparate benefits in the ITA program, each fulfilled by different suppliers, student and educators (‘users’) have to maintain multiple user accounts and passwords  to access each benefit.  Single sign-on is an attempt to use a single account and password to get access to multiple sites/ resources.

The ITA eLearning benefit has  3 different website resources:

  1. ITA member site  www.microsoftitacademy.com   for IT Academy Administrators
  2. Instructor eLearning site: https://itacademyinstructor.microsoftelearning.com (hosted by Element K)
  3. Student eLearning site  https://itacademy.microsoftelearning.com (hosted by Element K)

 SSO in IT Academy program allows two authentication methods for eLearning access

       a)   Windows Live ID:

    • Windows Live ID is a single sign-on web service that allows users to use a single set of credentials to log into multiple websites [that support this service], by checking the user’s credentials with a Windows Live ID authentication server.
    • WLID implements an identity provider STS in the cloud. The token provided by WLID contains a simple set of claims - a PUID. The structure of this identifier is opaque and an application can use this calue to recognize individual users but cannot derive additional meaning from the identifier's content or structure.
    • For example: a web site accepting WLID has to store a user's name and shipping address along with user's WLID and then look this up later.

     b) Federated Identity

    • Federated IDs (Federated Identity) is another single sign-on technology linking a user’s identity and attributes, stored across multiple different identity management systems.
    • Federation enables the institution’s Identity Providers to establish a trust relationship between existing internal student authentication mechanisms for students and educators with Microsoft Active Directory Federation System [ADFS}, by sharing only the information required to access the IT Academy program sites.

All the other IT Academy benefits such as Safari E-Reference, MSDNAA/DreamSpark, TechNet, MOC, MCT, etc are not claims/assertions-enabled [i.e. not federation-enabled] and will continue to use existing authentication mechanisms of WLID or custom user-accounts

The different federation identity provider STSs that are able to federate with the IT Academy program include:

  1. Microsoft Active Directory Federation System [ADFS] 1.0 and 2.0
  2. CA Site Minder
  3. IBM Tivoli Federated Identity Manager (6.2.0.2 or higher)
  4. PING Federate
  5. RSA Federated Identity Manager
  6. Oracle Identity Federation
  7. Novell Access Manager
  8. Shibboleth

All these systems allows one party holding user accounts to project those identities to another party that hosts resources.

One potential issue with Federation is that standards are rarely comprehensive and each implementation tends to have its own approach. The differing implementations of the standards introduce variability in the way various features work and some may break – rarely is a solution ready out-of-the-box.

For example the ADFS accepts one identity provider in entity description, in metadata.   Also there could be schema mismatch limitations in SAML token format – what attributes and elements should be there.

  • Single Sign-On (SSO) as the ability for customers to use a single set of credentials to access both on-premises and online resources.
  • Federation is a trust relationship between the Identity Providers and Service Providers that allows Identity providers to share previously agreed upon set of user information in a secure manner.
  • A federation provider is an intermediary between a Claims Provider and a Relying party; where in the RP trusts Federation provider.  FP converts the CP's claims into a format that the RP can understand.
  • Identity Providers are organizations that provide user authentication services and share user identity information after successfully authenticating the user.

Once authentication is completed, the authorization needed to access ITA websites is provided by the Educator or Student ‘ITA Access code’.

While this model may require some server investments and deeper architectural decision making, it does allows support for richer single sign on with your corporate credentials, integration with on-premises multi-factor authentication and a configurable password policy.

Please direct any questions via e-mail to Acadsupp@microsoft.com, or phone at 1-800-508-8454 Monday through Friday, 6:30 a.m. to 5:30 p.m. (PST).