OERu/Planning/Technology working group/Single Sign On for OERu Services

From WikiEducator

The what and why for SSO

We want to minimise the barriers to OERu collaborators and learners alike. We have a policy of making our OERs available to anyone and everyone without requiring any user accounts: people can access them anonymously if they desire.

Supporting collaboration

We also want to allow people to collaborate and create content. To guard against spam submissions, to be able to give credit where it's due, and to provide continuity of access and identity, we do need to allow participants to register their identity. For instance, it's important if we want an OER author to be able to re-edit her or his work, or a person participating in an online forum to receive an email when his/her post receives a reply.

Consolidating identity

We want to overcome the "password fatigue" that hits many people using web services, who don't want to create yet another account (we do recommend people use a password manager to simplify this and make it much more convenient). Our community participants should have a unified experience when using our technologically disparate services rather than a jarring one. One major aid to that would be to provide a single, consolidated account for authorisation to our read-write services, so that when you're signed into one service, you're signed into all of them (they all accept and recognise your identity).

Single Sign-on technology choice

We are working with SimpleSAMLphp, a widely supported "single sign-on" platform that implements a protocol called "SAML" ("Security Assertion Markup Language"), which can provide secure authentication across a broad array of suitably configured web applications. It also has the potential to delegate authentication/identity management, which means the ability to accept credentials from other institutions and organisations if suitably configured.

We currently have this working at a small scale (proof of concept) between a pair of Drupal 7 websites. One acts as our OERu "Directory" or "Identity Provider": a place where both educators and learners will be able to create and maintain their credentials and authenticate once to use a variety of OERu services. The other is a sample "Service Provider" web service, in this case a prototype of our "Course Resource Bank", which requires that users log in via the Directory rather than through its inbuilt authentication system.
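As an illustration of the Service Provider side of such a pairing, here is a SimpleSAMLphp `config/authsources.php` sketch that binds the site to a single Identity Provider and turns on message signing. It is an added example, not OERu's actual configuration: the source name `oeru-sp`, the `example.org` URLs and the key file names are placeholders.

```php
<?php
// config/authsources.php on the Service Provider site.
// Added example: every URL and file name here is a placeholder.
$config = [
    // Authentication source the Service Provider site logs in through
    // (the name 'oeru-sp' is hypothetical).
    'oeru-sp' => [
        'saml:SP',

        // Identifier this Service Provider presents to the Directory.
        'entityID' => 'https://sp.example.org/saml/metadata',

        // Pin the one trusted Identity Provider (the Directory).
        // If 'idp' is left unset, SimpleSAMLphp shows a discovery page
        // listing every IdP present in its metadata.
        'idp' => 'https://directory.example.org/saml/idp',

        // Key pair (stored under cert/) used to sign outgoing messages.
        'privatekey'  => 'sp.example.org.pem',
        'certificate' => 'sp.example.org.crt',

        // Sign authentication and logout requests sent to the Directory,
        // so it can reject requests that did not come from this site.
        'sign.authnrequest' => true,
        'sign.logout'       => true,

        // Require that assertions received by this SP are signed
        // (the default is false).
        'WantAssertionsSigned' => true,
    ],
];

// The Directory's signing certificate is trusted separately, through its
// entry in metadata/saml20-idp-remote.php on this Service Provider.
```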

In the near future, we are working to expand the reach of the Directory to include sample WordPress sites, and some of our other services including (eventually) our Community and Forum websites, our Chat service, this Wikieducator.org site, and others.

More on this can be found at Single Sign-On Task for MVP

Services to be aggregated

The OERu technologies we're hoping to consolidate will include:

Diagram of the OERu Single Sign-On architecture