Authentication Integration Choices

A common question for new VoiceThread schools, districts, colleges and universities is “How should we do authentication integration”? There are often many options, with their own pluses and minuses.

Let’s start with the easy decision: If you have Shibboleth in production, particularly if you already are federated with inCommon, you should do Shibboleth SSO. It’s a tool built for the purpose, and it offers a very secure platform with a great deal of flexibility. Even if you only have a subscription for part of your organization, Shibboleth is an option as long as membership in that part of your organization is visible as a Shibboleth attribute.

If you do not have Shibboleth, then the question becomes more complex. If you have Moodle and all users have access, Moodle SSO can be a good route, particularly if you want to drive more students and and teachers to use Moodle. For Moodle, the scope of the Moodle instance (school-wide, district-wide, etc) must match the VoiceThread subscription. If Moodle usage isn’t universal and is unlikely to become universal, LDAP (Active Directory, eDirectory, OpenDirectory, rfc2307, etc) is also a good option. Like Moodle and Shibboleth, we support LDAP over a secure transport (SSL), and have a great deal of flexibility on attribute mappings. For LDAP, we can restrict access based on groups or OUs, for subscriptions that don’t encompass the entire organization.

VoiceThread also has a built-in internal authentication system, which you can manage by uploading CSV files containing user data. For many smaller organizations, or organizations without any one central authentication system, this can be an excellent option.

Finally, we have an external authentication system where you can write your own Single-Sign-On tool. This is cross platform (sample code is all in PHP), and provides an option for schools with unusual / non-standard systems that don’t want to do CSV uploads.