Created on 3 June 2015

This document provides a brief overview of how learners’ access to a wide range of online services and resources can be facilitated via a single username and password, also known as Single Sign-On (SSO). This provides a range of educational and administrative benefits, including streamlined access both inside and outside of school to a range of services and content from a range of devices, as well as supporting personalised learning environments and reporting and monitoring functions.


Accessing in-school services and resources

The starting point for implementing SSO is the data held by schools about learners in Management Information Systems (MIS). This is the key operational data about pupils and is therefore maintained and current. This data can be used to generate the Active Directory accounts for learners creating the usernames and passwords they use to log in to the school local area network (LAN). Each user has a unique identity which they use to access network services and resources within the school (for example, their own files and folders), with differentiated levels of access as appropriate (for example, by year group). These identities can also be used by staff to track user activity and behaviours if network monitoring tools are in place, in accordance with e-safety and e-security policies. They can also be used to report on performance and attainment, for example by reporting on different users’ progress through, and success in, completing particular tasks or activities.


Accessing services beyond school

The username and password used to provide access to school LANs can also be used to access services and facilities provided by the school’s Internet Service Provider (ISP). For example, user accounts can be used to support age related web filtering, where access is differentiated between users of different ages to minimise the risk of viewing inappropriate content. The same username and password can also be used to provide access to cloud-based services such as hosted virtual learning environments (VLEs) and productivity tools such as Microsoft Office365 or Google Apps for Education, as well as providing a means to facilitate secure remote access to school hosted services.

All of these services, whether provided in school or via the school’s ISP, can be provisioned using the learner data held and maintained in the school MIS.


Single sign-on and federated access management

Looking to the wider context, the same usernames and passwords can also be used to provision access via SSO to a wide and growing range of educational resources via an access federation such as the UK Access Management Federation for Education and Research or the London Grid for Learning (LGfL) Access Management Federation. This overcomes the problem of users having to remember multiple login details with users able to access personalised content from their SSO accounts without having to log in again. The UK Federation is made up of identity providers (IdPs, who manage the identities of individuals within the Federation) and Service Providers (SPs, who provide and maintain the content and services available through the Federation).

The UK Federation has established trust relationships between IdPs and SPs to ensure that the security and privacy of user data is maintained and that protected content can only be accessed by users that are authorised to do so. A wide range of organisations now offer IdP services to schools whether this is through the school’s Local Authority, the Regional Broadband Consortium or Commercial ISP.


SIF – The Systems Interoperability Framework

A key underpinning for SSO in schools is the Systems Interoperability Framework, SIF. SIF is a set of industry developed and supported specifications that enable educational software to work seamlessly together as a single, efficient system. SIF enables data to be shared, maintained and updated across different SIF-certified applications. For example, data held in a school MIS can be used to populate a VLE provided by a school’s service provider, enabling personalised content and reporting from the VLE, including returns to the school’s MIS. Access to content at the basic level through a Federation is anonymous but recognises returning users but personal data can be provided to facilitate personalise content and reporting if both systems are SIF-certified and the transfer of data is authorised by the school. Changes made within the school’s MIS will then automatically carry through to VLE or Service Providers’ systems and regular progress reports made back to the school’s MIS. For example, when learners move to a new year group within the school, the data held within the IdP can be automatically updated to allow access to new online resources as appropriate.


The increasing importance of e-security/cyber security in schools

It is essential that the personal data schools hold is kept safe and secure. Just like any other commercial or public sector institutions, schools are now reliant upon the internet and broadband services for day-to-day operations and activities. These technologies bring a huge range of opportunities and benefits, offering news ways to support teaching and learning and streamlining operational and administrative processes. But they also bring a range of risks if not managed and maintained appropriately: these risks include the loss of sensitive, confidential personal data. To assist schools, the NEN Technical Strategy Group has developed a set of advice on implementing and maintaining e-security: this includes an information sheet and detailed checklists for school senior leaders and network managers. To find out more

To find out more about the single sign on and access management facilities available, schools are encouraged to contact their local authority or regional broadband consortium (RBC).

Further information and contact details are available at:

Schools may re-use this material, providing that The Education Network is acknowledged.

Share This