The Single Sign-on (SSO) project is enhancing users’ experience of IT systems by simplifying and streamlining access. It has implemented a desktop SSO solution that uses proven technology (primarily Shibboleth and Kerberos) to provide a robust platform for access to enterprise systems.
The project has:
- Implemented a production-strength, high-availability SSO capability;
- Implemented SSO for the University’s core, high-usage applications; and
- Provided capability to expand to additional systems as demand arises or as new applications are implemented.
Desktop SSO is only achieved through an ITS-managed computer (PC or Mac), on the ITS core domain (UDS) and on the ANU network. Browser session SSO is presented in all other situations through the Shibboleth ANU Federation login page. An example of this page can be seen above. SSO only occurs for the duration of that browser session once logged in. It is terminated after the browser is closed or after 60 minutes of inactivity.
SSO went live in July 2018 for the following systems: HORUS, ANU Insight, Career Hub, Echo 360 ALP, Idea Elan, My eQuals, MSL (ANUSA and PARSA membership and elections), Zoom, ANU Recruit, Concur, eForms (Intelledox), ServiceNow, ISIS and Figtree. The next system to be brought on board will be: Pulse.
There are four consent options available:
- ‘Ask me again next login’ - The user will be asked to consent again at their next browser session (when a new browser is opened or after 60 minutes if the browser is left open).
- ‘Ask me if information to be provided to this service changes’ - The user will only be prompted to consent again if a new personal attribute is to be provided to the service, i.e. the user preferred name, title etc. This is the recommended option.
- ‘Do not ask me again’ - The user is giving consent to provide their information to any Shibboleth system. This includes AAF and eduGAIN services that the ANU is federated with. If this option is selected the consent screen will not appear again for any system.
- ‘Reject’ - The user will not be granted access to the system.
Further information can be found in the reference documents.
Frequently asked questions
Q: Why is the University introducing SSO?
A: A number of benefits arise from the use of SSO, including:
- Increased user productivity from reducing the time taken to log in to discrete University systems;
- Improved user experience through streamlined, automated login; and
- Improved security as user credentials are stored securely and provided via the central SSO service.
Q: Which browsers are supported for SSO?
A: SSO supports Chrome, Firefox and Safari within and outside of the University. Internet Explorer is only supported within ANU.
Q: Which applications will use SSO?
A: SSO went live in July 2018 for the following existing systems: HORUS, ANU Insight, Career Hub, Echo 360 ALP, Idea Elan, My eQuals, MSL (ANUSA and PARSA membership and elections), Zoom, ANU Recruit, Concur, eForms (Intelledox), ServiceNow, ISIS and Figtree. Other applications will be enabled to use SSO over time. The next system to be brought on board will be: Pulse.
Q: Which applications will use SSO in the future?
A: The following systems have been identified for use with SSO by the end of 2018: e-Forms (Intelledox), Adobe Creative Cloud, ANU Recruit, Concur, ServiceNow, Figtree, ISIS, Pulse and Moodle.
Q: What is the consent page for?
A: The consent page allows you to specify how you want your log-in information shared with the system you are accessing. You will see the consent page the first time you log in to a new SSO-enabled system.
Q: What do I need to be aware of with SSO and how can I keep my information secure?
A: Recommended IT security practices are important to prevent unauthorised access. Security risks can be mitigated by:
- never sharing your password;
- changing your password regularly;
- locking your computer when unattended; and
- logging off when you are finished.
Q: Will the privacy of my information be protected?
Q: What if I use more than one account to log in?
A: The account used to sign in to SSO should be the same as the account used to sign in to the computer. If you need to access an SSO application using a different account, you will need to sign out of your computer and sign in again using the alternate account.
Q: What happens if I try to access systems that use SSO from outside the University?
A: When using a browser to log in to an SSO-enabled system outside of the University environment, you will access SSO systems through the ANU Federation Login page. Once you have entered your credentials, SSO will allow seamless connection to all SSO-enabled systems for the duration of your browser session, or until the session times out after 60 minutes.
Q: Who can I contact if I have a problem?
A: If you encounter difficulties, please contact the Service Desk by going to servicedesk.anu.edu.au or emailing firstname.lastname@example.org.