Chasing the Single-Password Dream

To make log-ins simple, some colleges join a group with shared standards, but many others go it alone

Kendrick Brinson for The Chronicle

The U. of Georgia has figured out a way to simplify the password maze without joining a large outside federation, says Shawn P. Ellis, an information-technology official. "It's never been necessary," he says.
May 02, 2010

Professors, staff members, and information-technology officials at all sorts of colleges share one vision of utopia: a campus with single sign-on. It's the idea that a person needs only one user name and password combination, or one set of credentials, to access every digital service an institution provides.

But the reality, most often, is that users must keep track of different sets of credentials for different services. For instance, a professor has easy access to an online journal the college subscribes to, but might need different identifying information to get onto a grading system.

A number of institutions, reaching for that utopia, have joined a nonprofit group called InCommon, founded in 2005. It includes more than 150 higher-education institutions and a lesser number of software companies, database providers, and other organizations.

Joining InCommon gives colleges software with a shared standard that allows a secure single sign-on. When outside companies, like library-database providers, comply with that standard, colleges find it easier to work with them.

For instance, when Lafayette College signed up with e2Campus, an emergency-notification system that sends text messages to cellphones, it did not have to walk the company through a reconfiguration of its software. Both were members of InCommon, so their systems were already compatible.

InCommon works well enough, in fact, to bring up a question: Why aren't thousands of other colleges and universities with the same frustrations using it, and what are they doing instead?

"It takes tens of thousands of dollars to get the hardware and set it up, and it's just not worth it," said Shawn P. Ellis, director of client services and enterprise information-technology services at the University of Georgia.

Shibboleth, the group's underlying software, is free, but colleges must pay a registration fee of $700 and an annual fee of $1,100 to $3,000, based on their Carnegie classifications.

For Georgia, the main cost would be setting up a new server and updating or integrating it with user data. When a server used for single sign-ons goes down, all of the applications accessed through it go down, too. Accordingly, colleges would want servers that were very unlikely to crash. That kind of equipment is expensive, Mr. Ellis said. And even after setting up another server, he noted, the university would have to do additional work on it to meet InCommon's standards.

"Every time we've come up against single-sign-on problems, there's been a cheaper, proprietary solution," he said.

Georgia doesn't have single sign-on, but it does have reduced sign-on—which lets users access some, but not all, services with a single set of credentials—through applications such as uPortal and MyID. Mr. Ellis said that for InCommon to be worth the financial burden to Georgia, there would have to be an application that was shared with another institution and had thousands of users. He said Georgia would be more likely to join in order to share a resource with another institution than to contract on its own with a business.

"It's never been necessary enough to justify the expense," Mr. Ellis said.

Other Options

Other colleges, too, say that for now, joining the group isn't worth the expense. Officials of InCommon, which was set up by the high-speed-networking consortium Internet2, says the cost varies, depending on the state of a campus's identity-management infrastructure and the level of expertise on staff. Still, some colleges say that joining InCommon would divert attention, as well as money, from other projects that they see as higher priorities.

For example, none of the colleges in the Tri-College Consortium—Bryn Mawr, Haverford, and Swarthmore—are members. David P. Schlich, head of systems at Bryn Mawr, said that while he can't speak for Haverford and Swarthmore, he thinks it's likely that the three colleges will use software from Microsoft, called Active Directory, to share certain resources among them. That system gives users access to shared online resources and lets people log onto desktop computers, using Microsoft Windows, on any of the three campuses with credentials from their home institution. (InCommon's software does not allow such remote desktop access.)

Mr. Schlich had always considered the benefit of joining InCommon to be the ability to share certain online resources with other colleges, so he was surprised to learn that other colleges join InCommon for the ease of contracting with vendors.

"We've always thought of it as a way to access applications on other campuses," he said. "I may want to reprioritize, depending on which vendors are involved."

The vendor issue crops up often. Villanova University's Stephen W. Fugale, vice president for technology and chief information officer, said his institution chose a sign-on system made by the company SunGard about two years ago. He said important vendors like Blackboard weren't—and still aren't—part of InCommon, so joining the group would not have made sense for Villanova. Even now, if the university's vendors joined InCommon, Villanova would not, he said, because it is already committed to SunGard and wouldn't have the capacity to switch.

"We don't have the literal bandwidth—financial and human—to play with an inordinate amount of tool sets," Mr. Fugale said. "We wouldn't shift gears at this point."

Villanova's system is called myNova. When students sign on to the myNova Web page, they have access to their grades, e-mail, room assignments, and course schedules. Faculty members can look at vacation time and sick leave.

Critical Mass of Members

The University of Texas joined InCommon last fall, after the National Institutes of Health and the National Science Foundation became members. And the university system maintains its own standardized software set-up for its 15 institutions. Clair W. Goldsmith, senior adviser for information technology, said Texas does so not only as a money-saving measure, but also because the system has certain standards for doing business that are different from InCommon's. Because the university has a fiber-optic network for its campuses and shares other communication lines, its federation lets it share resources—such as supercomputing and an application for reporting the amount of time spent working on research projects—at minimal cost. Texas kept its federation compatible with InCommon in case it chose to join, which it eventually did.

The University of Maryland-Baltimore County decided to join InCommon three years ago, once Microsoft's Dreamspark and Apple's iTunes U did. Jack J. Suess, the university's chief information officer, said that before UMBC joined InCommon, it had to negotiate with every outside service provider about how to integrate its system individually. That effort seemed worthwhile until the partners they were waiting for joined up.

Now, he said, "I don't have to reinvent the wheel with each vendor."

Mr. Suess, who is now vice chair of InCommon's steering committee, explained that as membership to InCommon grows, more institutions and businesses will want to join: "When you get a certain level of people using it, that begets more users."

Microsoft just gave some institutions one more reason to join. Although the company has been a member of InCommon for about three years, it is expanding its software applications that work with Shibboleth. By early next year, its Live@edu services, which many colleges use for e-mail and other programs, will be compatible. (Google Apps for Education, a rival e-mail service, is not available through InCommon.)

InCommon itself is trying to pump up membership by giving institutions more help in joining than before. It just started an affiliate program to connect the businesses that do consulting on Shibboleth with campuses that are interested. Online information and discussion sessions about how to get started with InCommon will be made available. And InCommon will continue to hold workshops, as it has for two years, to train people in installing Shibboleth, so that they can train others in their regions.

John Krienke, chief operating officer of InCommon, said membership has roughly doubled every year since InCommon began.

"If I can continue to work legal agreements as fast as I can," he said, "there's no reason we can't double again next year."