CampusNexus Single Sign-On
Application security is a top priority for Campus Management. As part of this, we would like to inform you that CampusNexus is now utilizing Single Sign-On (SSO) across all web apps:
- CampusNexus CRM Web Client
- CampusNexus Student Web Client
- CampusNexus Student Portal
- Forms Builder (Designer & Renderer)
For the user, this greatly enhances the usability of applications, as they no longer have to sign in multiple times to multiple applications. For example, students and staff can now use a single identity to access on-premises applications and cloud services such as CampusNexus Portal, CampusNexus Student, CampusNexus CRM, Power BI and Office 365.
From an IT perspective, you can rest assured that CampusNexus SSO is using modern industry-standard frameworks, security protocols and patterns which we will detail later in this document.
Let’s talk about some of the components, processes and what impact this has on your institution.
The Security Token Service
A key component of SSO is the Security Token Service (or STS). In simple terms, an STS is basically a login page – a service that authenticates a user’s identity and access to an application. Below are some common examples of security token services most of us use every day:
Typically, a single STS is shared by multiple applications. Once a user signs in to an STS, their browser can access any application trusted by that STS without having to sign in again. This, in short, is SSO.
The Login Process
- John, our student, visits a page in your CampusNexus Portal: https://portal.university.edu/degree-progress
- If John is not already logged into the portal or another trusted application, his browser will redirect him to the STS (login page): https://login.university.edu?replyUrl=https://portal.university.edu/degree-progress
Note the replyUrl. This is how the STS knows what application and page to redirect John to after he is authenticated.
- After John enters his credentials, the STS will authenticate John and redirect him back to the portal page. John’s browser session will store his authentication token and allow him to access the CampusNexus Portal as well as any other web applications trusted by the STS.
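Because the replyUrl arrives in the query string, it is supplied by whoever built the link, so an STS should only redirect to applications it already trusts. The sketch below is an added example, not CampusNexus, Azure Active Directory or IdentityServer code; the allow-list, the function names and the crm.university.edu host are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list: origins of the applications this STS trusts (assumed values).
TRUSTED_ORIGINS = {
    ("https", "portal.university.edu", 443),
    ("https", "crm.university.edu", 443),
}

def reply_origin(reply_url):
    """Return (scheme, host, port) for a well-formed absolute https URL, else None."""
    # Backslashes and whitespace are parsed differently by browsers and libraries.
    if any(c in reply_url for c in "\\ \t\r\n"):
        return None
    try:
        parts = urlsplit(reply_url)
        port = parts.port or 443          # .port raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None                        # rejects http, relative and //host forms
    if parts.username is not None or parts.password is not None:
        return None                        # rejects https://trusted-host@other-host/
    return (parts.scheme, parts.hostname.lower(), port)

def is_trusted_reply_url(reply_url):
    """True only when the reply URL's exact origin is on the allow-list."""
    origin = reply_origin(reply_url)
    return origin is not None and origin in TRUSTED_ORIGINS

def post_login_redirect(login_request_url, default="https://portal.university.edu/"):
    """Choose where to send the browser after a successful sign-in."""
    query = parse_qs(urlsplit(login_request_url).query)
    candidates = query.get("replyUrl", [])
    # Exactly one replyUrl is expected; a missing or repeated value falls back.
    if len(candidates) == 1 and is_trusted_reply_url(candidates[0]):
        return candidates[0]
    return default

if __name__ == "__main__":
    # The login URL from the walkthrough above.
    print(post_login_redirect(
        "https://login.university.edu?replyUrl=https://portal.university.edu/degree-progress"))
```

Comparing the parsed origin, rather than checking whether the string starts with a trusted prefix, is what keeps look-alike hosts such as portal.university.edu.example.net off the list.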
What Impact Does This Have?
- The STS can share identities across any applications that support SSO (on-premises or SaaS-based).
- CampusNexus now supports seamless integration with APIs that support OAuth and SSO like Office 365 Tasks, Calendar, Mail, SharePoint Online, Power BI, Dynamics 365, etc.
- In previous versions, the login screen for CampusNexus Portal appeared on a page hosted within Portal. This method is not a best practice for SSO, and the new process of redirection to the login page is described above.
- Multi-campus institutions can still use the same instance of the CampusNexus Portal, each campus with their own URL and branding.
- Multi-campus institutions will have a common URL for the STS, each campus with their own branding.
Additional Technical Details
When hosting in CampusNexus Cloud, Azure Active Directory (AAD) plays the role of the STS. Azure Active Directory Connect integrates your on-premises directories with AAD, allowing you to provide a common identity for your users for on-premises applications, CampusNexus, Office 365, and SaaS applications.
When hosting on-premises, IdentityServer plays the role of the STS. IdentityServer integrates with your directories, allowing you to provide a common identity for your users for on-premises applications, including CampusNexus.