Single-sign-on (SSO) for teachers and students is becoming a must-have feature for online learning platforms. SSO is a great way to get users into your platform quickly and easily, without having to spend the development or support time typically associated with users authenticating through the traditional email and password setup.
There are a variety of different SSO providers that schools will commonly request, and they come with a number of different pitfalls. In this article, however, we'll just focus on one common issue that we see quite often:
When a user authenticates using SSO (e.g. Sign in With Google), the learning platform will try to match their Google email address against an email address that is stored in their database. If a match is found, the platform will then log in the user with the matching account.
So What's the Problem?
This method doesn't sound too crazy - what's the problem? The problem is that you cannot trust the email address provided to you by most learning management systems and school data sources.
What does this mean exactly? Most learning management systems (LMS) and student information systems (SIS) allow administrators, or even users themselves, to set an email address for their account. Very often, this email address remains totally unverified. Your account is now effectively tied to that email address only because you said it was.
When you sign into an online learning platform using your Canvas account (for example), Canvas informs the platform of your email address. This address could be legitimate, or it could have been set by an attacker trying to gain access to another user's account.
What are the Implications?
The implications are quite serious, actually. A malicious user with access to any sort of Canvas, Classlink, Blackboard (etc.) instance could set their email address to be anything. Their own, their friend's, their teacher's, even yours - anything at all. Once they sign into your platform with this LMS account, they'll actually be logged in as the user whose email address they've impersonated.
Depending on how your platform works, this could expose you to any number of security risks, from students modifying their own grades to malicious users gaining school or product-level administrative access.
LTI® Launches Are Also Vulnerable
If you use LTI launch for users to access your product, you may be vulnerable to this type of attack as well. Again, the LMS is only providing you with the email address that it knows for the user. It's not guaranteeing that they actually own this email address.
If you are looking at the provided email address during the LTI launch phase, you are susceptible to this attack. Any user impersonating someone else (by telling the LMS that they have a different email address) will be able to instantly log into their target's account.
SIS Integration Platforms Are Vulnerable Too
SIS integration platforms like Clever, Classlink, and GG4L are also potentially vulnerable to this issue. While you cannot necessarily change data from within these platforms themselves (depends on the platform), they are simply passing through data from the SISs that they are connected to. In a sense, they are trusting the SIS to provide accurate data - which makes them as vulnerable as their weakest SIS link. It is unlikely that most SISs verify users' email addresses, so this is probably an issue that affects all SIS providers.
To sum that up, being able to trust Clever to provide you with a user's email address doesn't guarantee that the email address was accurate in the first place.
Does This Affect Google SSO?
Probably not. Business SSO providers like Google or Microsoft are reliable to a larger extent because they do typically require some sort of email ownership verification. Although we still do not recommend using email matching, it can be much safer if you are only implementing sign on with major email providers.
Why This Issue Is So Prevalent
SSO in education is still an up-and-coming phenomenon. Prior to this wave of user experience innovation, there was only email and password authentication. Developers and product managers can sometimes take it for granted that an email address truly belongs to the person who uses it to sign in.
When you first implement SSO, it's easy to overlook this problem and assume that the LMS or SIS providers are conducting the same security checks. However, this is not the case right now, and it is unlikely to change.
Another fact that developers often overlook is that many LMS platforms can be entirely self-hosted. You can jump over into Canvas' GitHub repository right now and have your very own Canvas instance up-and-running by tomorrow.
Patching This Security Hole
The short answer is: don't rely on email address to match users in your database. Treat email address like a person's first name - just another attribute about the person that you're storing.
What you should look for instead is the user's LMS ID, in conjunction with some identifier that represents the system they're coming from. For example, you might store a user's Canvas ID joined with the ID of the Canvas instance itself.
At Edlink, we address this problem for our partners by providing a UUID for each user account. Clients rely on this ID to authenticate incoming users, instead of looking at the email address. This ID is stable and it does not run the risk of overlapping with a malicious user coming from a different LMS.
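The difference between the two lookups, as an added example (not Edlink's code, and not taken from any LMS SDK). The account store, field names and hostnames are hypothetical, and it assumes `instance_id` comes from the integration registration that validated the launch rather than from a value the user can edit:

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    email: str  # kept as a plain attribute, never used as a lookup key
    identities: set = field(default_factory=set)  # {(instance_id, lms_user_id)}

# Constructed sample data: one teacher linked to the district's Canvas instance.
ACCOUNTS = [Account("Ms. Rivera", "rivera@district.example",
                    {("canvas.district.example", "4021")})]

def match_by_email(launch):
    """The pattern the article warns against: trust the LMS-supplied email."""
    for acct in ACCOUNTS:
        if acct.email.lower() == launch["email"].lower():
            return acct
    return None

def match_by_identity(launch):
    """Match on (source instance, LMS user ID); the email plays no part."""
    key = (launch["instance_id"], launch["lms_user_id"])
    for acct in ACCOUNTS:
        if key in acct.identities:
            return acct
    return None

def resolve(launch):
    """Return the linked account, or create a separate one for a new identity."""
    acct = match_by_identity(launch)
    if acct is None:
        key = (launch["instance_id"], launch["lms_user_id"])
        acct = Account(launch.get("name", "New user"), launch["email"], {key})
        ACCOUNTS.append(acct)
    return acct

# Constructed launches. The second arrives from a self-hosted instance where the
# user typed the teacher's address as their own; it even reuses user ID "4021".
LEGITIMATE = {"instance_id": "canvas.district.example", "lms_user_id": "4021",
              "email": "rivera@district.example"}
SPOOFED = {"instance_id": "canvas.selfhosted.example", "lms_user_id": "4021",
           "email": "rivera@district.example"}

if __name__ == "__main__":
    for label, launch in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        by_email, by_id = match_by_email(launch), match_by_identity(launch)
        print(f"{label}: email match -> {by_email and by_email.name}, "
              f"identity match -> {by_id and by_id.name}")
```

Because the key includes the instance, the identical user ID from the second instance does not collide with the teacher's account; the spoofed launch ends up in its own, separate account.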
We Can Help
If this sounds like something you really don't want to deal with, drop us a line. Solutions to this problem are challenging, especially when schools use so many different SSO providers that have varying levels of reliability.
Connecting to various LMS and SIS providers to help learning platforms integrate is pretty much what we do all day (and we're quite good at it). Want to connect with platforms like G Suite, Microsoft, Canvas, Schoology, Blackboard, Clever, Classlink, and more? Here's where we can help:
- Add SSO functionality to your application
- Sync user or district level roster data
- Create and retrieve assignments in the LMS
- Sync grades back to the LMS gradebook
Thanks for reading!
Learning Tools Interoperability® (LTI®) is a trademark of the IMS Global Learning Consortium, Inc. (www.imsglobal.org)