Login Upgrade is Model for Other Cloud Projects
When the web single sign-on (SSO) login process changed campus-wide on March 30, you may have noticed the new login and two-step authentication screens, along with changes to some authentication options.
You probably didn’t know, however, that these changes reflect a complex behind-the-scenes move from homegrown software to a standards-based open source product that is now hosted in the cloud. This move makes login more reliable and serves as a model for future cloud projects.
Creating a stronger single sign-on
The project began about 18 months ago, when University IT (UIT) leaders wanted to move to industry-standard web login software to reduce the risk and cost of maintaining our homegrown software.
They also wanted to make login more resilient by using a cloud provider to ensure that the login software was geodiverse, which limits login disruptions caused by local events. To achieve this, a project team was formed with stakeholders from UIT, the School of Medicine, the Graduate School of Business, and elsewhere.
The team worked to replace our custom WebLogin and WebAuth SSO software with Shibboleth, software that implements the industry-standard SAML (Security Assertion Markup Language) protocol and that most peer institutions now use for SSO.
Then, on March 30, the team moved the entire web SSO login infrastructure to the cloud.
Providing benefits for the Stanford community
The project team included members from two UIT teams: the Emerging Technologies team developed the strategy, architecture, and initial implementation of the SAML SSO, and they worked with the Technical Services team to make the new login deployment production-ready.
UIT will use the processes, tools, and architectural patterns from the login project for other cloud migrations, explained Director of Emerging Technologies and UIT Strategist Bruce Vincent.
“This project used a set of foundational tools and reference architectures for others to leverage,” said Vincent.
The login change also delivers other benefits to the university, noted Technical Services Senior Director Toai Vo.
“The Stanford community moved to industry-standard technology, and we don’t have to maintain a lot of customization,” said Vo. “This means we can adapt and move to new technologies and scale them quickly. And because the system is deployed in the cloud, we have no dependency on the campus if there is an earthquake or other disaster.”
Vincent agrees that the login changes have reduced the university’s risk. He is especially glad that the login change rolled out with minimal disruption to the majority of campus.
“It took a whole lot of planning to make that happen,” Vincent said.