It is important to make the login experience as simple and as fast as possible for students. This is equally true on Chromebooks as it is on traditional PC’s. There is a balance that is necessary between the desires of the Technology department and the Teacher in the classroom with students. When finding the right balance for your district it is important to consider both sides and understand the challenges that come with compromise.
Not that long ago, most classrooms were only using PC’s. To simplify the login process for students and make classroom management easier for teachers, generic or classroom accounts were used. (I.e. All pc’s in room 205 would login as rm205 or something similar) This practice had its own issues, but was streamlined the classroom experience.
This practice was mostly made obsolete with the onset of Google Apps for Education (now G-Suite) and other online content that needed to be correlated back to an individual student. To simplify the creation and maintenance of student’s accounts in G Suite, Google provides tools like “Google Cloud Directory Sync” to keep Google in sync with your local LDAP directory. This handles adds, changes and deletes and supports Microsoft Active Directory, Micro Focus eDirectory or other LDAP compliant directories. This dramatically reduces the maintenance tasks for the technology staff.
An important element of this process is setting the initial password for a user and maintaining it in a way that is simple and easy for teachers. Google also provide a tool named “G Suite Password Sync”. This tool can automatically synchronize the password from your local directory to Google. This isn’t a Single Sign On solution, but can be a step in the right direction for SSO. It does simplify the process for teachers because it is the same username and password for both systems.
There are caveats to this process that are important to understand. Some of them have serious security ramifications and risks. G Suite Password Sync relies on the fact that when a password is being changed, it is visible in its unencrypted form for a fraction of a second. In this moment, it is captured so that it can be used to synchronize to Google. This means that to sync the passwords, it must be changed. This can be challenging on a large scale if it must be done for the entire student population.
There are alternative solutions that have their own issues. You can use Google Cloud Directory Sync to sync the password on creation. To do this, you have several options, but you must store the password in an attribute of the user object and then tell Google to use that value when it synchronizes to Google. You can store it in clear text, or using SHA1 or MD5 encryption. Storing the password in clear text is simple and easy, but as one local school district learned, can be easily exploited by anyone using a simple LDAP browser tool. Storing the password in an encrypted format is much better. These passwords may still be able to be compromised, but it takes more work, more sophisticated tools and malicious intent to get the same results.
Student Provisioning Services automatically creates all passwords following the districts standard, but calculates the SHA1 password and stores it in an attribute to be used by Google Cloud Directory Sync. This is a more secure solution and this also allows the password to be synchronized on creation. The user doesn’t have to wait until they change their password in the local directory before their Google password works properly. It all happens automatically so nobody must touch the account. It is just ready for the student to login without anyone having to do anything.
These details with password synchronization also cause districts to do things like not allow students to change their password. This is convenient for staff, but makes it easy for other students to figure out other student’s passwords and cause mischief with each other. It is most common to set passwords for elementary students and not require them to change it, or even not allow them to change it. This is ok for this age group, but is generally not recommended for Middle School and High School students. They should be encouraged to change their passwords because this is what the business world will expect of them.
Looking to take the hassle out of Student Provisioning?