Learning Management Systems (LMS) such as Moodle provide students with an interactive virtual learning environment adapted to their needs. Numerous features are often included by default, such as course registration, course material sharing, or direct interaction with students. However, other learning features may be added to the LMS as third-party agents. TeSLA will be one such agent, integrated into existing LMSs in order to give students the possibility to take assessments online. To do so, the student identity managed by the LMS must be seamlessly and securely linked to the identity in use in the context of third-party agents.
A single student may have several digital identities. The first one is provided by the university itself, where the student is registered with his first and last names, date of birth, and photograph. When the user accesses the online university services, a direct mapping is performed between his login and his personal data. However, when the learning services do not belong to the university, the student may have to use other digital identities in order to authenticate to these services. Since these identities all refer to the same student, they cannot be treated as unrelated.
Several solutions exist to reduce the need for multiple credentials and to refer to only one identity. The first consists of adding third-party services as plug-ins to the LMS and forwarding the necessary personal data to the services, based on the identity in use in the LMS. This is made possible by the Learning Tools Interoperability (LTI) standard. A trust relationship is established between the LMS and the third party through a shared secret, which secures the exchanges by signing each launch request according to the OAuth 1.0 standard.
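The following is an added example, not code from the TeSLA project or the original post, showing how an LTI 1.x launch is protected with a shared secret under OAuth 1.0a: the LMS (tool consumer) signs the launch parameters with HMAC-SHA1 over the OAuth signature base string, and the tool provider (here standing in for TeSLA) recomputes the signature and additionally enforces a timestamp window and nonce uniqueness so that a captured launch cannot be replayed. The consumer key, shared secret, URL and resource identifiers are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed credentials for this example (not TeSLA's or any real LMS's).
CONSUMER_KEY = "moodle-example"
SHARED_SECRET = "example-shared-secret"
LAUNCH_URL = "https://tesla.example/lti/launch"


def _enc(value):
    """OAuth percent-encoding (RFC 3986 unreserved characters left as-is)."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """METHOD&enc(url)&enc(sorted, encoded params); oauth_signature is excluded."""
    items = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with secret&token_secret (empty for LTI)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_launch(url, user_id, consumer_key, consumer_secret, nonce=None, timestamp=None):
    """Tool-consumer side: assemble a basic LTI launch and sign it."""
    params = {
        "lti_message_type": "basic-lti-launch-request",
        "lti_version": "LTI-1p0",
        "resource_link_id": "assessment-42",      # constructed resource id
        "user_id": user_id,                       # opaque LMS user id, not the name
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", url, params, consumer_secret)
    return params


class LaunchVerifier:
    """Tool-provider side: check key, timestamp window, nonce freshness and signature."""

    def __init__(self, secrets_by_key, max_skew_seconds=300):
        self.secrets_by_key = secrets_by_key
        self.max_skew = max_skew_seconds
        self.seen_nonces = set()   # in production: a store with expiry, shared across workers

    def verify(self, method, url, params, now=None):
        now = now if now is not None else int(time.time())
        secret = self.secrets_by_key.get(params.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer key"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        nonce_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return False, "nonce replayed"
        expected = sign(method, url, params, secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce_key)
        return True, "ok"


if __name__ == "__main__":
    launch = build_launch(LAUNCH_URL, "student-17", CONSUMER_KEY, SHARED_SECRET)
    verifier = LaunchVerifier({CONSUMER_KEY: SHARED_SECRET})
    print(verifier.verify("POST", LAUNCH_URL, launch))   # accepted once
    print(verifier.verify("POST", LAUNCH_URL, launch))   # rejected as a replay
```

Because the signature covers every launch parameter, a proxy that changes `user_id` or `resource_link_id` in transit invalidates it; the nonce and timestamp checks are what stop an unmodified launch from being submitted twice, which the signature alone does not prevent.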
The second solution, suited to third-party services built independently from the LMS, consists of relying on identity federation, as implemented in standards and frameworks such as OpenID, SAML, or Shibboleth. Identity federation delegates authentication to an identity provider. A user who wishes to access a service provider is redirected to the identity provider for authentication, where a token is generated to certify that authentication succeeded. This token is then transmitted to the service provider, which allows the user to be regarded as authenticated. If TeSLA is built as a standalone server, authentication can be managed with identity federation, with the university acting as the identity provider.
While the above standards provide the technological basis to link the student's identity with the TeSLA agent, specific attention should be paid to privacy issues. The personal data associated with one's identity must be carefully managed during the association between the involved entities, in order to avoid the dissemination of private information. The TeSLA agent, for example, does not need to know everything about the student, such as date of birth or passport number. In order to make it possible for the student to take assessments without displaying his/her name, the information transmitted to TeSLA must be reduced to the minimum necessary.
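The following added example (not code from the TeSLA project or the original post) ties the two preceding paragraphs together: a university identity provider issues a signed assertion to a service provider such as a TeSLA server, and the assertion carries only a pairwise pseudonymous subject identifier plus the attributes a per-service release policy allows, so the service never sees the name, date of birth or passport number held in the university directory. The directory record, release policy, keys and entity identifiers are constructed for the example, and the signature is a simplified HMAC over a JSON payload with a key shared between the two parties rather than the XML signature a SAML deployment would use.

```python
import base64
import hashlib
import hmac
import json
import time

IDP_ID = "idp.university.example"   # constructed identity-provider entity id

# Constructed directory record held only by the university IdP (example data).
UNIVERSITY_DIRECTORY = {
    "alice": {"first_name": "Alice", "last_name": "Example", "date_of_birth": "1999-01-01",
              "passport_number": "X1234567", "affiliation": "student"},
}
# Per-service attribute release policy: only these attributes leave the IdP.
RELEASE_POLICY = {"tesla.example": ["affiliation"], "library.example": ["affiliation"]}
# Secret used only to derive pseudonyms; it never leaves the IdP.
PSEUDONYM_KEY = b"idp-private-pseudonym-key"
# Keys shared between the IdP and each service provider (simplification of a signing key pair).
SP_SHARED_KEYS = {"tesla.example": b"idp-tesla-shared-key", "library.example": b"idp-library-shared-key"}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_id(login, sp_id):
    """Stable per-service pseudonym: the same student gets different ids at different services."""
    mac = hmac.new(PSEUDONYM_KEY, f"{sp_id}\x00{login}".encode(), hashlib.sha256).digest()
    return _b64(mac[:16])


def issue_assertion(login, sp_id, now=None):
    """IdP side: mint a short-lived assertion restricted to one audience and minimal attributes."""
    now = now if now is not None else int(time.time())
    record = UNIVERSITY_DIRECTORY[login]
    claims = {
        "iss": IDP_ID,
        "aud": sp_id,
        "sub": pairwise_id(login, sp_id),
        "iat": now,
        "exp": now + 300,
        "attrs": {name: record[name] for name in RELEASE_POLICY.get(sp_id, [])},
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SP_SHARED_KEYS[sp_id], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_assertion(token, sp_id, shared_key, now=None):
    """SP side: accept only an untampered, unexpired assertion addressed to this service."""
    now = now if now is not None else int(time.time())
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(shared_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if claims.get("iss") != IDP_ID or claims.get("aud") != sp_id:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims


if __name__ == "__main__":
    token = issue_assertion("alice", "tesla.example")
    claims = verify_assertion(token, "tesla.example", SP_SHARED_KEYS["tesla.example"])
    print(claims)   # subject is a pseudonym; attrs contain only the affiliation
```

Checking the audience is what keeps an assertion issued for the library from being presented to TeSLA, and deriving the subject identifier per service is what keeps the two services from correlating the same student between themselves even though the university can still resolve either pseudonym back to the real record.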
Integrating a relevant and secure identity management framework for TeSLA is one of the technical challenges that arise at an early stage of the development process, so that the architecture is designed to be robust and security issues are addressed beforehand.
Christophe Kiennert, IMT and TeSLA project contributor
FUNDED BY THE EUROPEAN UNION
TeSLA is coordinated by Universitat Oberta de Catalunya (UOC) and funded by the European Commission’s Horizon 2020 ICT Programme. This website reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.