Configuration Options: Authentication

Synopsis

In Concourse terminology, authentication refers to the way in which your users’ accounts and access to Concourse are verified. Authentication can occur in your institution’s other systems or within Concourse, and the option you choose, related to your institution’s approach to security and data privacy, determines the user experience in Concourse. Your institution can have a mix of internal and external authentication, external authentication only, or internal authentication only. Continue reading for more information to help you choose the right option for your institution.

Key Terms

  1. Internal Authentication: users’ accounts are verified and granted access by Concourse. User passwords are stored in Concourse.
  2. External Authentication: users’ accounts are verified and granted access by your Learning Management System (LMS) or Single Sign-On (SSO) portal. User passwords are not stored in Concourse.
  3. Integration: the way in which Concourse is connected to your institution’s LMS or SSO.
  4. Auto-create: an optional component included in LMS integration that creates Concourse user accounts, registrations, and courses automatically with data from the LMS.
  5. Middleware: a tool that translates data in your institution’s systems to a format that Concourse can consume. Concourse’s middleware partner is Apidapter.
  6. End users: typically students, instructors, and other syllabus managers. End users typically engage with syllabi individually and do not need large-scale access to system data for management or reporting purposes.
  7. High-level users: typically academic leaders (e.g., deans) and IT staff (e.g., LMS admin) who need access to system and user data.

Important to this Decision

Before making decisions about how your institution uses Concourse, you should consider how stakeholders, systems, timelines, and other factors are impacted. Review the important elements below to be better prepared to make changes to your Concourse configuration or implementation.
Key Players
Prior to making this decision, you should consult your institution’s LMS and SSO admins, as well as any IT staff involved with security policies.
Consideration
If users are externally authenticated, your institution’s LMS and/or SSO verify their accounts and passwords; this means that your institution can enforce password requirements and inactivity logouts, and end users don’t need to create an additional account to access their syllabi. If users are internally authenticated, they navigate to your institution’s Concourse environment directly and enter a username and password created and stored in Concourse. For most institutions, the main consideration is account security and access.
Timing
This decision is typically made during the implementation phase, but user accounts can be changed afterward if your institution’s needs change.
Connected Systems & Locations
External authentication occurs in your institution’s Learning Management System and/or Single Sign-On portal. After these systems authenticate users, data is transferred to a middleware adapter in Apidapter and then Concourse so that users can interact with Concourse appropriately for their permissions. 

Internal authentication occurs exclusively in Concourse.
Method
Externally authenticated user accounts are typically auto-created via LMS integration. The auto-create component is added to the institution’s middleware adapter in Apidapter. It is strongly recommended that Concourse’s technical team be involved in any adjustments to your institution’s middleware adapter.

Externally and internally authenticated user accounts may be created manually by System Administrators or via User Feed (see Construct and Process System Data Feeds and locate User Feeds for instructions). Note that manual account creation only allows the System Admin to create one account at a time. If you wish to create multiple accounts simultaneously, a User Feed must be processed. To create a user account manually:
  1. In the main navigation menu, select Admin > Tools.
  2. On the Tools page, locate Users and select “Manually add one user at a time.”
  3. On the subsequent page, enter the user’s email address and select Add.
  4. In the main navigation menu, select Admin > Users.
  5. Search for the user by their email address.
  6. The new account will appear in search results as “Unknown Name.” Select the link for the account.
  7. On the user account page, select Edit in the Setting block.
  8. On the subsequent page, uncheck Disabled so that the user may access their Concourse account.
  9. Select the appropriate radio button for the type of authentication for the account (external or internal).
  10. Select Save.
Motivation & Impact
Decisions about external versus internal account authentication are largely influenced by your institution’s IT privacy policies and the learning tools you use. If your institution’s IT policies and practices require account and password management at a system level, then externally authenticated accounts are the best option. On the other hand, if your institution does not use a Learning Management System or Single Sign-On portal for managing applications, then internally authenticated accounts might be the better option. Another common practice is to establish most accounts as externally authenticated while a few System Admins and other high-level users have internally authenticated accounts so that they can access the sandbox and production environments without going through the LMS or SSO portal (useful when maintenance downtime occurs).

Configuration Options

The authentication type you choose should be consistent across the user group. In other words, if you determine that end users should be externally authenticated, then all end user accounts should be authenticated in that way; if you determine that System Admins should be internally authenticated, then no System Admins should be externally authenticated. User access and account security can become difficult to support and manage if not all users in a group follow the same entry and data transfer protocols. If the options described below don’t fit your needs, reach out to Client Services for assistance.
  1. Option A: Mix of External and Internal Authentication
  2. Option B: External Authentication
  3. Option C: Internal Authentication
Option A: Mix of External and Internal Authentication
  1. Approach: It is common for institutions to employ external authentication for end users and internal authentication for high-level users. Users who are externally authenticated typically experience Concourse as a smaller portion of the LMS interface (embedded as an iframe). These users select a link in their LMS course shell and land on the specific course’s syllabus in Concourse; here, instructors can edit, and students can view the syllabus. Some institutions create a Concourse gateway course shell in the LMS so that domain users (admins, editors, reporters, and auditors) land on a Concourse dashboard instead of a specific course syllabus; from the Concourse dashboard, these high-level users can search for syllabi to edit, audit, or review. Users who access Concourse via the SSO likewise select a Concourse link and experience Concourse as a smaller portion of the SSO interface. These users land on a Concourse dashboard and are able to search for syllabi to engage with. Internally authenticated users, however, navigate directly to your Concourse site in a web browser. There, they log in and arrive on a dashboard where they can search for syllabi or make use of reporting and system data tools.
  2. Better For: This is the most common authentication option used. Institutions that opt to employ a mix of external and internal authentication have the majority of end users access Concourse through the LMS or SSO, while a select few System Admins are able to access Concourse’s sandbox and/or production environment internally. 
  3. Advantages and Disadvantages: Users with internally authenticated accounts are able to access Concourse even when the LMS/SSO is unavailable, which allows for continuous Concourse access. Meanwhile, externally authenticated accounts are verified by your institution’s systems, meaning they are subject to established security protocols. However, since not all users will access or experience Concourse in the same way, training materials must be differentiated to support both authentication types.
  4. Effort: The time investment for creating both externally and internally authenticated user accounts is minimal. Adding a component to the middleware adapter to automatically create externally authenticated users via LMS access takes moments and typically occurs during integration set-up in the implementation process (but can easily be added later). It is possible to process User Feeds automatically to create accounts of either type (or switch authentication type), which also takes minimal time investment.

Option B: External Authentication
  1. Approach: Users who are externally authenticated typically experience Concourse as a smaller portion of the LMS interface (embedded as an iframe). These users select a link in their LMS course shell and land on the course’s syllabus in Concourse; here, instructors can edit, and students can view the syllabus. Some institutions create a Concourse gateway course shell in the LMS so that domain users (admins, editors, reporters, and auditors) land on a Concourse dashboard instead of a specific course syllabus; from the dashboard, these high-level users can search for syllabi to edit, audit, or review. Users who access Concourse via the SSO likewise select a Concourse link and experience Concourse as a smaller portion of the SSO interface. These users land on a Concourse dashboard and are able to search for syllabi to engage with. 
  2. Better For: This option is used most often by institutions whose security policies require all learning tools be accessed via institutional systems to manage accounts and support the user experience uniformly.
  3. Advantages and Disadvantages: If all users are externally authenticated, then all users access and experience Concourse the same way; as a result, this part of Concourse training is uniform regardless of the user’s role. Likewise, all user accounts are verified by your institution’s systems, meaning they are subject to established security protocols. However, if your LMS or SSO portal experiences an outage, then users are not able to access Concourse directly, even System Admins.
  4. Effort: The time investment for creating externally authenticated accounts is minimal. Adding a component to the middleware adapter to automatically create externally authenticated users via LMS access takes moments and typically occurs during integration set-up in the implementation process (but can easily be added later). User Feeds can be automated to create externally authenticated accounts with minimal time investment.
Option C: Internal Authentication
  1. Approach: Internally authenticated users navigate directly to your Concourse site in a web browser; Concourse presents in a full-screen experience rather than as a smaller window in another site. On the Concourse site, users log in and arrive on a dashboard where they can search for syllabi.
  2. Better For: This option is used most often by institutions that do not use an LMS or SSO; in these cases, end users must be trained extensively on search functionality to find correct syllabi. This option is also used by institutions that use Concourse as a repository for syllabi but do not expect end users to edit or view syllabi in Concourse. 
  3. Advantages and Disadvantages: If all users are internally authenticated, then all users access and experience Concourse the same way; as a result, this part of Concourse training is uniform regardless of the user’s role. Additionally, users with internally authenticated accounts are able to access Concourse even when the LMS/SSO is unavailable, which allows for continuous access. However, internally authenticated account passwords are stored in Concourse; as a result, your institution’s requirements and protocols for password security cannot be enforced, leaving internally authenticated accounts more vulnerable to security risks.
  4. Effort: User Feeds can be automated to create internally authenticated accounts. Using a job scheduler, automated feeds can be processed as frequently as your institution needs without staff intervention.

Post-Decision Changes

Your institution’s needs may change over time and you may need to make changes to your configuration settings. In other words, the configuration decisions you make during the implementation phase might not be as efficient five or ten years afterward. Review the guidance below to better understand the effort involved in changing this particular decision and how it may affect your Concourse system or deployment in the future.
Switching from External to Internal Authentication
  1. Update existing user accounts by processing a User Feed that identifies all existing users as internal (e.g., set the last data field in every row of the feed to 1). If you do not currently have user data compiled in a feed file, a User Report can be generated to collect this data.
  2. Adjust all training materials and instructions to reflect the new access point and user experience. Note that users will need to be trained on search functionality to find correct syllabi since they will no longer land on a specific course syllabus; additional support may be needed to help faculty share their syllabi with students. Socialize this information broadly to minimize help tickets.
  3. Let end users know that Concourse links in previous LMS course shells or the SSO portal will not allow access; users must access Concourse through the new entry point or they will receive an error. If possible, remove or hide Concourse links in previous LMS course shells to reduce confusion and help tickets.
  4. Confer with Concourse staff to determine when and if your middleware adapter can be deprecated.

Switching from Internal to External Authentication
  1. Update existing user accounts by processing a User Feed that identifies all existing users as external (e.g., set the last data field in every row of the feed to 0). If you do not currently have user data compiled in a feed file, a User Report can be generated to collect this data.
  2. Meet with Concourse staff to create an LMS or SSO integration to support the new access point; your LMS/SSO admin must be in attendance for set-up and testing purposes.
  3. Adjust all training materials and instructions to reflect the new access point and user experience. Note that instructors may need instructions on adding Concourse links to their course shells if your instructional support staff will not automate this function. Socialize this information broadly to minimize help tickets.
  4. Let end users know that logging into Concourse directly will now present an error; users must access Concourse through the LMS or SSO.

Related Topics

Before making a decision about external vs. internal authentication, you should be familiar with some related issues and contexts. See the following articles for more information:
  1. You can quickly change user account types by processing a User Feed. For more information, see Construct and Process System Data Feeds.
  2. Learn more about the typical access points for Concourse and how different user types can engage with Concourse.
  3. Learn more about integrating Concourse with your systems. For instructions on integrating Concourse with your LMS, check out our help articles on integrating Concourse with Blackboard, Canvas, D2L/Brightspace, and Moodle. For information about SSO integration, see Single Sign-On (SSO) Support.

Tell Us About Your Experience

Did this article answer your question? If you made a decision like this for your Concourse instance, let us know how it turned out. If we missed something in this article or if you have a question that isn’t addressed in our Knowledge Base, let us know how we can help by reaching out to support@campusconcourse.com.

