This section deals with issues relating to user and device authentication to the network and to network/online resources. It is a section in its own right because these issues cut across devices, cloud, and network infrastructure.
Some of the assumptions around authentication include:
- Schools provide and manage student identity data (we source these from the SMS/directory services)
- Schools provide and manage staff identity data (it's not clear whether these are managed manually or automated)
- We do not manage any other identities (parents/whanau, community, etc.)
- We avoid unnecessary identity replication, i.e. we shadow identity data into Google Apps, but nowhere else
- We shadow only the elements of identity required for operational purposes, rather than a "complete" student or staff identity
- We aim to synchronise identity in Google Apps with the source system (SMS or another) close to real-time whenever practical
- We use existing user credentials (so no new passwords)
- We aim to synchronise passwords with the source systems (SMS or directory services) close to real-time when practical
- At the primary level, teachers manage all student passwords and password resets
- At the secondary level, students have the ability to update their own passwords (in the source system)
Infrastructure and admin requirements
- We wish to eliminate school and cluster-level infrastructure requirements
- We wish to reduce or eliminate any administrative overhead associated with authentication
- The identity information is cached through Google Apps, i.e. we rely on synchronisation of identity data into Google Apps, and authenticate using Google's credential store.