Single Sign-On

Refer to this Wikipedia article for background information about Single Sign-On.

Shift iQ supports three industry-standard mechanisms for SSO:

1. Azure (Office 365)

2. Google

3. Learning Tools Interoperability (LTI)

We do not implement or support custom SSO mechanisms due to the potential security and privacy risks associated with them.

Learning Tools Interoperability (LTI)

Here are some additional details for using LTI for SSI with the Shift iQ platform.

While LTI is not primarily designed as a SSO mechanism, some of the data it passes in a launch request is about the user. LTI works on the basis of a trust relationship between systems, which is established by means of a key and a secret. This makes it much simpler than providing access to a common identity server.

In LTI, a user is authenticated by a primary system and then can be passed to another system (internal or external) by way of a signed launch message. The system that receives this message verifies its authenticity by inspecting its digital signature, and then implicitly trusting the data it carries; thereby eliminating the need to authenticate the user a second time or reconfirm the user’s identity.

This approach makes LTI a low-cost option for implementing SSO between systems.

Refer to this article for details: LTI as a SSO Mechanism

An LTI launch message submitted for SSO access to Shift iQ looks something like this:

The LTI Launch message is signed with a secure digital signature, using HMAC-SHA1 or HMAC-SHA256, with a secret key that is shared between the two systems.

When Shift iQ receives this message from a user’s web browser, it validates the signature on the message to confirm it is a legitimate interoperability request from an authorized external system.

If request is valid, then Shift iQ authenticates the learner and navigates to the requested course in the Shift iQ Learning Portal.