Single Sign-On Expands GIS across the District

This is a story of “All for one, and one for all.” It has at least one hero with a vision; a digital dragon of unknown size to be handled; and, after a bit of suspense, a happy ending for all.

Just like higher education, schools and districts have learned that standardizing and centralizing access to networks and online services through single sign-on (SSO) makes life richer, more convenient, more equitable, more secure, and much more efficient. Teachers who pioneered the use of ArcGIS Online for organizations (orgs) got used to creating individual logins and passwords and handling a number of students (and teachers) needing resets. But as SSO expands generally across K–12 instruction, it is gaining big fans among GIS users.

In his first year of using ArcGIS Online, Matt Winbigler was technology coordinator for Cloquet Middle School in Minnesota. He set up individual logins for a few hundred students and teachers, worked through the steps, and was impressed with the students’ work. The next year, he expanded to 1,000 accounts. In his third year, Matt shifted back to teaching but still handled the logins. He loved teaching with ArcGIS Online, and he put up with the extra time spent managing these logins and the irritation they generated. But in fall 2018, after having worked with the school technician to integrate ArcGIS Online with Google for SSO, he sent the following email: “Drum roll . . . The integration is complete, and have tested one student and it worked perfectly! Will hit in bulk next week!” And two weeks later: “Man, I am NEVER going back! SSO saved me one entire instruction day in the first day alone. Each year, I’ve had to spend our first day of ArcGIS Online doing user names, passwords, security questions, profiles, and sign-ins with the kids. This year [with SSO] was two clicks by each kid, and Google made their account, and they were in . . . done!” (Actually, ArcGIS Online made the account, after Google communicated that the student with user name “X” was approved to enter, but the enthusiasm over the result was more important than nailing the technical details happening behind the curtain.)

Bottom line? It is vastly easier to get more students (and thus teachers) signed in to the org so the GIS learning carries on throughout the year and from one year to the next. And it can work as well remotely as in the classroom, on any device through which users can sign in to the school network. With no special login or password to remember and just a basic click sequence to follow, problems getting into the org plummet, which means teachers’ willingness to rely on it rises.

Once in place, districts can serve from one to hundreds of sites with a single license, multiplying the benefits above while reducing the overall management required. With carefully designed naming schemes in a multischool license, students and teachers can retain their same account from one school to the next within the district. Integrating ArcGIS Online with the district SSO does take a bit of technical work, depending on the technology in place, patterns established, and security protocols followed. But so far, we don’t know of a site that was unable to establish the connection.

Teacher Matt Winbigler and helper prepare to show how single sign-on makes things easy.

My teammate Tom Baker and I met online with Matt and his rising seventh-grade daughter Elsa for a demo of their process. Matt was in his classroom, Elsa out in the hall, where her Chromebook picked up the Wi-Fi better.

Matt: Have you ever used ArcGIS Online?

Elsa: Um, n-n-n-o-o.

Matt: And that’s why we want you to demonstrate this.

Matt signed in and showed existing accounts in the org, searching on “winbigler,” and found two: Matt and his first daughter, a rising 9th grader.

Matt: Just last week, the tech team reset the SSO and then set up so this year, all 5th–12th graders could use it. Originally, it had been just 7th and 8th graders who had accounts. Then we added 9th grade last year when I moved to the high school. Then we started getting all these requests for high school students who might be new and were doing special projects, and then the business teacher wanted to do some, and then another science teacher. So this will be the first test of the new SSO configuration. And this is the screen I would show my students . . . five simple steps . . . we would have it in our learning management system, because of the hyperlink, and also on the front board. So, Elsa, now you share your screen, and show us what it looks like as you go through it.

Esri: And, Elsa, if you can’t see those steps because you’re sharing, it says, Go to cloquet.maps.arcgis.com . . . good . . . then it says to Click Sign In . . . and step 3 says, Click Cloquet High School. . . .

Matt: And we’ve got to rename that blue button now.

And by the time Matt finished that two-second sentence, Elsa’s screen showed her account in place.

Animated GIF of the process for a new student signing in with single sign-on.

Esri: And there she is! Oh, . . . and now she’s already tweaking her profile. That’s one of those things that some schools want and some schools do not.

Matt: OK, Elsa, hit the word Map at the top of the screen, and you get to choose which Map Viewer to use, and now you get to click and explore for a few minutes while we talk process.

Matt: So we let students have the choice about identifying themselves, and they use a bunch of SSO apps, so we like to make things easy. Meanwhile, let me show my screen again . . . here you can see what it was a minute ago, just two of us, and now if I just refresh, we have three, with Elsa’s name up at the top. And now we can go into the org’s security settings, and you can see that we let students make some decisions about what information they let people see, but we talk with them about this. It fits within the rules our school has set up.

Esri: How do you handle teacher accounts?

Matt: I create a manual account for them, and they control their password and account. Occasionally I have to go in and do a password reset for them, but that’s uncommon.

Esri: So how would other teachers describe using ArcGIS Online through the SSO?

Matt: What SSO did was immediately break down barriers that would turn people off using ArcGIS Online. One thing that is a huge inhibitor for people is having to create user names and passwords. When the teacher has to be the gatekeeper and the troubleshooter, that just stops people. But now with SSO, instead of a daylong training about how to create accounts for your class, it’s a 60-second conversation. And now that Elsa has signed in, and this would be true for everyone else, too, if that’s their Chromebook—now that she’s signed in, it’s going to remember her and just be that much faster.

Esri: Have you tried using a mobile device? And would student mobile devices be able to sign on?

Matt: Absolutely. We do data collection activities. The one possible extra step with student devices is if they are already signed in to a personal account or something, their device might want to autofill login info. So if they grab their personal device, they just need to know they may need to sign out first and then sign in with their school account.

Matt: And one more big thing that you guys have handled, which the tech team asked about—they were worried about numbers of logins and if there was a cap. I said we have several thousand logins, and if ever we needed more, for some reason, you would just provide them. So that just did away with another barrier. We have about 800 in the middle school and 800 in the high school, plus all our teachers. We have two elementary schools but haven’t yet encouraged them to sign in but could. And SSO just makes it all so easy. Back when I was teaching and setting up accounts, it just would have taken so much time to do this for everyone. You know, there’s another tool we use that is a great tool, but they just don’t do school logins well. I have to create pages of instructions with screenshots for that software because its initial sign-in workflow has traps that take people down the wrong way, and once they’ve done that, there is no escape without getting tech support. ArcGIS is very straightforward, and SSO just eliminates problems and just lets us teach.

Across the USA (and around the world through Esri distributors), Esri offers to schools and districts a powerful but easy-to-use package of software, at no cost for instructional use. Single sign-on makes it easy for a single school or an entire district (or even a small state) to provide access to all students and all teachers. To make the best use of precious time and facilitate collaboration, districts should look carefully at using a single license for the entire district. “All for one, and one for all” is indeed a noble goal and a worthy motto for many situations, including for boosting instruction, improving efficiency, and promoting equity—all in a single stroke—with ArcGIS Online.

Best Practices with Single Sign-On

Here are some best practices for bringing ArcGIS into schools via SSO:

1. Study these resources for guidance on SSO in schools and links to specific info for different technologies:

2. Teachers who manage an ArcGIS Online org for a school or district must talk with the school or district tech staff and get their help on design and implementation. Integrating with an SSO requires some background knowledge and technical details most teachers lack.

3. Under SSO, new users are always assigned the org’s new member default settings, so plan carefully the default user type, role, licenses, groups, and other settings.

4. New users requiring a configuration different from the default will need to be shifted after entry. Depending on the complexity of the conversion, this can be done either manually or in bulk using the ArcGIS Online built-in tools or third-party tools or with a script. Contact schools@esri.com for assistance on the process.

5. Design user names that follow a standard format but are unique. To maximize student data security, include no personally identifiable information (PII) of students. An example is “ab2398765.<OrgURLprefix>,” where “ab” could be student initials, “23” could be the expected graduation year, “98765” could be the last five digits of the student’s information system number, and “<OrgURLprefix>” is the start of the school or district org web address.

6. An ArcGIS Online org can only integrate with a single identity provider (IdP). If one IdP serves all students and all teachers in a district, the teachers could follow the student process. If teachers are on a separate IdP, they need to be given a manual ArcGIS login/password.

7. User names for teachers could be like “MsLastnameFirstinitial.<OrgURLprefix>” and set up as a traditional ArcGIS login/password style, since even under SSO, most will need a configuration fundamentally different from the new member default.

8. SSO and ArcGIS login/password approaches can coexist harmoniously in a single org. Admins should always have an ArcGIS login/password-style administrator account to ensure access in case of technical issues with an SSO process. Existing orgs that are not SSO based can add SSO, and orgs that are almost exclusively SSO based can add ArcGIS login/password accounts.

9. Except for admins, it is ideal for each user to have only one login. If adding SSO to an org that already has members with ArcGIS login/password-style accounts, preexisting account holders (for example, {UserPat}) who follow SSO directions will receive a new default account. A script process can help an admin shift preexisting content, groups, licenses, and personal settings (user type, role, profile, etc.) from {UserPat’s non-SSO login} to {UserPat’s SSO login} and disable the non-SSO login in preparation for eventual deletion. Contact schools@esri.com for assistance.
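The student user name format in practice 5 can be generated and checked before accounts are provisioned. The sketch below is an added example, not Esri code: the function names, the "exampleorg" prefix, and the roster records are all constructed for illustration. It builds names in the “ab2398765.<OrgURLprefix>” format, reports roster entries that would collide on the same name, and flags existing names that do not follow the format.

```python
import re
from collections import defaultdict

# Format from practice 5: two initials + two-digit graduation year
# + last five digits of the student information system (SIS) number
# + "." + org URL prefix.
STUDENT_RE = re.compile(r"^[a-z]{2}\d{2}\d{5}\.(?P<org>[a-z0-9-]+)$")

def build_username(first, last, grad_year, sis_number, org_prefix):
    """Build one student user name in the article's format."""
    sis = str(sis_number)
    if not sis.isdigit() or len(sis) < 5:
        raise ValueError("SIS number needs at least five digits")
    initials = (first[:1] + last[:1]).lower()
    if len(initials) != 2 or not (initials.isascii() and initials.isalpha()):
        raise ValueError("need one ASCII letter from each name")
    return f"{initials}{grad_year % 100:02d}{sis[-5:]}.{org_prefix.lower()}"

def find_collisions(roster, org_prefix):
    """Map each user name that more than one student would receive to their SIS numbers."""
    seen = defaultdict(list)
    for r in roster:
        name = build_username(r["first"], r["last"], r["grad"], r["sis"], org_prefix)
        seen[name].append(r["sis"])
    return {name: ids for name, ids in seen.items() if len(ids) > 1}

def audit(usernames, org_prefix):
    """Return the user names that do not follow the format for this org."""
    bad = []
    for u in usernames:
        m = STUDENT_RE.match(u)
        if m is None or m["org"] != org_prefix:
            bad.append(u)
    return bad

# Constructed roster: the first two students share initials, graduation
# year, and the last five SIS digits, so the format alone is not unique.
ROSTER = [
    {"first": "Ada", "last": "Berg", "grad": 2031, "sis": "100298765"},
    {"first": "Amir", "last": "Bell", "grad": 2031, "sis": "200298765"},
    {"first": "Cy", "last": "Dunn", "grad": 2030, "sis": "100212345"},
]

if __name__ == "__main__":
    print(find_collisions(ROSTER, "exampleorg"))
    print(audit(["ab2398765.exampleorg", "pat.smith.exampleorg"], "exampleorg"))
```

Any collision reported here has to be resolved in the naming scheme itself before the identity provider sends those names to the org.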

Explore these steps to implement single sign-on.

About the author

Charlie Fitzpatrick is K12 Education manager at Esri. After being a formal student for many years, he taught social studies in grades 7-12 (mostly 8th grade geography) for 15 years. He also started teaching teachers to understand the patterns, relationships, and systems of the world using computers. He joined Esri as education manager in 1992, where he works with students, educators, and influencers across the nation. He and his colleagues work to provide software, instructional resources, and educator support free to every school and club, so learners of all ages can explore and understand the world, analyze information, make good decisions, and solve problems by thinking geographically using GIS.

