How does Callysto keep student and teacher data secure?

By Andrew Klaus, Senior Developer for Cybera

To reinforce the security and privacy of Callysto users’ personal information, we have launched a new authentication feature for the platform. Authentication provides users with a simple access experience to Callysto (and the platform on which Callysto is based, Jupyter), while ensuring users’ login credentials and online identities remain uncompromised.

What does authentication mean?

Authentication is the process of verifying the identity of each individual user — in this case, mainly students and teachers. Authentication is important because it protects Callysto’s networks and systems from unauthorized users and potential external threats, while also protecting the private information of each connected institution (i.e. school district), and the personal identity of each individual user (i.e. student).

How does Callysto’s authentication application work?

Signing onto Callysto’s education platform is a quick and easy process for the user. But behind the scenes, these are the steps taking place:

  1. A user visits the Callysto portal and is asked to login.
  2. Callysto generates a Security Assertion Markup Language (SAML) request. A SAML is the process used by the identity provider and the service provider (in this case, Callysto) to exchange authentication and authorization data.
  3. The user is redirected to Callyto’s new authentication source page, where they choose their education institution, or another identity provider (IdP) (such as Google or Microsoft).Authentication Wecome Page copy
  4. The IdP authenticates the user by asking them to enter their credentials (username and password).Authentication Google Sign In_small
  5. After validating, the IdP generates a SAML response.
  6. The user is directed back to Callysto with the SAML response message, indicating that they have been authenticated.
    • This is where the “ID hashing” of the user takes place. Hashing is a method of encrypting — or disguising — a user’s identifier (usually username or email address) for privacy reasons. The identifier becomes unrecognizable, and therefore cannot be traced back to the user’s personal information. However, other formulaic characteristics attached to the encrypted ID (such as email address) can still be used by the service and identity providers to grant them access to the user.
  7. Callysto validates the response message and gives the user permission to access the Callysto platform.
  8. The user enters and begins using the platform.

Besides security what are the other benefits of using an authentication application?

The authentication application also provides users with a single sign-on feature, eliminating the need to remember multiple passwords for multiple applications. The user can login to Callysto through one of their identity providers (such as a Pika-serviced school district, or Google or Microsoft), and through this login access multiple other applications, without having to re-enter their name and password.

How did Cybera develop the authentication piece?

We wanted a way to maintain as little user data as possible, and also ensure that any information we did acquire could not be used to identify — or be traced back to — a specific individual. We built the new Callysto authentication using a similar technology to what we developed for the Pika Federation, but with an emphasis on privacy.

What is unique about Callysto’s version of this application?

Up until now, there has been no multi-authentication feature in Jupyter, meaning it had simply created separate instances for each authorized post-secondary institution. For example, you could only authenticate with Google OR Microsoft accounts on a single installation, but not both. Because Callysto exists on only one instance of Jupyter, this allows the program to authenticate users from multiple organizations, and securely segregate user data depending on which institution they are accessing from.

Would this application be useful to others (i.e. other Jupyter developers)?

Absolutely! Anyone who wants to allow multiple organizational logins to Jupyter can benefit from this authentication software (SimpleSAMLphp). The software also allows for any number of OpenID Connect or SAML Identity Providers to be attached, which makes it very scalable. The Callysto program code for infrastructure and configuration is open source and available through Github.

Leave a Reply