"OneLogin is a great product. We're very happy with it. The integration with SAML-enabled applications is, in my experience, flawless."
Because students move all the time, leaving classes and entering new classes while substitute teachers come and go, the Technology and Data Services department at the San José Unified School District (SJUSD) is accustomed to change.
Serving more than 35,000 students, faculty and staff in Northern California’s largest city, the department manages almost daily changes to faculty and student rosters.
“In a school environment, you have a large percentage of users leaving every single year. All of a sudden you just lose 3,000 users, and then add another 3,000 a few months later. It doesn’t happen in any other organization,” says Patrick Scanlan, Supervisor in Technology and Data Services at SJUSD.
Challenge
When SJUSD transitioned to Microsoft Outlook, it lost its file storage option, which offered messaging and collaboration, but on an outdated platform. So the district started its search for a cloud storage file sharing platform that would allow collaboration.
“Because we're a school district, we have a daily issue with many users about managing or even remembering usernames and passwords. So we needed something that was completely deployable from the admin side, based on what's already in our directory,” says Scanlan.
“The hardest part is managing user accounts. With as many staff and students as we have, provisioning users ahead of time was definitely a requirement,” states Scanlan. The solution needed to integrate with Active Directory (AD) and to create student user accounts without an email address. Students are given logins and access to online platforms, but they do not have a district-provided email account.
Solution
“The District chose Box as the storage solution, because they had the enterprise tools and the back-end admin capabilities that we needed to manage an organization of our size. And when it came to user provisioning, Box suggested OneLogin as the solution for that,” says Scanlan.
Leveraging the robust provisioning integration between OneLogin and Box, SJUSD set up rules for users and groups based on AD user fields such as grade level and site location, as well as custom attributes, then used mappings to automate app access. This helped streamline the provisioning process, while end users benefit from the simplicity of a single app portal. “As we used OneLogin more and more, from the admin side, we really liked the features we saw. We wanted a single sign-on portal for our users, where they could see all of the applications available to them, and they could just click,” comments Scanlan.
When staff and students are loaded into the student information system or HR system, their user accounts are created in AD, then additional accounts are created based on that. When a new staff member is set up in HR, their AD account gets created automatically, which in turn provisions their Box account, all through OneLogin. This all happens securely and instantaneously via Active Directory Connector (ADC) change notifications. Students all have Box accounts, as well as Google accounts for Drive and Classroom, which are all preloaded in their OneLogin accounts. Other cloud apps at SJUSD include Qualtrics, Web Helpdesk and Envoy.
Results
“The impact with OneLogin has been a lot less user and password management. The greatest compliment I can give is that the use of this product and its features, and how easy it is to integrate, has given people in my department more of their time back to take care of other more interesting and productive things. The fact that we're not managing users any more at the lower levels is amazing,” says Scanlan.
SAML Saves
“Deploying a new SAML-based app takes less than an hour to get the connections set up both ways. For apps that don't support SAML yet, we still were able to find a solution. OneLogin has an extensive form-filling tool that enables us to create a connector for login pages or products that don't support back-end directory syncing features yet. That has been a godsend, too,” states Scanlan.
“When we're choosing a new program, and that department comes and asks, ‘Should we choose this product?’ one of our first questions is, ‘Does it integrate with Active Directory or do they have SAML support?’ If the answer is, ‘No,’ then we tell them they're going to take on a huge amount of work, managing usernames and passwords with manually-uploaded spreadsheets,” advises Scanlan.
“OneLogin is a great product. We're very, very happy with it. The integration with SAML-enabled applications is, in my experience, flawless. We only have five or six SAML-enabled apps right now, but for those that get used a lot, it's a saving grace for us,” comments Scanlan.
Onboarding New Apps
“Our job is helping people who aren't comfortable with technology actually try some of these really cool things that we have, and OneLogin is one of those new cool things that we're trying to get people to use.
One of the biggest benefits we've seen is the ability to test out or onboard new programs. It’s so much easier than it used to be. Because OneLogin has a fully-developed web connector, we can make a login work, and support new app pilots. We build it, create a group or a role in OneLogin, give them access, then they try it. If it doesn't work out, it's easy for us to pull the tile away and we're done. If they decide to purchase it and fully roll it out, we use the same solution,” says Scanlan.
“Security is another benefit, knowing that our users have something that is fully encrypted, tied to our directory, and it's safe,” comments Scanlan.
Customization, Admin Control and Self-Service
“Customized branding has really helped our ability to fully brand our portal and support our users. Our login page help links take them to us, the email link goes to our support helpdesk. We're able to help our users get access themselves--before they contact the helpdesk. They're able to solve their own problem before requesting help. With the OneLogin platform, all of that is within our control,” states Scanlan.
“With some vendors, we have to fight for a single error message on the login page to instruct users who get stuck. Because otherwise, they have nowhere to go, and no clue. We can go into our admin console, we can customize all of that on our own -- we don't have to call anybody, we don't have to send an email, we don't have to do any of that. It's dead nuts simple,” comments Scanlan.
“Our user feedback on OneLogin has been that it's easy to use. Our department can't appreciate anything more when it comes to choosing a product, when our end users tell us that they like that product. They think it's easy to use, and it always works,” says Scanlan.