Student in Active Directory?

  • Question

  • Me and some team members are planning and prototyping our next version of our educational software.
    This software mainly relates to students and nothing else (ie, grades, behavior, etc), so until now we've been storing students in a SQL database.
    Thanks to the good response of our client, we've decided to do a new version written from scratch (we were very young back then and we didn't use ANY design patterns, so zero reusability).

    In this new version, the students will have a more active role in the system, and the software will expand to the different offices in the school/university, like accounting, through different types of smart client options.
     
    So my question is if I should keep the students in my database, or switch to Active Directory.
    Please, I need pros and cons, and if they do sit in AD, how should I manage student history?

    By the way, we are trying to expand the software with a read-only Internet version, for reviews of homework and grades, and I've heard of project Geneva and the use of CardSpace; can someone also explain about this please?
    And thank you very much 


    VS2005STD
    Sunday, June 14, 2009 1:56 AM

All replies

  • Hi

    Identity management is a bit of a tough nut to crack, and as usual, the answer basically boils down to: it depends on your requirements.

    So I'm guessing that you have the following requirements:
    - store the users and the roles per user
    - easy creation of new identities in the system
    - internet access
    - role based security (different user, different access level, etc)
    - ...

    These are generic requirements that you can do with both AD and the membership system.
    The question then becomes why you would choose one over the other:

    - AD will give you an enterprise level solution, in that all the users of the system are in a domain.
      This is a big plus if you are considering single sign on scenarios, offering email (Exchange) to every student, SharePoint access for uploading / downloading content, etc.
      Membership administration is done using the standard tools available.
     
      Student history could be managed based on the login of the user (if that login is guaranteed to be unique in time, eg: student number) or the SID of an account
      (a sort of Active Directory primary key), which is sadly not very humanly readable (it's a GUID).
      Or, you might store the SID in a table which correlates the SID with your student id.

      Internet access is possible, but would require an ISA server...
      This would allow your users to pass in their Windows credentials, after which the requests are handled as if the user were logged on to the domain.
     
    - (ASP.net) membership system
       The ASP.net membership system is also a valid possibility, although there single sign on can be somewhat challenging to implement.
       Here you'll have forms security versus the Windows integrated security if your users were in AD.
       Basically the biggest plus here is the flexibility it offers; you can for instance create your own database to implement the membership providers and so on...

       History management can be done based on a user id (which correlates nicely to the student id).

       Internet access is possible, and less complicated than its Windows counterpart.

    - Claims based security is federated identity management, which doesn't really apply here I think.
      In claims based security, access to a resource is limited to a user who can provide the correct claims.
      The power of federated identity management is that the validation of the claims need not be done by the resource itself,
      but can be provided by a third party. So unless you have a third party which you trust to identify your users...

    I hope this answers some of your questions.
    In any case, can you shed some more light on what your exact requirements are?
     
    KR

    Frederik
    Please close the thread if your question is answered, and don't forget to rate the best responses!
    • Marked as answer by freddyccix Wednesday, June 17, 2009 5:27 PM
    Monday, June 15, 2009 9:17 PM
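As an added example (not from this thread or from any of the posters), here is how the SID-to-student-id correlation table Frederik describes could be kept in Python: the binary objectSid attribute read from AD is decoded into its S-1-5-... string form and used as the stable key, so a renamed login keeps its history while a re-link to a different student is refused. The table name, column names and the sample SID are constructed for this example.

```python
import sqlite3
import struct

def sid_bytes_to_string(blob: bytes) -> str:
    """Convert the binary objectSid attribute read from AD into the familiar
    S-<revision>-<authority>-<sub-authorities> string."""
    if len(blob) < 8:
        raise ValueError("objectSid too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, blob, 8)  # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def make_sample_sid(*subs: int) -> bytes:
    """Build a constructed objectSid blob (NT authority 5) for the demo; not real AD data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def open_registry() -> sqlite3.Connection:
    """Correlation table: SID is the stable key, student_id is what the app joins on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE student_identity (
        sid TEXT PRIMARY KEY, student_id TEXT UNIQUE NOT NULL, sam_account_name TEXT)""")
    return conn

def link_account(conn, object_sid: bytes, sam_account_name: str, student_id: str) -> str:
    """Link an AD account to a student; a new login for a known SID is a rename, a new student id is refused."""
    sid = sid_bytes_to_string(object_sid)
    row = conn.execute("SELECT student_id FROM student_identity WHERE sid = ?", (sid,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO student_identity VALUES (?, ?, ?)", (sid, student_id, sam_account_name))
    elif row[0] != student_id:
        raise ValueError("SID %s is already linked to student %s" % (sid, row[0]))
    else:
        conn.execute("UPDATE student_identity SET sam_account_name = ? WHERE sid = ?", (sam_account_name, sid))
    return sid

def student_for_sid(conn, object_sid: bytes):
    """Resolve an authenticated user's SID to a student id (None if the account is unlinked)."""
    row = conn.execute("SELECT student_id FROM student_identity WHERE sid = ?", (sid_bytes_to_string(object_sid),)).fetchone()
    return row[0] if row else None

def demo():
    conn = open_registry()
    sid_blob = make_sample_sid(21, 1111111111, 2222222222, 3333333333, 1105)  # constructed sample SID
    link_account(conn, sid_blob, "jdoe", "STU-2009-0042")
    link_account(conn, sid_blob, "jdoe2", "STU-2009-0042")   # login renamed, same SID: history kept
    return sid_bytes_to_string(sid_blob), student_for_sid(conn, sid_blob)
```

In a real deployment the objectSid bytes come from an LDAP query against the domain, and the correlation table would live in the application's SQL database next to the student records.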

  • Basically the roles that are going to interact directly with the system and other services ( sharepoint, Web Page, Exchange) are:
    -Administrator
    -Directors
    -Teachers
    -Parents
    -Students

    This is the complete list of users and roles for the institutes. My main issue is for students basically, 'cause students are interacting with the system both in the institute and on the internet; teachers should have the option to do this as well. Parents are mainly going to use the internet version of the system for filling up or updating their info and the student's as well. But I'm pretty sure that they (parents) shouldn't be registered in AD (correct me if I'm wrong please). On the other hand, we are planning to architect this system for a wide variety of institutes in the city, so we are implementing SOA principles, which are fairly new to us.

    These institutes might be anything from children education (no student interaction with the system), high schools (medium level of interaction with the system, like review of grades and assignments), and universities (a major interaction, like uploading files through the internet, or contacting teachers, etc).

    We are developing a main solution for these customers.

    To clarify my question: should WE use only database level authentication, this way we have absolute control over the whole users, or should we use AD ALSO, to simplify management, or should we implement separate solutions?

    Thank you very much

    PS: Excuse me for my English, it is not very good.
    VS2005STD
    Tuesday, June 16, 2009 3:28 PM
  • Hi

    To me a hybrid system (supporting both Windows and forms authentication) will probably be best.
    You'll probably want to have some separation in the front ends, ie having a site which you can use with AD authentication (for teachers, directors, students) and a forms based site (parents).

    One thing to note here is that you'll probably want to create student records based on student id (some number you have),
    which would allow you to match a Windows user name to a record in the database.
    If you have multiple institutes in your solution, it might become difficult to manage that (as logins need to be unique).
    Perhaps you might be looking at different domains / installations per institute, prefixes for logins, ...

    Hope this answers your questions :)

    KR

    Frederik
    Please close the thread if your question is answered, and don't forget to rate the best responses!
    • Marked as answer by freddyccix Wednesday, June 17, 2009 5:27 PM
    Wednesday, June 17, 2009 7:33 AM