Why We Need to Integrate UMW Blogs with Active Directory

For years now we’ve prided ourselves on keeping UMW Blogs outside of the single-sign-on environment using the rationale that it provides just one more layer of separation from the fears surrounding privacy, FERPA, and security. Admittedly, part of this stance was born out of the technical challenge of integration, an issue that since then has been figured out pretty effectively for a variety of authentication systems. And given UMW has had Active Directory for the past three years, we could (and most likely will) take Luke Waltzer’s brilliant lead and integrate our UMW Blogs instance seamlessly thanks to Boone Gorges’ plugin (how much do you love CUNY?).

Integrating with UMW’s Active Directory is something I’ve been thinking more about recently given it would make certain things a hell of a lot easier. What’s more, we’re already doing this on the umw.edu installation of WordPress, and that works quite well thanks to Curtiss Grymala. So we even have the in-house expertise now; I guess I’ve just been stuck on the idea of creating a bit of a firewall between UMW Blogs and the other enterprise systems around campus, even though UMW Blogs has been an enterprise system for a couple of years now, whether or not I want to admit it. I probably would have dragged this out a bit longer, but a recent meeting I was in about the future of online learning at UMW has been helping to make the decision easy.

We have a new set of forms and policies regarding online classes that were inspired by our preparation for our current SACS review. More specifically, we have an “Online Course Authorization” form (doesn’t it sound so Brazil-like) that caught my attention because according to this form, in order for UMW to remain in “compliance with federal distance education regulations” you have to login through a centralized, campus-wide authentication system. Here is the exact verbiage from the form:

The default expectation is that online UMW courses will be offered through Canvas, the University’s enterprise learning management system. Because Canvas requires a secure UMW login and password authenticated against the University’s active directory, it fulfills the federal requirements for verification and privacy and does so at no additional costs to students.

If this course will be managed through Canvas, check this box, provide the two signatures (below), and submit the form to the Office of the Registrar. Ignore page two of this form.


What else can I say? This pretty much says it all. As of right now UMW Blogs is not authenticating against our university’s active directory and hence cannot be considered one of the default spaces where online learning can happen at UMW without a litany of five or six signatures all the way up to the Chief Information Officer. I don’t know the specific federal regulations this form is referring to and I’ll have to do more research there (anyone know anything about this?), but at the same time I’m not necessarily doubting it. Given how meticulously we’ve been going about our SACS re-accreditation review I’m sure the regulations are quite plain. What gets me in all this is the idea that as a result of these regulations our LMS has become the default mechanism for designing an online course experience at UMW. This seems problematic to me given all the work we’ve done over the last seven years, and one of the reasons I am kicking myself a bit for dragging my feet on active directory authentication.

At the same time we’re lucky we don’t do too many online courses at UMW just yet, and those we are doing are being shaped and developed through a robust community of faculty in the Online Learning Initiative that are interrogating the ideas behind online learning for a liberal arts campus. Nonetheless, the idea that there is a form somewhere that says “the default expectation is that online UMW courses will be offered through Canvas” kills me. The impulse amongst universities to dictate the virtual environment in which online classes can happen will increasingly become a contested and murky reality—folks will “authenticate” through the LMS but that’s not where they’ll teach and learn.

This form is very much a hoop we are having faculty jump through as a way to square ourselves with the SACS review, which I understand, but at the same time it does little or nothing to push the vision and possibilities of online learning forward institutionally. On the contrary, it makes it much more difficult for a faculty member to choose an alternative framework, a fact that could be potentially devastating to the culture of innovation in this area cultivated at UMW up until now. For that reason alone I think it is crucial that we start seriously considering getting UMW Blogs to authenticate against active directory so that it can be yet another default option for online learning that we can offer UMW faculty with little or no hassle.



14 Responses to Why We Need to Integrate UMW Blogs with Active Directory

  1. Tony Hursh says:

    Wow. My response would be “go f*** yourselves”. I guess that’s why I’m no longer in academia. 🙂

    I’ve never heard of any such regulation, though that doesn’t mean that it doesn’t exist.

    Also: Canvas sucks.

  2. Pingback: Why We Need to Integrate UMW Blogs with Active Directory | bavatuesdays | eLearning

  3. And so it begins, the beginning of the end…

  4. Luke says:

    And so it begins, the beginning of the end…

    Bullshit. Or, I hope this was a joke. After all that Jim and UMW has done to push forward in the right ways, I wouldn’t doubt their ability to find their way through this and kick more ass on the other side. Their value has not merely been opposition to the institution, but to critical dialogue with the institution. Nothing Jim wrote here changes that.

  5. We have had similar conversations, but so far as I know, we don’t yet have to seek approval for “alternative” platforms to our LMS. It’s a sad reality how much university attorneys hinder innovation.

    Privacy and security are at the center of this discussion. You can’t keep student information, including grades, on systems that could be viewed as insecure. That’s what is behind the cumbersome approval process.

    You have to ask what are the privacy implications for students if your external system is compromised? The big one you have is a list of student names and email addresses. But you likely don’t keep grades, permanent addresses, SSN’s etc.

    If you can satisfy the CIO or whomever would be held accountable at the university if a data breach happened that the data you keep isn’t a risk, it shouldn’t matter how you authenticate.

  6. Lanny Arvan says:

    I’ve lived on both sides of this issue for many years. My current view is that the institution has to do what it has to do. It may not be generally understood, but when there are breaches in FERPA that are detected and punished, it is the institution that is punished by having Federal funding withheld, not the individuals who created the breach.

    But instructors’ primary fidelity should be to student learning and that may very well require going outside of the institution for the online environment. The instructor still needs to be sensitive to student privacy. The way to do that is to assign aliases to students and require that they use the alias as the screen name. Then use tools that are freely available, but not supported by the institution. And do so without seeking permission.

    This is not a long run stable solution. There seems to be two possible solutions that might be stable. One is that the rebels are quelled and revert back to using campus-supported tools. The other is that campus policy changes as the campus recognizes the learning benefits from the rebels’ approach. Either way, however, the rebels are not folks who work for campus IT. The rebels are individual instructors.

    I also think a different interpretation of what FERPA requires is needed. Records of student achievement (course grades) should definitely be protected. Transactions that facilitate learning should not be. At least at Illinois, the interpretation is that enrollment in a particular class is protected information. The approach with aliases protects that information, but it is a kludge as solution. I believe that interpretation itself should change.

    There are something on the order of 100 students out of 30,000 total who FERPA suppress their identity information in the directory. Something more must be done to respect the privacy of those 100 students in class transactions, but the learning of the 30,000 shouldn’t be reduced as a consequence.

  7. Tim Owens says:

    Call me crazy but I don’t see the evil of allowing students, faculty, and staff to use the same login they use on the rest of campus. If we were talking about having to sign off on a new terms of service and regulations for users of UMW Blogs that would be different, but this change actually makes things a lot easier, especially for new students. This makes access to the publishing platform that much more accessible to the UMW community.

    I still have questions for how much hyperbole and “interpretation” is being put into that form as a result of SACS conversations, but regardless I think this is a good move that makes it easier for everyone on campus to use the system. The perceived notion that we have to follow a new set of rules just because we use the single sign on system of the university is just that, a perception. If the CIO came tomorrow and said “If you want to be on AD here’s the new things you have to agree to” I’d certainly change my tune but as of yet that has not happened.

  8. K Jones says:


    The way this reads to me, the only time you need prior approval is if you are going to be using a different resource to MANAGE your online course. Yet, managing an online course has nothing to do with using other online resources like blogs, wiki’s, google doc’s, etc… in your course. It seems like instructors teaching online courses would be free to use pretty much anything they wanted as long as they housed the actual course in Canvas – grading, email, links to outside resources, other course content, etc…

    Am I missing something? Am I being naive?

  9. Reverend says:

    Wow, I was really not expecting such a reaction to this post. Going to active directory was never so exciting 🙂 I’ll try and take these one at a time to deal with a few issues, and then end with a summary of what might have been misinterpreted in the original post.

    @Tony Hursh,
    Not sure moving to active directory authentication is the end of the line for innovation, especially for a system that has systematically become enterprise level. What I am most concerned about here is actually making sure the work we’ve done with UMW Blogs is seen as more than a fringe alternative. I still need to follow up on the federal regulations details, but not so sure this is all or nothing as you seem to suggest.

    Are you drive-by commenting again? That is so LA gangster circa 1990 😉

    Special thanks to you for laying the balanced and pitch-perfect tone for this post. Your work with Blogs@Baruch is our model currently, and we will be trying to sit down with you soon to hash it out. It is exactly the discourse around this topic we want to engage because it is important for a lot of other schools, and it is a conversation we need to be part of. I am all for protecting students’ data and preventing a breach of info, I just don’t think this issue is being approached in all of its complexity and just how much these federal regulations seem to ignore or fail to acknowledge. We need to make this a relevant discussion for the work happening at UMW, because like you I think the work we are doing has very much happened within institutions and I am not about to throw the baby out with the bathwater. Watching UMW Blogs mature alongside the enterprise has been both an interesting and rewarding reality, I don’t think that would die all so easily, we have a lot of smart people invested in this space. And luckily the CIO is one of them 😉

    To reiterate my comment to Luke, I think we have a community to deal with this intelligently. That said, the impulse to let abstracted federal regulations dictate how and where faculty teach online is distressing. That said, and this gets to @K Jones and @Lanny Arvan’s comment as well, we don’t have an administration here that is trying to crack down on what faculty do. Rather, it is an attempt to address these regulations, and what we need to do is have a conversation about what this means on campus. I’m definitely not gloom and doom about this, but I don’t want it to turn into a railroading of options either.

    As I noted to Bill, don’t think this will kill us. At Mary Washington there are enough faculty who are “rebels” that this might be considered enterprise 🙂

    I agree with you entirely, and I am all for active directory if it makes things easier and allows UMW Blogs to be an option on equal footing with the LMS.

    @K Jones,
    I think you nail it, the administration is not necessarily locking down all other options, they are saying you need to authenticate through Canvas at some point to prove who you are. But that begs the question of how ludicrous a requirement this is if it all comes down to a formality, and all the other teaching and learning can happen anywhere. And I think your reading is right. No one is saying don’t use twitter, blogs, etc., they are just saying you need to use the LMS as your starting point.

  10. Mikhail says:

    If it’s the beginning of the end of anything, it’s the institutional marginalization of systems like ours. This is an important and validating step.

  11. Brad Kozlek says:

    Integrating umwblogs with your authentication system is good for users, and IMHO, a necessary step as the platform continues to grow. However, as you start down the path of trying to figure out security and compliance for open web tools it is very easy to find yourself in a Hellerian reality. It sounds like you, the administration and the faculty are willing to grapple with that, though, which is fantastic. Excelsior!

  12. Jared Stein says:

    I don’t deny that this feels kind of wrong, but ultimately I’m agreeing with Tim here. Let’s not forget it is an institutional system, even if you’d prefer it not be.

    I used LDAP authentication on the WordPress and MediaWiki instances I’d set up at UVU, and it enabled /more/ use of the system. It made it entirely, unquestionably feasible for a teacher to stand up the first day of class and say, start your blog. You don’t need a new user account, you don’t need to remember another password. Just get started.

    And unlike other, true single sign-on IdPs, LDAP-based systems don’t have to be the sole source of user account data, so it’s not like it’d necessarily lock down the system in ways that would be detrimental to more open, unbound communities of learning.

    (You probably know it, but Aaron Axelson just released a new ver. of his WPMU LDAP plug-in.)

  13. Pingback: Blogs@Baruch Milestones: Part 1, Active Directory Integration

  14. Pingback: EduGeek Journal » Open Learning Structure Part 2
