Protecting children’s privacy online is a top-of-mind concern for educators. But for the IT administrators tasked with this job, the “hows” of doing so can be complex and multi-faceted.
One good place to start is through managing the online accounts that students create to access their learning tools (such as G Suite for Education, Adobe, FreshGrade, etc). Many of these third-party applications require different personal identification details during the initial sign-up, such as student’s email, location, age, etc. These details are often saved in an unknown environment, and may be shared with an unknown number of other applications. This is not only concerning from a privacy perspective, but it also has legal implications for the school administrators.
To help educators take back control of their students’ online accounts, Cybera launched Pika, an “identity federation” solution, in 2018. Pika is a single-sign-on service that manages students’ logins (across separate platforms) from one, trusted location.
A year into the service, participants are already reporting that Pika has made their lives easier, and has given them greater confidence in the security of their students’ data.
“The connection process was really quick — any time I get to say a setup is easy and fast, as an IT person, that is a big benefit. We like Pika because it works. If there’s a problem we know how to deal with it, and Cybera is flexible when we need to make changes.”
– Darcy Bromling, IT Coordinator, Peace Wapiti School Division No.76
But getting to this level of “ease” was not simple — the Pika Federation was three years in the making. Alberta school authority leaders, and privacy experts from Cybera, worked together to build a “trust framework” of policies for sharing student data with third-party applications. Service providers must agree to this framework — which includes limits on the data they can access and store (such as location, names, and contact information) — before they can offer their services to the federation.
The benefit of Pika is that it allows education authorities to quickly access multiple services and tools that they know meet set privacy policies. Administrators also know exactly what pieces of personal information are being used by each service, and for what purpose.
It has also created a user community of school administrator to share their best practices and troubleshoot problems.
“It’s good to come together to build a group to create these guidelines. This has been a great way to build a shared community.”
– Alex Mottus, Director of Information Technology, Pembina Hills Public Schools and Alberta Distance Learning Centre
What services can be currently accessed through Pika?
- Adobe (including Spark and Creative)
- Google (including Google for Education)
- Microsoft 365
- Cisco Meraki
- Rapid Access Cloud
- See the full list
So, how does Pika work?
Signing in to a Pika-connected service is quick and easy for the student. But behind the scenes, these are the steps taking place:
The student goes to the online service they want to access (such as myBlueprint).
The student selects their school (or institutional) Login.
They are redirected to the Pika selection page:
The user’s home Identity Provider (aka the school) authenticates the student by asking them to enter their credentials (username and password):
After validating, Pika generates a Security Assertion Markup Language (SAML) response, providing the attributes that were specified by the Trust Assertion Document previously signed by the service. (A SAML is the process used by the identity provider and the service provider to exchange authentication and authorization data.)
The SAML response message indicates that the student has been authenticated.
- The service validates the response message and gives the student permission to access the online.
How to join
The service is geared towards K-12 schools in Alberta who are members of Cybera. (Check out our membership page to see if your organization is already a Cybera member).
To find out more, contact firstname.lastname@example.org to get started.