By Jean Chorazyczewski, InCommon Academy Director
IAM Online: March 2025 Speaker Spotlight
Identity and Access Management (IAM) and Single Sign-On (SSO) have been on higher ed’s radar for years. But lately, the landscape has shifted. More and more institutions are finding themselves in the middle of change, facing less-than-straightforward decisions about how to meet current and future SSO needs and how cloud-based solutions are entering the picture.
The choice of SSO solution is an important one as it impacts not just academic collaborations but also the security and accessibility of essential campus services. A well-implemented SSO system streamlines resource access, enhances user experience, and bolsters institutional security.
This shift isn’t a simple choice between on-premises and cloud solutions, but rather a nuanced navigation of hybrid environments, legacy systems, and emerging technologies. Several factors are influencing decisions:
- Cloud-based SSO solutions, like Entra ID, are gaining popularity, offering benefits such as reduced infrastructure costs and enhanced security features.
- On-premises SSO, like Shibboleth open source software, remains relevant and tailored for institutions prioritizing direct control over data and infrastructure.
- Many institutions are adopting hybrid approaches, recognizing the need to balance existing systems with cloud platforms to address institution-specific needs.
This complex decision-making process reflects the evolving needs and challenges of higher education IT environments.
To shed light on how institutions are navigating these challenges, our upcoming IAM Online webinar on Wednesday, Mar. 19, at 1 p.m. ET entitled “Change is Afoot: Navigating Cloud Shifts in Higher Ed IAM” will feature IAM practitioners from Southern Methodist University (SMU) and the University of Virginia (UVA). These institutions represent different approaches to IAM SSO shifts:
- SMU recently transitioned from Shibboleth to Entra ID while maintaining a hybrid environment, offering insights into cloud migration strategies.
- UVA is leveraging Entra ID to unify separate SSO systems, showcasing how cloud solutions can address complex integration challenges.
Both will highlight the importance of stakeholder engagement, strategic planning, and lessons learned during major IAM transitions.

Identity Management Lead
Southern Methodist University

Identity Architecture & Solutions Engineer
University of Virginia
Q&A
Ahead of the webinar, our speakers offer these valuable insights into the challenges and strategies for navigating cloud shifts in higher education IAM:
Kellen:
Many challenges stem from the decentralized
nature of higher education institutions: departments, schools, and research centers with their
own IT systems and identity silos lead to multiple layers of required integrations with the
cloud system. Trying to create and maintain these links while preserving autonomy can be
difficult. Coupled with the fact that many institutions also have a complex hodge-podge of
custom and legacy systems means that there aren’t necessarily clear-cut paths to the
cloud.
Tommy:
Our primary challenge is in dealing with products
that were not designed with the complex nature of higher education institutions in mind. For
example, the concept that an individual can have multiple university relationships is not a
native concept for some products. Instead, there is a general assumption that when an individual
loses an affiliation with the institution (e.g. they’re fired), their accounts and permissions
will be eliminated from the product. In higher education that user could have multiple
affiliations, and any one of those could require them to continue to have an account in that
product.
As we transition to cloud-based products, our IT teams will be strained to learn
and adapt to new products, technologies, and processes while still supporting existing ones.
This strain will continue while we’re in a hybrid state, which is likely to be for a prolonged
period of time.
Persuading our user community to move away from older familiar
technologies, like mapped network shares for storage, to the newer cloud equivalent is
challenging. Change is always challenging, especially as the transition can be disruptive to
important activities.
Kellen:
One of our primary goals is to provide a
better user experience. With our current environment, SSO isn’t so much “single sign-on” as it
is “same sign-on”, where the same credentials work for either our on-premises Shibboleth Identity
Provider (IDP) or our cloud IDP (Microsoft Entra ID), each of which has >500 application
integrations. Unifying the experience is not only better from the experience perspective but
also from a security and compliance perspective. Scalability of the solution and cost efficiency
are further reasons for our examination of how we can better leverage the Microsoft Entra
offerings.
Tommy:
One driver is to get well ahead of product
deprecations. A specific example is that Microsoft is clearly transitioning away from Active
Directory. No significant developments have been made to Active Directory since Windows Server
2016. While our Active Directory domain may be around for the next 20 years or more, we need a
transition plan that will allow us to move away from it at our own pace and schedule rather than
on Microsoft’s schedule at some unknown point in the future. For our institution we are
formulating a plan to transition from Active Directory to Entra ID as our directory service. At
the moment we’re in a hybrid state where we use both concurrently. That journey began in 2014
when we created our Microsoft Azure tenant, and began to synchronize most objects from Active
Directory to Entra ID. Staying in hybrid mode poses several challenges so we must plan our
transition out of it.
Another motivation is the desire to take advantage of new
technologies available in the cloud products. Since Microsoft’s focus has moved to its cloud
products, the most interesting technology developments are occurring there. We believe that new
cloud-based “passwordless” authentication technologies such as Windows Hello for Business will
represent a significant improvement in user experience as well as security. This introduces the
need for a slew of prerequisite cloud-based products including Entra-join, Autopilot, Intune,
and Platform SSO.
Kellen:
We’re in the early stages of our process and
still learning, but one crucial lesson is to prioritize requirements gathering. Your project, or
likely a series of projects, must carefully balance security, compliance, and operational needs.
Deploying a solution that doesn’t support complex identity lifecycles or integrate seamlessly
with legacy systems can lead to frustrated users, security issues, and costly rework in the
future.
Tommy:
Transition gradually wherever possible. Start
slow, make mistakes early, get early adopters from every IT team and take their feedback very
seriously.
Kellen:
Plan carefully, secure buy-in from
stakeholders early, and seek advice from peer institutions through forums like Internet2
conferences, working groups, and training.
Tommy:
Always learn
from other people’s mistakes first and then go make your own mistakes. Learn, improve, and then
share!
Join Us for IAM Online
Interested in learning how institutions are navigating the complex landscape of cloud-based and on-premises IAM SSO solutions? Don’t miss our upcoming webinar, “Change is Afoot: Navigating Cloud Shifts in Higher Ed IAM,” on Wednesday, Mar. 19, at 1 p.m. ET. Hear from IAM practitioners as they share their experiences and insights on transitioning to cloud-based IAM systems, managing hybrid environments, and addressing the unique challenges faced by higher education institutions.
Register Today
Please Note: We’ve introduced a new, improved registration process for our webinars. You’ll now register individually for each webinar, which allows us to deliver content that’s even more aligned with what you want to see. Get ready for more engaging, community-driven webinars designed with you in mind!
Do you have ideas for IAM Webinars you would like to attend? Fill out this form and let us know what you’d like to see.