Single Sign On for Enterprise Apps

“Single Sign On” (or SSO) allows you to use your University of Reading credentials to sign in to Enterprise Applications (so called as they are usually business, or enterprise, related).
Many of “our” Enterprise Apps such as RISIS, Canvas, iTrent, the Campus Card Portal, the IT Self Service Portal (TOPdesk) and UoRLearn (SABA) are legitimate and in everyday use. Others are linked to the University of Reading such as Padlet, Trello and LinkedIn Learning, which also use our Single Sign On credentials but are not UoR branded. Finally, there are random apps which have no obvious UoR business use at all, such as PayPal, Scanner Pro, Cloud VLE etc.
What is the problem?
Over the past few years, more and more apps have been enabled to use SSO without any real governance, as no admin permission was needed. This presents a problem. Some apps have been abandoned or have not been updated, which makes them vulnerable to a cyber-attack. Some apps have introduced charging, which isn’t transparent to the end user. Some apps are not appropriate with an Education licence and we shouldn’t be using them.
We are nearing 5000 different apps on our books, and this number is increasing every day, so we need to tackle this now.
What are we doing?
DTS will be reviewing the permissions for all Enterprise Apps which are using UoR Single Sign On credentials, and we will be removing automatic approval from many applications. For the most part, these will be applications which have no users or aren’t current or valid. We will also be removing approval from applications which are unknown, or do not have any obvious business purpose. If this is an app that you use, you will need to apply for permission to use it.
What do I need to do?
All of us use Enterprise Apps; however, you may not be affected by this change.
For Enterprise Apps which are legitimate, permissions will remain. This group includes current UoR apps and most UoR linked apps. No action is required, and you won’t notice any differences when you sign in.
For Enterprise Apps where we can’t see evidence that they are being used, or which are not obviously business related, you may be asked to request permission for the app to use Single Sign On, even though you may have been using it before this change.
You can check the Enterprise Apps you have on your Microsoft App Dashboard.
How do I request permission to use an Enterprise App?
If you need to ask permission to use an app, you will be able to do this from the app sign in page without having to raise a ticket. You’ll get a message similar to the one shown here when you try to sign in, and you can provide a short justification and submit it directly to us.
What happens next?
We will review the requested app to determine if it is appropriate for use under UoR credentials. In particular, we will be checking the permissions that the app is asking for, and whether they are acceptable from a security perspective.
Once an app has been approved, you won’t need to ask for approval again (and nor will anyone else using that app).
Enterprise App not been approved?
If your app has not been approved for use with Single Sign On, this doesn’t necessarily mean you can’t use it, but it does mean you will not be able to sign in with UoR credentials. Please raise a ticket to discuss.
The future of Enterprise Application Management
Going forward, we have implemented admin controls so that all attempts to register new applications using university accounts will require admin approval.
Further information and contact
If you have any questions or need any advice, please contact the IT Service Desk.