Windows Identity Foundation Single Sign-On Solution for HealthStream
HealthStream, Inc. provides innovative learning solutions that support the mission-critical training and business objectives of healthcare organizations. The company’s Information Technology team is charged with managing the firm’s flagship product, HealthStream Learning Center, a multi-tenant, Internet-based application with 2,000,000 healthcare professionals currently contracted.
HealthStream’s application suite has evolved over time based on responses to customer requests, the evolving healthcare education marketplace, and the company’s strategic vision. That evolution resulted in a set of products and services that addressed the needs of the marketplace, but that have not necessarily been developed in an integrated fashion. One consequence of this is that each application has its own user credential data, authentication mechanism, and means of providing user session security. While some technology commonalities among the applications do exist, users are required to authenticate when moving across applications, and credentials are not shared or standardized. To ease this user burden, HealthStream committed to the strategic business goal of providing a Single Sign-On (SSO) experience to its users across its entire application suite.
HealthStream, already familiar with the Wintellect brand, decided to outsource the development of the SSO Prototype. Wintellect, a Microsoft Gold Certified Partner, had deep experience with web-based architectures, Single Sign-On, and claims-based security technology in general, and specifically with the current Microsoft technologies previously code-named “Geneva”.
While this effort was identified and scoped as a prototype, it became clear in early discussions that HealthStream expected the project to provide significant direct benefit to an eventual production solution. The mind-set and direction of the team quickly moved from executing a proof-of-concept (“can this technology be used to meet our needs?”) to more of a test-drive approach. The strategy became to operate as if this project were the initial stages of a production effort, and not a throw-away learning exercise. These expectations drove two key project guidelines: scope the project broadly enough to include all key components, and identify specific areas of effort likely to produce reusable assets.
Wintellect produced a Single Sign-On solution based on Active Directory Federation Services (ADFS) and Windows Identity Foundation (WIF), integrated with the existing applications and user data. Three applications were integrated into the SSO solution for the prototype: HealthStream Learning Center, Insight into Action Community, and Insights On-line Research. Current user accounts were successfully migrated for use by the SSO system, and users were not forced to change or update their accounts after the migration to SSO. Minimal updates or additions to the existing applications were required; in two of the three cases, the bulk of the integration was accomplished via configuration. In the third case, the HealthStream Learning Center application, code updates were isolated to five classes involved with user authentication. Code additions were used across the prototype, and consolidated into a set of Claims Utilities.
The prototype was developed and delivered using virtualization technology hosted on the Microsoft Hyper-V platform. One virtual machine included a fully configured development environment to be used for training and knowledge transfer; it also served as an application server for the run-time demo. Two additional virtual machines served as a domain controller / certificate server and a SharePoint application server, respectively. The delivery package also included extensive documentation detailing the configuration, development, and deployment steps undertaken, and suggestions for subsequent efforts.