CASE 110 · JUNCO · 2023
School logins that just work, on every district’s SSO.
An EdTech company sold to school districts, each with their own identity provider (Google Workspace, Microsoft Entra, ClassLink, a handful of district-specific SAML implementations). Their auth had been a fragile collection of district-specific code paths. We consolidated on Cognito federated identity providers.
EdTech
SECURITY
2023
RESULTS
What changed, by the numbers.
DISTRICT SSO COVERAGE: 94%
AUTH BUG INCIDENTS: −86%
NEW-DISTRICT ONBOARDING: < 1d
CUSTOM CODE PATHS: 7 → 1
HOW IT WENT
School-year start was the worst week of the year for the support team. Every district had something different — a SAML response that put the email in an unusual attribute, a Google domain restriction that needed manual configuration, a ClassLink integration that broke every time ClassLink updated.
Cognito User Pools with federated identity providers gave us one mental model for every IdP. SAML districts mapped to a SAML federated provider; OIDC districts to OIDC. A Lambda pre-token-generation trigger normalised the attribute differences. New districts onboard themselves through a self-service portal that registers their IdP with Cognito.
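The attribute normalisation described above, sketched as a Cognito pre-token-generation (V1 event) handler in Python. This is an added example, not the engagement's code; the provider names, the `custom:saml_mail` attribute, the domains and the `district_email` / `district_id` claim names are assumptions.

```python
import json

# Constructed per-district settings (assumed names): which mapped attributes
# may carry the email, in priority order, and which domains the district owns.
DISTRICTS = {
    "district-a-saml": {"email_attrs": ["email", "custom:saml_mail"],
                        "domains": {"district-a.example"}},
    "district-b-google": {"email_attrs": ["email"],
                          "domains": {"district-b.example"}},
}


class ClaimRejected(Exception):
    """Raised to fail the sign-in instead of issuing a token with bad claims."""


def provider_name(attrs):
    # Cognito stores federated links in the "identities" attribute as a JSON string.
    identities = json.loads(attrs.get("identities") or "[]")
    if len(identities) != 1:  # simplification: linked multi-IdP users are refused
        raise ClaimRejected("expected exactly one federated identity")
    return identities[0].get("providerName", "")


def normalise(attrs):
    name = provider_name(attrs)
    cfg = DISTRICTS.get(name)
    if cfg is None:
        raise ClaimRejected("IdP not registered: %r" % name)
    for key in cfg["email_attrs"]:
        email = attrs.get(key, "").strip().lower()
        if email:
            break
    else:
        raise ClaimRejected("no email attribute from %s" % name)
    local, at, domain = email.rpartition("@")
    # Only accept addresses in the domains registered for this IdP, so one
    # district's IdP cannot assert an identity in another district's domain.
    if not (at and local) or domain not in cfg["domains"]:
        raise ClaimRejected("email outside district domains")
    return {"district_email": email, "district_id": name}


def lambda_handler(event, context):
    # An unhandled exception here makes Cognito reject the authentication.
    claims = normalise(event["request"]["userAttributes"])
    event["response"]["claimsOverrideDetails"] = {"claimsToAddOrOverride": claims}
    return event
```

Downstream services then read one claim pair regardless of IdP, and the domain allow-list keeps a self-registered IdP scoped to its own district.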
District SSO coverage went from 41% to 94% within a year. Auth bug incidents dropped 86% year-over-year. School-year start went from "all hands on support" to "one engineer monitoring quietly." New-district onboarding is now usually finished before the kickoff call ends.