About GDHacker IDS
The district's authoritative single sign‑on and identity management service — centralizing authentication for approved applications to strengthen security, simplify access, and provide consistent audit trails.
Executive Summary
This service provides a standards‑based, secure authentication platform for internal and approved third‑party applications. It implements modern best practices including OAuth 2.0 / OpenID Connect authorization code flow with PKCE, rotating refresh tokens, FIDO2 passwordless authentication (passkeys), SAML 2.0 for federated SSO with legacy and external systems, student badge sign‑in via QR code for young learners, and WiFi Captive Portal for secure network access. The platform is designed with defense‑in‑depth principles and follows industry security guidelines. Recent improvements also add centrally managed login access rules so administrators can control which authentication methods are available based on Active Directory group membership and geolocation.
Adaptive Login Access Policies
Super administrators can now define login access rules that apply to password, passkey, badge, and Windows sign‑in methods. Rules can match Active Directory groups, country code, and geolocation text such as city or region.
This enables scenarios such as allowing passkeys only for selected student groups, restricting certain sign‑in methods outside the United States, and applying location-aware controls while keeping district internal network traffic trusted.
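The following is an added illustration of how rules like these can be evaluated for a sign-in request; it is not GDHacker IDS code, and the rule shape, the "highest priority wins" semantics, the fallback to password-only when nothing matches, the internal address ranges, and the AD group names are all assumptions made for the example. It reproduces the three scenarios from the text: passkeys for a selected student group, badge sign-in for young learners, and restricting methods outside the United States while internal network requests stay trusted.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# All sign-in methods the policy engine knows about (the four named on the page).
METHODS = frozenset({"password", "passkey", "badge", "windows"})

# Constructed: district internal ranges that stay trusted (assumption, RFC 1918 space).
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    """One login access rule. Empty match fields mean 'any' (assumed semantics)."""
    allowed: Set[str]                                         # methods permitted when the rule wins
    groups: Set[str] = field(default_factory=set)             # AD groups; any overlap matches
    countries: Set[str] = field(default_factory=set)          # ISO country codes that match
    outside_countries: Set[str] = field(default_factory=set)  # matches when NOT in this set
    location_text: Optional[str] = None                       # case-insensitive substring of city/region
    priority: int = 0                                         # higher wins when several rules match


@dataclass
class LoginContext:
    user_groups: Set[str]
    ip: str
    country: Optional[str]   # None when the geolocation lookup failed
    location: str            # free text such as "Great Falls, Montana"


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def rule_matches(rule: Rule, ctx: LoginContext) -> bool:
    if rule.groups and not (rule.groups & ctx.user_groups):
        return False
    if rule.countries and ctx.country not in rule.countries:
        return False
    # An unknown country counts as "outside", so a failed lookup lands in the restrictive branch.
    if rule.outside_countries and ctx.country in rule.outside_countries:
        return False
    if rule.location_text and rule.location_text.lower() not in ctx.location.lower():
        return False
    return True


def permitted_methods(rules, ctx: LoginContext) -> Set[str]:
    """Methods the user may use for this request.

    Internal network requests stay fully trusted; otherwise the highest-priority
    matching rule decides. With no matching rule only password remains, so a
    misconfigured rule set fails closed on the newer methods (assumed default).
    """
    if is_internal(ctx.ip):
        return set(METHODS)
    matching = [r for r in rules if rule_matches(r, ctx)]
    if not matching:
        return {"password"}
    winner = max(matching, key=lambda r: r.priority)
    return set(winner.allowed) & METHODS


# Constructed rule set mirroring the scenarios in the text (group names are made up).
EXAMPLE_RULES = [
    Rule(allowed=set(METHODS), priority=0),                                      # baseline: everything
    Rule(allowed={"password", "passkey", "windows"}, location_text="Montana", priority=5),
    Rule(allowed={"password", "passkey"}, groups={"Students-HS"}, priority=10),  # passkeys for selected students
    Rule(allowed={"password", "badge"}, groups={"Students-Elem"}, priority=10),  # badge QR for young learners
    Rule(allowed={"password"}, outside_countries={"US"}, priority=20),           # restrict outside the US
]


if __name__ == "__main__":
    ctx = LoginContext({"Students-HS"}, "203.0.113.5", "US", "Great Falls, Montana")
    print(sorted(permitted_methods(EXAMPLE_RULES, ctx)))  # ['passkey', 'password']
```

The decision is a pure function of the request context, which is what makes it straightforward to log alongside the authentication event: recording which rule won (and why) gives the audit trail the page describes something concrete to show when a user asks why a method was unavailable.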
Passwordless Sign-In with Passkeys
The platform also supports passkey-based sign‑in for a faster and more secure passwordless experience. Users can sign in with biometrics, a device PIN, or a supported security key instead of typing a password.
Passkeys improve usability for staff and older students while helping protect against phishing, password reuse, and brute-force attacks across supported devices and browsers.
Student-Friendly Sign-In
The platform now supports badge login using QR codes, making sign‑in faster and easier for young students who may not yet be comfortable typing usernames and passwords.
Students can present their school badge to a device camera for a simplified login experience while the system continues to enforce district security, auditing, and access controls behind the scenes.
Service Details
| Item | Detail |
| --- | --- |
| Service | Central SSO / Identity Provider (GDHacker IDS) |
| Environment | Production — district internal use |
| Platform | ASP.NET Core (.NET 10), Dapper, Microsoft SQL Server |
| Protocols | OAuth 2.0, OpenID Connect, SAML 2.0, FIDO2 / WebAuthn, QR Badge Login |
| Adaptive Access | Supports policy-based login rules by AD group, authentication method, country, and geolocation |
| Passwordless Access | Supports modern passkey authentication using biometrics, PIN, or hardware security keys |
| Student Access | Supports badge-based QR sign‑in for simplified elementary and primary student authentication |
| Owner / Maintainer | YYDS — Information Security Specialist |
| Version | 1.0.0.0 updated 2026-04-01 21:38 |
| Support | End‑user support via Help Desk; technical integration: webmaster@gdhacker.com |
Security & Audit
- TLS enforced on all endpoints
- Short‑lived access tokens with automatic refresh token rotation
- PKCE required for public clients
- Comprehensive authentication event logging
- Geolocation‑aware login auditing
- Proxy / VPN / anonymous IP detection
- Policy-based login controls for password, badge, passkey, and Windows sign-in
- Authentication method restrictions based on AD groups and geographic location
- Passkey authentication supports phishing-resistant passwordless sign-in
- Badge login events recorded for traceability and incident review
- Group‑based access control per client (AllowedGroups / BlockedGroups)
- District internal network requests remain trusted while external access can be restricted
Integration Guidance
- Register as an OAuth/OIDC client or SAML 2.0 Service Provider
- Student-facing workflows can use badge QR sign‑in to reduce typing friction
- Compatible users and devices can adopt passkeys for a simpler passwordless sign-in experience
- Coordinate login policy requirements early if your application depends on specific sign-in methods
- For SAML 2.0, use the published IdP metadata and configure ACS/Logout endpoints
- Use PKCE for public clients; confidential credentials for server‑side apps
- Implement token / assertion validation and handle refresh token rotation
- Contact YYDS for onboarding and configuration assistance
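As an added example of the client-side steps in the list above (the PKCE, token validation, and refresh-rotation items), the block below is illustrative code written for this page, not part of GDHacker IDS or its SDKs. It uses only the Python standard library; the endpoint URLs, client id, and claim values in the usage are placeholders, and JWT signature verification against the IdP's published JWKS is assumed to be done by a JOSE library before the claim checks shown here run.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh per-authorization verifier (43 chars from 32 random bytes) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint checks when the code is redeemed (constant-time compare)."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(challenge_for(presented_verifier), stored_challenge)


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, scope, state, nonce, challenge):
    """Authorization request for the code flow; state and nonce are fresh random values per request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class TokenValidationError(Exception):
    pass


def validate_id_token_claims(claims, issuer, client_id, expected_nonce, now=None, leeway=60):
    """Claim checks from OpenID Connect Core 3.1.3.7. Run only after the JWT
    signature has been verified against the IdP's JWKS (a JOSE library's job,
    not shown); claims read from an unverified token prove nothing."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise TokenValidationError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenValidationError("azp missing or wrong for multi-audience token")
    if claims.get("exp", 0) <= now - leeway:
        raise TokenValidationError("token expired")
    if "iat" not in claims or claims["iat"] > now + leeway:
        raise TokenValidationError("iat missing or in the future")
    if claims.get("nonce") != expected_nonce:
        raise TokenValidationError("nonce mismatch (possible replay)")
    return True


def apply_token_response(session: dict, response: dict, now=None) -> dict:
    """Refresh-token rotation on the client: each token response carries a new
    refresh token that replaces the stored one, which the IdP has just invalidated.
    Persist the new value before using it; a lost rotation means re-authentication."""
    now = time.time() if now is None else now
    session["access_token"] = response["access_token"]
    session["access_expires_at"] = now + int(response.get("expires_in", 0))
    if "refresh_token" in response:
        session["refresh_token"] = response["refresh_token"]
    return session


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    # Placeholder endpoint and client id; real values come from the IdP's discovery document.
    print(build_authorize_url("https://idp.example/authorize", "my-app",
                              "https://app.example/callback", "openid profile",
                              state, nonce, challenge))
```

Store `verifier`, `state`, and `nonce` in the user's session before redirecting; on the callback, reject the response unless `state` matches, redeem the code with the verifier, and feed the resulting ID token's claims to `validate_id_token_claims` with the saved `nonce`.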
Scope & Change Management
This identity service is the district‑authorized authentication gateway for integrated applications. Only applications approved by the district may delegate authentication to this service. Client registration and integration are managed following district policies.
Planned maintenance and configuration changes follow district change control procedures. Emergency fixes and security patches are applied as required to maintain service security and availability.
History & Credits
Originally developed by Leon Shao (webmaster@gdhacker.com) as a personal project, later forked and adapted for Great Falls Public Schools.
Developed and maintained by YYDS — Information Security Specialist. For deployment, integration, or security questions, contact webmaster@gdhacker.com.