SSO, FERPA, and Compliance: What Universities Need from Research SaaS
An IT and procurement checklist for evaluating research SaaS platforms. Covers SSO/SAML, FERPA, SOC 2, data residency, HECVAT, accessibility, and how to run a security review.
University IT teams need research SaaS that meets SSO, FERPA, SOC 2, and accessibility requirements. This guide provides a practical evaluation checklist and explains higher-ed-specific compliance considerations.
If you work in university IT, information security, or procurement, you know that adopting new software is never as simple as finding a tool that researchers like. Every SaaS platform that touches institutional data must pass through a gauntlet of security reviews, compliance checks, and contractual negotiations. For research-focused tools — which may handle student work, unpublished data, and federally funded project outputs — the requirements are particularly stringent.
This guide provides a practical checklist for evaluating research SaaS platforms, with a focus on the requirements that are specific to higher education.
Single sign-on is not optional for institutional software. Universities run centralized identity systems, and any tool that requires a separate username and password creates security risk, help desk burden, and user friction.
What to Require
- SAML 2.0 support — the standard protocol for enterprise SSO in higher education
- Shibboleth compatibility — many universities use Shibboleth as their SAML identity provider, particularly those in the InCommon federation
- Azure AD / Entra ID integration — increasingly common as universities move to Microsoft 365
- Okta support — used by a growing number of institutions, especially in the US
- SCIM provisioning — automated user creation and deactivation based on directory changes (critical for managing accounts when students graduate or employees leave)
- MFA enforcement — the platform should respect the institution's MFA policies, not bypass them
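Several of these requirements can be verified during the vendor's SSO test rather than taken on trust. The following is an added example, not code from the article or from PapersFlow: a small Python checker a university IT reviewer can run over a SAML 2.0 assertion captured from the test login, confirming that it came from the institution's IdP, is scoped to the vendor's service provider, has a short validity window, and carries an authentication context showing the IdP actually enforced MFA. The assertion, entity IDs and timestamps are constructed placeholders. Signature verification is assumed to be handled by the vendor's SAML library and is deliberately outside this check.

```python
"""
Added example (not from the original article): review the contents of a
SAML 2.0 assertion against the SSO checklist above.  Signature verification
is assumed to be done by the service provider's SAML library and is not
repeated here; this script only exercises the assertion's claims.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Context classes that signal MFA was performed: the REFEDS MFA profile
# (used across the InCommon federation) and Entra ID's multiple-authn claim.
MFA_CONTEXT_CLASSES = {
    "https://refeds.org/profile/mfa",
    "http://schemas.microsoft.com/claims/multipleauthn",
}

# Long-lived assertions widen the replay window; flag anything over this.
MAX_VALIDITY = timedelta(minutes=10)

# Constructed sample assertion; the issuer, audience and user are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" IssueInstant="2024-01-15T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example-university.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example-university.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T11:59:00Z" NotOnOrAfter="2024-01-15T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://research-saas.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-15T11:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return a dict mapping each checklist item to True (pass) or False (fail)."""
    root = ET.fromstring(xml_text)
    findings = {}

    # The assertion must come from the institution's own IdP, not a third party.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    findings["issuer_is_institution_idp"] = issuer == expected_issuer

    # Audience must be exactly the vendor's SP so the token cannot be replayed elsewhere.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    findings["audience_restricted_to_sp"] = audiences == [expected_audience]

    # Validity window must be present, current, and short.
    conditions = root.find("saml:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_before and not_on_or_after:
        nb, noa = parse_saml_time(not_before), parse_saml_time(not_on_or_after)
        findings["within_validity_window"] = nb <= now < noa
        findings["validity_window_short"] = (noa - nb) <= MAX_VALIDITY
    else:
        findings["within_validity_window"] = False
        findings["validity_window_short"] = False

    # The IdP must record that MFA was performed; a platform that accepts
    # password-only contexts is bypassing the institution's MFA policy.
    classes = {c.text for c in root.findall(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)}
    findings["mfa_asserted_by_idp"] = bool(classes & MFA_CONTEXT_CLASSES)
    return findings


def review_passes(findings):
    """True only when every checklist item passed."""
    return all(findings.values())


if __name__ == "__main__":
    result = review_assertion(
        SAMPLE_ASSERTION,
        expected_issuer="https://idp.example-university.edu/idp/shibboleth",
        expected_audience="https://research-saas.example.com/sp",
        now=datetime(2024, 1, 15, 12, 0, 30, tzinfo=timezone.utc),
    )
    for check, ok in result.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Run it against an assertion captured from the vendor's test tenant (with `now` set to the capture time) and any FAIL line is a concrete finding to raise with the vendor; an assertion lacking an audience restriction or an MFA context class is the most common one.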
Frequently Asked Questions
- Does FERPA apply to research tools used only by faculty?
- It depends. FERPA protects student education records, so if the tool is used only by faculty for their own research (no student data), FERPA is typically not triggered. However, if students use the platform as part of a course, or if student names, grades, or identifiers are stored in the system, FERPA applies. Many universities apply FERPA requirements broadly to all SaaS as a risk management strategy, even when strict applicability is uncertain.
- What is HECVAT and why do vendors need to complete it?
- HECVAT (Higher Education Community Vendor Assessment Toolkit) is a standardized security questionnaire developed by EDUCAUSE and Internet2. It replaces the need for each university to create its own questionnaire, saving time for both vendors and institutions. There are two versions: HECVAT Lite (for lower-risk tools) and HECVAT Full (for tools handling sensitive data). Most university procurement offices will not proceed without a completed HECVAT.
- Can a vendor without SOC 2 certification still be approved?
- Technically yes, but it adds significant friction. Without SOC 2, the university's security team will typically require a more extensive review — including detailed architecture documentation, penetration test results, and possibly an on-site audit. Many universities have a policy of requiring SOC 2 Type II for any tool that handles institutional data. Smaller vendors can sometimes use alternative evidence (ISO 27001, a completed CAIQ, or independent security audit reports), but expect the procurement process to take longer.