How DI4OL works

• Authenticate digital identity
• What schools need to do
• What learners need to do

Authenticate digital identity

Most learners have a personal account with organisations such as Google (Gmail), Apple (iCloud), Microsoft Office 365, or the Department of Internal Affair’s RealMe. These accounts are identity providers.

Learners also have a school account (Google Workspace for Education, Microsoft Office 365 for Education) and access it using their school user ID and password.

When learners add their personal account via DI4OL, they will gain access to digital applications that were established with their school account.

Learners will authenticate their digital identity using their school account while still enrolled at school.

About the Education Sector Login (ESL) Service

The Ministry of Education, Te Tāhuhu o te Mātauranga has been running the ESL service for about 10 years.

ESL currently uses the ‘Microsoft Azure B2C’ federated identity broker but also requires additional components to handle a number of legacy applications and protocols. In the future, we aim to migrate these legacy applications and merge with the new DI4OL federated identity broker.

For more information, see Education Sector Logon (ESL) | Applications and Online Systems(external link).

About the National Student Number (NSN)

The Education and Training Act (2020) authorises the use of the National Student Number (NSN) by specified users for specified purposes. The existing NSN will be used as the unique identifier across education systems where there is a clear and approved business justification for this.

For more information, see National Student Numbers - Education in New Zealand(external link).

What schools need to do

To use the DI4OL service, there are a few things schools need to do. 

• Schools must opt in.
• Schools must be able to connect to the DI4OL identity broker. To do this schools must have a cloud identity provider (either Google Workspace for Education or Microsoft O365 for Education). This can be in addition to their on-premise IT environment. 
• If they have an on-premise Active Directory, they must be synchronising this to their cloud identity provider. The synchronisation parameters must include the NSN, date of birth, and other standard attributes such as name and email address. Technical staff at The Ministry of Education, Te Tāhuhu o te Mātauranga can assist with this if required.

What learners need to do

It is a good idea for learners to link one or more of their personal accounts (Google Gmail, Apple iCloud, Microsoft Office 365 or RealMe) to their school account (Google Workspace for Education, Microsoft O365 for Education) before they leave school. Doing this allows the verified status of their school account to be passed on to their personal identity accounts.

This enables learners to use their personal identity account to access their Record of Achievement and other NZQA applications after they leave school, and after their school account is deleted. 

If a learner does not link their personal identity account before their school account is disabled, The Ministry of Education, Te Tāhuhu o te Mātauranga will set up a verification service to permit someone to register a personal account and “claim” back their NSN. Our intention is to enable a learner to re-register using the RealMe verified service and claim back their NSN. Access to their Record of Achievement could then be established.

Last reviewed: 04 May 2023 Has this been useful? Give us your feedback