
IT Strategic Initiative: Identity and Access Management

Overview

[Figure: Visual overview of the IAM policy and governance]

Identity and Access Management (IAM) is a framework that facilitates the management of electronic identities. This framework distinguishes access for faculty, staff, students, affiliates, and guests to University systems and services. Northwestern IT is investing substantially in IAM to better support our ever-increasing dependence on the online services used in daily work at Northwestern University. To learn more about IAM, read “What is Identity and Access Management”.

This initiative grew out of significant community interest and input gathering on a fundamental core administrative service for managing identities, as reported in “Identity and Access Management” (full and abridged versions). This report outlines many of the drivers in this area, the history that has led us to our current state, and recommendations for how best to move forward with these important information services.

Background

The IAM “system” at Northwestern today is not a single system, but a collection of applications: 

  1. Core Identity Management (IdM) system (NUValidate) – stores and manages identities based on NetIDs and personal data from authoritative identity sources such as the Faculty and Staff Information System (myHR) and the Student Enterprise System (SES);

  2. Identity directories and authentication services (e.g., LDAP, Microsoft Active Directory, and Kerberos) – authenticate users requesting access to business applications;

  3. Physical identity system (the WildCARD system) – provides proof of identity for access to buildings, events, etc.;

  4. Directory synchronization utility (Radiant Logic) – keeps data in multiple Active Directory domains synchronized;

  5. Web Single Sign-on (SSO) system – lets a user sign in once with NetID credentials and reach multiple Northwestern University web applications without logging in again for each one;

  6. Federation services (e.g., Shibboleth) – allow people at trusted affiliate, partner, or peer institutions to use their home institution’s credentials to gain access to Northwestern systems and services;

  7. Multi-factor Authentication (MFA) service – adds a second factor beyond the password (an application on a registered smartphone, or answering a phone call) so that a NetID password alone is not enough to reach protected information should someone learn that password;

  8. “Identity Provider” bridge service – enables login either with an active Northwestern identity or with an external social account (Gmail, Yahoo, Microsoft). This is currently used by alumni for access to the Our Northwestern system and by guest patrons of the Northwestern Library.

Goals

To start, high-level goals for this initiative include:

  1. Restructuring Identity Management – replacing systems (such as NUValidate), implementing new services, and revising the processes and integration between our systems.
  2. Integrating Access Management with Identity Management – connecting identity (who you are) with access (what you can do) for more seamless access across University systems and reducing the overhead associated with access management.
  3. Optimizing Levels of Assurance and Trust – better defining and ensuring trust in the University’s electronic credentials through the addition of multi-factor authentication, associating electronic identities to actual persons through onboarding process verification, and by extending our web of trust to include others through federations, such as the InCommon Federation service.

Projects

Current projects connected to this initiative include:

  1. The selection and replacement of the NUValidate Identity Management System
  2. SSO Projects
    1. The upgrade of our SSO solution from OpenAM v11 to v13
    2. The expansion of SSO implementation to include more systems
  3. The rollout of Multi-factor Authentication (MFA) to multiple systems, to protect high-risk transactions. This also includes the integration of SSO with MFA to improve the user access experience.
  4. The expansion of the Identity Provider bridge service for continued use by Our.northwestern.edu and the NU Library’s Ex Libris Alma launch, and then extending it to other Northwestern service providers.

IAM Initiative Contacts

Phil Tracy, Manager, Identity Services, Northwestern Information Technology

Last Updated: 31 October 2017
