Summary: Identity Management Is Coming to Your Campus: Lead, Follow, or Get Out of the Way

Cross-posted to http://www.educause.edu/blog/borwick/SummaryIdentityManagementIsCom/173004.

John Ellis, Heather Mugg, and Jesse Foley from Emory led this pre-conference workshop. Around 8-12 people attended.

Higher education has particular issues with identity management, because one person can play so many roles, e.g. an undergraduate student who then goes to med school and becomes a resident.

Emory received support for their identity management system partly due to a new CIO role who oversees their academic colleges as well as the medical school's IT. Emory has an "Enrollment Services" group that combines admissions, the registrar, and others.

Key takeaways for me included:

  • The account life cycle is extending to become "cradle to grave": institutions of higher education want to know about potential applicants as early as possible, and don't want to "forget" about people once they've left the school.
  • Authorization (that is, whether an authenticated user has access to a particular resource) should be decided by business units, not IT.
  • It is important to have a "person registry" that has accurate information about everyone possibly affiliated with the school. This should probably use a different ID number from any other system.
  • Duplicate records.
  • Identity management is a business issue, and less of a technology issue.
  • Alumni want access to University resources, e.g. requesting on-line transcripts after they have left. Should they still have a username and password? What access should be granted?
  • Policy is important. Someone needs to agree to a campus-wide identity management policy explaining who can do what, when.
  • Create a long-term identity management roadmap.
  • Campus libraries can be a strong ally in rolling out identity management, e.g. for inter-library loan.
  • Consider having a mechanism for tracking "persons of interest" who have not yet been hired, especially when they are faculty going to teach on-line courses in the fall and need to set up their course before their official start date.

Other interesting notes:

  • AAI stands for "authentication and authorization infrastructure".
  • How do you know how much access to give a high school student who needs access to Blackboard but not access to fraternity party notices?
  • Auditing/compliance could one day make things difficult: for Emory, 1 year's worth of logs would consume 9 terabytes.
  • Emory never deletes person IDs. If you have ever been issued an ID then it still exists.
  • The University of Georgia in Athens went from having 0 credits earned on-line five years ago to having 80% of their credits earned on-line today.
  • Emory is moving towards an Enterprise Service Bus approach for identity management requests, so systems no longer need views into the person registry database.
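
As an added illustration of the person-registry idea from the takeaways above (this is example code, not Emory's system or anything shown at the workshop): a minimal registry that mints its own ID separate from the student and HR system identifiers, accumulates roles over time without ever deleting a person, and leaves the access decision to a policy table the business units would own. The role names, source-system names and policy entries are made up for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Affiliation:
    role: str                # e.g. "undergraduate", "resident", "alumnus" (constructed names)
    source: str              # system of record that asserted it, e.g. "sis" or "hr"
    start: date
    end: date | None = None  # closed when the role ends; the record itself is never deleted

@dataclass
class Person:
    registry_id: str         # the registry's own ID, distinct from any source-system ID
    name: str
    source_ids: dict[str, str] = field(default_factory=dict)       # e.g. {"sis": "S-1001"}
    affiliations: list[Affiliation] = field(default_factory=list)

# Hypothetical policy table (business units, not IT, would own these entries):
# which currently active roles may reach which resource.
POLICY = {"lms": {"undergraduate", "medical_student", "resident"},
          "transcript_request": {"undergraduate", "medical_student", "alumnus"}}
class PersonRegistry:
    def __init__(self) -> None:
        self.people: dict[str, Person] = {}
        self._by_source: dict[tuple[str, str], str] = {}  # (source, source_id) -> registry_id

    def add_affiliation(self, source, source_id, name, role, start, registry_id=None):
        # Reuse the person when this source ID is already known, or when the caller
        # supplies a registry_id (e.g. HR onboarding a current student); else mint an ID.
        rid = registry_id or self._by_source.get((source, source_id))
        if rid is None:
            rid = f"PR-{len(self.people) + 1:06d}"   # safe because people are never deleted
            self.people[rid] = Person(rid, name)
        person = self.people[rid]
        person.source_ids[source] = source_id
        self._by_source[(source, source_id)] = rid
        person.affiliations.append(Affiliation(role, source, start))
        return rid

    def end_affiliation(self, rid, role, end):
        # Close the open affiliation for this role; history is kept, nothing is removed.
        for a in self.people[rid].affiliations:
            if a.role == role and a.end is None:
                a.end = end
    def active_roles(self, rid, on):
        return {a.role for a in self.people[rid].affiliations
                if a.start <= on and (a.end is None or on < a.end)}

    def authorized(self, rid, resource, on):
        return bool(self.active_roles(rid, on) & POLICY.get(resource, set()))
```

The same person walks the undergraduate, medical student, resident and alumnus path under one registry ID, while the SIS and HR identifiers stay linked rather than spawning duplicate records.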

See also:

  • The Burton Group for identity management research.
  • CIO.gov for information about levels of authentication (e.g. authentication requiring username/password vs. key fob or retinal scan).
  • InCommon for a federated identity management group.
  • Signet and Grouper are still good solutions, as is Shibboleth.
  • NMI-EDIT
  • OpenEAI