Initiative 10: Identity Management and Single Sign-on

Establish an identity management program to improve the efficiency of user account administration, increase information security, improve collaboration and simplify access to resources and data.

Identity management generally refers to the procedures involved in establishing a person’s identity and providing access to information technology assets (e.g., data, network resources, and other restricted hardware and software) on the basis of that identity. All constituents of UNLV have multiple attributes that define the different roles they have with the university. For example, a single individual has a name, a campus address, employment dates and degrees; the individual may also be a faculty member, a tenured faculty member, a member of the School of Architecture, a member of the College of Fine Arts, an academic advisor, a principal investigator on a federal grant, a supervisor of other employees, etc. These roles are used to determine which resources a person can access, to target information to members of specific groups, and to facilitate complex automated services.

The current environment

The university currently uses several different approaches to manage identities and provide access to campus resources, thereby creating an IT environment where:

  • Multiple systems independently manage identities
  • Identity information is stored in multiple places
  • Individuals have multiple identities, sometimes even within the same system

This fragmented approach to identity management poses several challenges:

  • Separate identities create a variety of security risks
  • Accessing necessary IT services is more difficult
  • Significant time and effort are required to connect information in different systems

The current systems also lack the automation necessary to keep identity information consistent across campus systems. For more information about the identity management environment at UNLV, including examples involving university applications, see Appendix 10A.

Establishing an identity management program

To manage identities and access, UNLV must establish an identity management program. The program requires the development of new processes and the implementation of several new technologies to create and sustain identity and access privileges until they are no longer needed.

UNLV has recently procured an enterprise-level identity management suite and is in the process of initial deployment. The implementation will occur in phases. Phase 1, to be completed by June 2016, includes the following features:

  • A single ID and password for multiple campus systems
  • Establishment of general user groups (e.g., academic staff, faculty, administrative staff, students)
  • Federated identity functionality to provide access to national research and library resources

Subsequent phases of the identity management program include further development of user groups to support a more granular level of role-based identity management. See Appendix 10B for a three-year identity management implementation roadmap.

Identity management and iNtegrate 2

NSHE’s iNtegrate 2 initiative will have significant impact on UNLV’s identity management program (see Initiative 9). The human resources module of the new iNtegrate 2 system (i.e., human capital management in Workday) will be the authoritative source of data for many of the attributes that identify university employees. The identity management roadmap reflects these dependencies by deploying features dependent on robust employee data to later phases in the implementation. These interdependencies will need to be managed as the iNtegrate 2 initiative develops.

Supporting Top Tier research and academic initiatives

Establishing an identity management system at UNLV will make it possible to provide resources to academics, researchers, and other university personnel that will enhance their productivity and ability to collaborate with others from around the globe. The new system will also provide direct support for ongoing academic and research goals established to achieve Top Tier status. For example, to increase collaborative research with other U.S. higher education institutions, UNLV has joined the InCommon Federation, an organization providing services that allow its members to share a common framework for trusted access to online resources in support of research and education. Not having to populate users and passwords for every system saves considerable expense and time in inter-institutional collaborations. Through InCommon, users are provided single sign-on convenience and privacy protection. One hundred and five of the 108 Carnegie Research Very High institutions, as well as many non-profit grant funding agencies, are members of the InCommon Federation.

UNLV’s membership in the InCommon Federation made it possible for the university to join the HathiTrust, a partnership between academic and research institutions offering a collection of millions of titles digitized from libraries around the world. Since July 2015, students and faculty have been able to access the collection using InCommon identity management services. The National Science Foundation (NSF) also permits researchers to log in to the NSF research.gov database using InCommon identities. Additional information about the resources available to the UNLV community through the InCommon Federation can be found at: https://it.unlv.edu/incommon/information.

Single sign-on

Single sign-on is the most commonly cited new service requested by students, faculty, and staff. The comprehensive identity management system being implemented will facilitate a single sign-on environment where each user’s unique ID and password will provide access to multiple applications based on the user’s profile. Reducing the number of logins and passwords will:

  • Increase student and employee satisfaction with technology services
  • Strengthen the university’s security posture
  • Ease the introduction of new applications (e.g., iNtegrate 2, document management)
  • Better support the increasing presence of mobile devices on campus

Single sign-on will also ease the administrative burden for technology staff tasked with managing user access on an application-by-application basis throughout the user’s association with the university. From a security perspective, managing identities centrally strengthens the ability to apply controls across multiple applications simultaneously (e.g., enforcing strong password requirements) and reduces the risk of unauthorized access (e.g., from failing to remove an employee from every campus application upon separation from the university).

Account policies

The establishment of a successful identity management program requires the development of policies that define how user accounts are created, maintained, modified, and terminated. Additionally, the university will need to create a group identity for individuals with similar functions (e.g., administrative assistants, data analysts, faculty) and assign access privileges to enterprise systems (e.g., WebCampus, MyUNLV) based on group membership. Defining these groups and privileges requires collaboration among multiple departments/units as well as distributed and centralized technical units.

In addition to these groups and privileges, the university will need to establish policies and procedures for requesting, approving, modifying, and terminating user access, as well as for regularly auditing group membership for the appropriateness of access privileges. Throughout the implementation of this initiative, the Technology Advisory Committee (TAC) will be responsible for ensuring that any barriers to progress are identified and resolved in a timely manner (see Initiative 1).
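The group-based access model, the separation risk and the periodic membership audit described above can be expressed as a small reconciliation check. The following is an added illustration, not code from the UNLV program or its identity management suite; the group-to-system mapping, the attribute names and the people and provisioning records are constructed sample data.

```python
"""Derive group membership from authoritative attributes and audit actual access against it."""
from dataclasses import dataclass

# Constructed mapping (hypothetical): which enterprise systems each group is entitled to.
GROUP_ENTITLEMENTS = {
    "faculty": {"WebCampus", "MyUNLV"},
    "academic_staff": {"MyUNLV"},
    "administrative_staff": {"MyUNLV", "document_management"},
    "students": {"WebCampus", "MyUNLV"},
}

@dataclass
class Person:
    netid: str
    attributes: dict      # attributes drawn from the authoritative source (e.g., HR)
    active: bool = True   # False once the authoritative source records a separation

def derive_groups(person):
    """Group membership follows from authoritative attributes; a separated person is in no group."""
    if not person.active:
        return set()
    groups = set()
    if person.attributes.get("employee_type"):
        groups.add(person.attributes["employee_type"])
    if person.attributes.get("enrolled"):
        groups.add("students")
    return groups

def expected_access(person):
    """Union of the entitlements of every group the person belongs to."""
    return set().union(*(GROUP_ENTITLEMENTS.get(g, set()) for g in derive_groups(person)))

def audit(people, provisioned):
    """Compare what each application actually grants with what the attributes justify.
    Returns (netid, system, finding) tuples: 'orphaned' access should be removed,
    'missing' access was never provisioned."""
    findings = []
    for p in people:
        expected, actual = expected_access(p), provisioned.get(p.netid, set())
        findings += [(p.netid, s, "orphaned") for s in sorted(actual - expected)]
        findings += [(p.netid, s, "missing") for s in sorted(expected - actual)]
    return findings

# Constructed sample: bob has separated but was never removed from two applications.
SAMPLE_PEOPLE = [Person("alice", {"employee_type": "faculty"}),
                Person("bob", {"employee_type": "administrative_staff"}, active=False),
                Person("carol", {"enrolled": True})]
SAMPLE_PROVISIONED = {"alice": {"WebCampus", "MyUNLV"},
                      "bob": {"MyUNLV", "document_management"}, "carol": {"WebCampus"}}

def run_sample():
    return audit(SAMPLE_PEOPLE, SAMPLE_PROVISIONED)
```

Running the audit over the sample flags bob's two leftover entitlements as orphaned and carol's absent MyUNLV access as missing; an annual run of the same comparison against real application records is the audit the action items call for.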

Relationship to data management

Determinations about what access is appropriate and what attributes constitute a defined role on campus are required to implement components of the identity management system. Decisions about who has access to UNLV data and the extent of that access are the purview of campus data stewards. Consequently, progress on the provision of role-based access to campus systems will require the assistance of those involved in the campus data governance effort (see Initiative 13).

Initiative Owner

  • President

Consultative Role

  • Technology Advisory Committee
  • Office of Information Technology (OIT)
  • Data Governance Groups

Budget Estimate

Existing UNLV resources have been identified for the first phase of the initiative. An additional $200,000 will be required to complete the implementation. After the implementation is completed, one new position (approximately $85,000 plus benefits) will be required to maintain and expand the system.

Action Items to Implement Initiative

  1. Complete the initial Identity Management implementation.
  2. Implement Identity Management Phase 2 - See Appendix 10B for details.
  3. Implement Identity Management Phase 3 - See Appendix 10B for details.
  4. Provide single sign-on to UNLV applications where appropriate.
  5. Develop a process for determining the authoritative source for data used to populate the identity management system.
  6. Annually assess procedures that define how users within the identity management system are managed (e.g., added, maintained, modified, terminated).
  7. Establish procedures to add groups to the identity management system and define access privileges.
  8. Annually audit group membership for accuracy and appropriateness of access privileges.

Anticipated Benefits

  • Fewer logins needed to access university resources.
  • Data security and appropriate access to university systems and resources are easier to manage.
  • Simplifies access to research resources and library collections at other higher education institutions.
  • Facilitates collaboration with research colleagues at other institutions.
  • Improved security and privacy for the UNLV community.
  • Expedited implementation of new systems.
  • Easier implementation of some cloud-based and external services.

Measures of Success

  • Number of UNLV systems utilizing identity management.
  • Additional services available through InCommon credentials.
  • Number of UNLV systems available through single sign-on.
  • Satisfaction with account management services.
  • Decrease in number and criticality of audit findings regarding access privileges.

Contextual Information

Other relevant research

Figure 10-1 below provides a summary of the relationship between the identity management capabilities of several higher education institutions and the importance of the benefits realized through identity management programs. The upper-right quadrant includes benefits that are most important for those institutions that had the highest capability ratings. To provide more support for the academic and research needs of a high research activity institution, UNLV needs to strive to provide identity management services found in the upper-right quadrant, such as ID proofing confidence (trust factors needed to become part of research collaboratives, etc.). To better serve users, improve security, and address audit findings, UNLV needs to provide services such as reduced or single sign-on, immediate new-user enablement, and immediate deprovisioning on user departure.

Figure 10-1 Identity Management Benefits

The data is based on research released in 2011. Source: https://library.educause.edu/~/media/files/library/2011/6/ecs1102-pdf.pdf (p. 12)