Program • On Schedule

Identity and Access Management (IAM)

The Identity and Access Management (IAM) Program is one essential part of the larger Zero Trust Architecture (ZTA) initiative currently underway to strengthen SLAC’s cyber posture. It is changing the way we do business at SLAC. 

Zero Trust is a security framework built on the principles of explicit verification, least privileged access, and breach assumption. IAM processes grant targeted access control and visibility for centrally managing resources. SLAC IT’s IAM Program includes multiple technologies and business processes, focusing on three critical areas:

  • One Identity Management System for SLAC: Uses multi factor authentication, providing users with a streamlined and easier login process.

  • Universal Registration Process via the New Identity Portal: Allows strongly affiliated personnel to use their home credentials for accessing necessary information.

  • Modernized Approach to Application Access/Entitlements: Grants access based on role and need, enhancing how IAM benefits the Lab.


How IAM Benefits the Lab

IAM benefits to SLAC

SLAC IAM Program Components

There are several related projects that will implement a single sign-on experience and a modern, adaptable, and scalable user access infrastructure. The graphic below illustrates the interrelated nature of these projects and specifies individual responsibilities. 

IAM consists of many related projects

Single sign-on (SSO) enables users to securely authenticate with multiple applications using one set of credentials. SLAC-owned applications with web-enabled SSO allow central provisioning for admins and secure, easy access to applications for users. 

Expect a new login experience for the applications that are web-SSO enabled. 

When SLAC Cardinal Key is installed on your device, select Stanford Login from the options provided.


New login experience for web-SSO enabled applications


Application administrators: Enroll your applications now! 


Join the Slack channel to stay up-to-date #slac-it-iam-community 

SLAC Cardinal Keys will simplify your login experience and provide stronger protection for your account. As SLAC expands the use of Cardinal Keys, they will become necessary for accessing applications. 

In alignment with Executive Order 14028 for ZTA and Identity and Access Management (IAM) compliance, everyone is encouraged to use a SLAC Cardinal Key for login.

Get Your SLAC Cardinal Key

Installation Instructions

SLAC is embarking on a transformative journey towards enhanced security and streamlined access through the adoption of YubiKeys. YubiKeys offer a robust second-factor authentication solution, bolstering the existing username and password credentials with an additional layer of security.

By embracing YubiKeys, SLAC aims to mitigate the risks posed by evolving cyber threats while providing its workforce with dependable authentication mechanisms. Starting June 19, the Service Desk is available to help distribute and set up YubiKeys. 

YubiKey User Guide

Remote workers can request their YubiKey here.

A YubiKey should be ordered for new employees as part of their onboarding hardware setup.

Instead of issuing credentials, federation allows SLAC to accept credentials from other institutions. This means that users can log into SLAC systems using their home institution email.

Strongly affiliated personnel and researchers who are coming to SLAC from trusted institutions can use their home institution credentials (Federated ID) to log into approved SLAC applications. 

Application administrators: Enroll your applications for federation now! 

Enable Federated Login Experience

New IAM Consultation Services

Office Hours

Every Tuesday starting June 11, 2024
1-2 PM PDT


Application administrators: Join the Slack channel #slac-it-iam-community to stay up-to-date.

Request Form

SLAC IAM Overview

SLAC’s IAM Program provides a structure for consolidating, monitoring, and dictating access to SLAC-owned information and systems. 

The SLAC IAM Program’s objectives are to:

  • Establish one identity system at SLAC, which includes all people who are affiliated with our work.
  • Create universal user registration processes for SLAC staff, facility users, and visitors.
  • Modernize SLAC’s IAM infrastructure to be adaptable, scalable, and equipped to meet future research, mission objectives, and administrative needs. The modernization includes multi-factor authentication for an improved user experience and enhanced role-based permissions.
  • Transition to highly available, cloud-hosted, and geo-diverse systems and tools.
  • Comply with federal, Department of Energy (DOE), and Stanford University requirements and industry best practices.

The Identity and Access Governance Council was established to oversee SLAC's IAM efforts. Learn more here.

Identity Management at SLAC includes usernames, devices, services, groups, and other unique online identifiers associated with users or systems. It encompasses all aspects of identity creation, from initiating new user access to managing change processes, granting user access levels, authentication, and more.

By implementing a secure, centrally managed universal access system, SLAC will enhance the user experience and streamline the onboarding process. 

Current Onboarding Process

The current onboarding process for new staff, strongly affiliated personnel, and researchers is complicated and cumbersome, requiring multiple forms, portals, and redundant data entry. The new centralized SLAC Identity Portal will be a one-stop solution for onboarding.

Future Onboarding Process

SLAC’s IAM Program is moving toward a streamlined future state where data is entered once in a single location, and applications will manage role-based access to SLAC-owned applications. This single source of information will increase visibility, improve onboarding efficiency, and support greater automation.

IAM will streamline onboarding

Access management/entitlements is the process of determining which individuals and which systems need access to various applications, devices, and networks. By automating permissions based on roles, we are making access management/entitlements more secure and more robust.

Based on role and job duties, people will be given access to applications and systems immediately, which means less downtime and secure access to the information they need.

Multi-Factor Authentication

One major tenet of Zero Trust is Multi-Factor Authentication (MFA). MFA is necessary for our Lab’s security posture and to keep all of our data, applications, and personal information safe. We will be rolling out a new approach to MFA to our employees this summer in the form of YubiKeys. By adding this piece of hardware to our endpoints, we are able to complete MFA more quickly and more securely than ever before.

Role: Member(s)
  • Primary POC: Bruce Vincent
  • Project Manager: Erika Everingham
  • Information Technology: Michelle Jost, Erwin Lopez, Kevin Purcell, Ross Wilper

Project updates

YubiKey

Primary Authentication Method

YubiKey Required

YubiKey will be the primary authentication method for employees. The deadline for all staff to adopt YubiKey is Sept. 30, 2024, when YubiKeys will also be required for international travel.  


Web-enabled Single Sign-On

Login changes on SLAC applications


SLAC applications will start to adopt this new sign-on feature. Once sites are SSO enabled, there will be a new login experience with an option of logging in using either SLAC or Stanford credentials. 


SLAC Cardinal Key

Password-Less Authentication

Improve Your Login Experience with Cardinal Key

SLAC IT is excited to announce that SLAC Cardinal Key, a digital credential installed on devices that offers passwordless logins for Stanford applications, is now available on most SLAC-managed devices.


SLAC UNIX Email

Email Account Policies

UNIX Email Sunset

In partnership with SLAC IT Cybersecurity, the IAM Program is sunsetting the UNIX email application. New onboarding and entitlement policies will impact facility user sponsors and UNIX email account holders. Understand how this affects you and the available SLAC IT support to facilitate this transition.


IAM Project Timeline
  • Completed
    Update Password Policy
  • Completed
    UNIX Email End of Life

    November 1, 2023


  • Available Now
    SLAC Cardinal Key

    Users: get your SLAC Cardinal Key now.

    Get SLAC Cardinal Key

  • Available Now for Free
    YubiKey

    The Service Desk will visit each building on campus to distribute a free YubiKey to each employee. YubiKeys will be available for a fee starting October 1, 2024.

    Request a YubiKey

  • Starting June 6, 2024
    Web-Enabled SSO for Application Administrators

    Enable web SSO for your applications for ease of use and compliance with the ZTA order.


  • Starting June 6, 2024
    Federation & Role-based Access/Entitlements

    Application administrators: Enable your application with these features to take advantage of streamlined access.

    Visiting researchers and staff need access to certain applications while they're visiting. To ease access, this functionality will allow these visitors to use their home institution credentials to access these applications. Additionally, these features will automate access based on role.

    Federated login experience

    Role-based access

  • TBD
    SLAC Identity Portal Build

    Sponsors of non-employees at SLAC will have a new portal to begin the onboarding process.

  • TBD
    Sponsors of Non-Employee Training
  • TBD
    Other Identity Systems Decommissioned

    In accordance with the ZTA Order, there is to be one identity management system at SLAC. All other identity management systems will be decommissioned by 2025.