Project • On Schedule

Identity and Access Management (IAM)

The way we do business at SLAC is changing so that we can expand our impact in science and research. SLAC IT must create safe and efficient identity and access processes to support this growth and comply with federal mandates. The SLAC IAM Program provides the crucial infrastructure to comply with federal regulations while streamlining user access and account initiation. 

Keep reading to understand the various project components, milestones, compliance deadlines, and what this means for SLAC users, visitors, and managers.

IAM Program Overview

SLAC IT’s IAM Program consists of three critical domains. Within each, several related projects will implement a single sign-on experience and a modern, adaptable, and scalable user access infrastructure.

[Figure: SLAC's Current Identity and Access Management Program Overview]

[Figure: SLAC's Future Identity and Access Management Program Overview]

SLAC IAM Components


The SLAC IAM Program will accomplish several critical objectives:

  • Establish a single sign-on experience for all strongly affiliated SLAC staff.
  • Consolidate user accounts so there is just one Stanford/SLAC user account to manage per individual. 
  • Create universal user registration processes for SLAC staff, facility users, and visitors.
  • Modernize SLAC’s IAM infrastructure to be adaptable, scalable, and equipped to meet future research, mission objectives, and administrative needs.
  • Transition to systems and tools that are highly available, cloud-hosted, and geo-diverse.
  • Comply with federal, Department of Energy (DoE), and Stanford University requirements and industry best practices.

Identity Management includes usernames and devices, services, groups, and other unique online identifiers associated with SLAC users or systems. It also encompasses all aspects of identity creation, from initiating new user access to managing change processes, granting user access levels, authentication, and more.

Understand how SLAC defines person and device identity and how the IAM Program will simplify and improve our identity management processes.

Access Management refers to the process by which SLAC determines which individuals and systems need access to various applications, devices, and networks. Access control criteria are derived from an individual’s organizational affiliation or role or based on project needs.

The SLAC IAM Program will consistently and securely apply access control policies per best practices and lab needs. Under the new IAM infrastructure, administrators and managers from across the organization can better manage user groups, group definitions, and staff and facility access.

Role: Member(s)
Primary POC: Bruce Vincent
Project Manager: Erika Everingham
Information Technology: Michelle Jost, Erwin Lopez, Kevin Purcell, Ross Wilper

Project updates

People Onboarding

Onboarding Made Easier

Streamlined Onboarding & Single Sign-On (SSO)

The IAM Program is making it easier than ever to come to SLAC. The user onboarding process is simplified with a unified approach for onboarding new hires and facility users. Multiple identity systems are consolidated into one with single sign-on, automated permission granting, and two-way identity verification from approved partners. 

New hires and existing facilities users will access all SLAC systems with only a SUNET ID. This means everyone will get to work sooner in fewer steps.

SLAC Email Unix

Email Account Policies

UNIX Email Sunset

In partnership with SLAC IT Cybersecurity, the IAM Program is sunsetting the UNIX email application. New onboarding and entitlement policies will impact facility user sponsors and UNIX email account holders. Understand how this affects you and the available SLAC IT support to facilitate this transition.


Cardinal Key

Password-Less Authentication

Improve Your Login Experience with Cardinal Key

SLAC IT is excited to announce that SLAC Cardinal Key, a digital credential installed on devices that offers passwordless logins for Stanford applications, is now available on most SLAC-managed devices.


IAM Project Timeline
  • Completed
    UNIX Email End of Life

    November 1, 2023


  • Completed
    Cardinal Key Integration & SSO
  • In Progress
    SLAC Registration Portal Build

    November 30, 2023

    People who need to visit SLAC or use SLAC resources will have a new portal to request access and complete forms all in one place. 

  • In Progress
    Federation for SSH

    Visiting researchers and staff need access to certain applications while they're visiting. To ease access, this functionality will allow these visitors to use their home institution credentials to access these applications.

  • In Progress
    Grouper

    Grouper allows for role-based permissioning. Additionally, applications that are enrolled in Grouper will be able to use federated IDs (home institution credentials). For example, if a researcher comes to SLAC from the University of Tennessee and is sponsored by a SLAC employee, they will be able to use their utk.edu credentials to access approved applications.

  • Milestone
    YubiKey Service
  • Milestone
    Update Password Policy

    Final testing of forms and workflow for SLAC registration portal and training opportunities announced.

  • Milestone
    MFA for SSH
  • Milestone
    Stakeholder Training
  • Milestone
    Identity Access Management Portal & UFVA

    Shared two-way trust with Stanford University

  • Milestone
    Onboarding & User Federation Begins
  • Milestone
    Heimdal & Other Identity Systems Decommissioned
  • Milestone
    PeopleSoft Non-Employee Data Decommissioned
  • Milestone
    Full PeopleSoft Decommissioning
  • Milestone
    Onboarding & User Federation Concludes