Identity and Access Management (IAM)
The way we do business at SLAC is changing so that we can expand our impact in science and research. SLAC IT must create safe and efficient identity and access processes to support this growth and comply with federal mandates. The SLAC IAM Program provides the crucial infrastructure to comply with federal regulations while streamlining user access and account initiation.
Keep reading to understand the various project components, milestones, compliance deadlines, and what this means for SLAC users, visitors, and managers.
IAM Program Overview
SLAC IT’s IAM Program consists of three critical domains. Within each, several related projects will implement a single sign-on experience and a modern, adaptable, and scalable user access infrastructure.
SLAC IAM Components
The SLAC IAM Program will accomplish several critical objectives:
- Establish a single sign-on experience for all strongly affiliated SLAC staff.
- Consolidate user accounts so there is just one Stanford/SLAC user account to manage per individual.
- Create universal user registration processes for SLAC staff, facility users, and visitors.
- Modernize SLAC’s IAM infrastructure to be adaptable, scalable, and equipped to meet future research, mission objectives, and administrative needs.
- Transition to systems and tools that are highly available, cloud-hosted, and geo-diverse.
- Comply with federal, Department of Energy (DoE), and Stanford University requirements and industry best practices.
Identity Management includes usernames and devices, services, groups, and other unique online identifiers associated with SLAC users or systems. It also encompasses all aspects of identity creation, from initiating new user access to managing change processes, granting user access levels, authentication, and more.
Understand how SLAC defines person and device identity and how the IAM Program will simplify and improve our identity management processes.
Access Management refers to the process by which SLAC determines which individuals and systems need access to various applications, devices, and networks. Access control criteria are derived from an individual’s organizational affiliation or role or based on project needs.
The SLAC IAM Program will consistently and securely apply access control policies per best practices and lab needs. Under the new IAM infrastructure, administrators and managers from across the organization can better manage user groups, group definitions, and staff and facility access.
ROLE | MEMBER(S) |
---|---|
Primary POC | Bruce Vincent |
Project Manager | Erika Everingham |
Information Technology | Michelle Jost, Erwin Lopez, Kevin Purcell, Ross Wilper |
Project updates
Onboarding Made Easier
Streamlined Onboarding & Single Sign-On (SSO)
The IAM Program is making it easier than ever to come to SLAC. The user onboarding process is simplified with a unified approach for onboarding new hires and facility users. Multiple identity systems are consolidated into one with single sign-on, automated permission granting, and two-way identity verification from approved partners.
New hires and existing facilities users will access all SLAC systems with only a SUNET ID. This means everyone will get to work sooner in fewer steps.
Email Account Policies
UNIX Email Sunset
In partnership with SLAC IT Cybersecurity, the IAM Program is sunsetting the UNIX email application. New onboarding and entitlement policies will impact facility user sponsors and UNIX email account holders. Understand how this affects you and the available SLAC IT support to facilitate this transition.
Password-Less Authentication
Improve Your Login Experience with Cardinal Key
SLAC IT is excited to announce that SLAC Cardinal Key, a digital credential installed on devices that offers passwordless logins for Stanford applications, is now available on most SLAC-managed devices.
- Completed: Cardinal Key Integration & SSO
- In Progress: SLAC Registration Portal Build
  November 30, 2023
  People who need to visit SLAC or use SLAC resources will have a new portal to request access and complete forms all in one place.
- In Progress: Federation for SSH
  Visiting researchers and staff need access to certain applications while they're visiting. To ease access, this functionality will allow these visitors to use their home institution credentials to access these applications.
- In Progress: Grouper
  Grouper allows for role-based permissioning. Additionally, applications that are enrolled in Grouper will be able to use federated IDs (home institution credentials). For example, if a researcher comes to SLAC from the University of Tennessee and is sponsored by a SLAC employee, they will be able to use their utk.edu credentials to access approved applications.
- Milestone: Yubikey Service
- Milestone: Update Password Policy
  Final testing of forms and workflow for SLAC registration portal and training opportunities announced.
- Milestone: MFA for SSH
- Milestone: Stakeholder Training
- Milestone: Identity Access Management Portal & UFVA
  Shared two-way trust with Stanford University
- Milestone: Onboarding & User Federation Begins
- Milestone: Heimdal & Other Identity Systems Decommissioned
- Milestone: PeopleSoft Non-Employee Data Decommissioned
- Milestone: Full PeopleSoft Decommissioning
- Milestone: Onboarding & User Federation Concludes