As part of Penn’s Identity & Access Management (IAM) program, Penn’s core IAM infrastructure is undergoing a re-engineering to replace decades-old, custom-built identity management systems and processes with a standards-based, modern solution to strengthen Penn’s overall security posture and ability to comply with emerging global regulatory requirements. The new Penn Community (with SailPoint IIQ as the underlying identity engine) will be implemented in phases (see Timeline).
Who’s Affected
As this project is infrastructure-based, there will be minimal disruption for existing PennKey holders – users will continue to access their Penn resources as before when the re-engineering is complete. The audiences affected by the project are source data owners (identity source systems), target system owners (consumers of Penn Community data), and ISC IAM-related service owners. The IAM project team will collaborate with representatives from these groups through all phases of the project (see Stakeholders and Project Participants).
Phase 1 rollout was completed November 12-15, 2021 and included the implementation of SailPoint Identity IQ (IIQ) as the underlying identity engine for Penn Community. The affected audience was limited to Penn Community administrators and University personnel supporting identity conflict resolution (approximately 10 staff; Admissions, Alumni, HR, etc.). The new solution runs on a Penn-dedicated infrastructure hosted by Amazon Web Services (AWS), providing a flexible architecture that can grow with the University. Phase 1 rollout included the following:
- The new Penn Community (powered by SailPoint IIQ) populated with source/historical data
- PennIDs created by the new Penn Community
- Legacy Penn Community became a consumer of the new Penn Community powered by SailPoint IIQ; legacy Penn Community remains in place during migration of consumers; no “big bang” transition
- Persistent Bulk Load user access was deactivated; as of November 15, 2021, the Penn Community support team is handling persistent bulk requests until the new, improved service is available on the new SailPoint IIQ platform (mid-2022)
More details are available on the Penn Community website.
Post-Live Support
- Issues can be submitted through ISC’s Client Care (help@isc.upenn.edu)
In Phase 2 (2022-2023), we will leverage our new identity management system’s capabilities to improve the security and efficiency of University-wide identity and access management processes in phased functional releases. Goals include:
- Implementing the future-state design for identity management
- Deploying infrastructure to support future access management capabilities
- Retiring legacy Penn Community (longer-term goal)
Phase 2 includes improvements in the following areas:
- User Experience
  - Dramatic improvements for new PennKey creation and password resets
  - Replacement of custom-built user registration and maintenance pages with vendor products
- Security
  - Two-Step Verification overhaul – direct integration with Duo Services, retirement of custom Penn middleware/layers
  - Tighter controls on registration
  - Ability to rapidly adopt emerging authentication technologies to keep pace with evolving security challenges
  - Improved UI and functionality for PennKey administrators
  - Continued prototyping of “passwordless”/FIDO2-based authentication
- Efficiency
  - Continued improvements in the delivery of cleaner identity data across Penn systems
  - Lower effort for future enterprise software integrations
  - Adaptive rules and controls for entering and managing identity data
  - Robust auditing and logging of all identity transactions
Areas of new functionality will include:
- Auditing and reporting of identity updates and security events
- Phased integrations with key, business-critical University systems to provide automated, rules-based provisioning and de-provisioning of user accounts and access privileges
Benefits
Following are the benefits of the project:
- Enhance security by assigning privileges automatically based on known user identity data and predefined rules
- Provide an audit trail for – and periodic recertification of – user access rights to ensure users have the correct privileges and to explain how and why they receive them
- Provide significant user experience improvements and an accelerated onboarding process
- Streamline request-approval processes and automate account de-provisioning
- Speed application development with modern identity and access APIs and tools
- Integrate with on-premises or cloud-hosted applications and/or frameworks to provide real-time provisioning and de-provisioning of user accounts and identity data to partners inside and outside of Penn