IAM@HMC

What is the Identity and Access Management Initiative?

CIS launched an Identity and Access Management initiative in late 2011, after two years of exploration of technical options. The initiative, which we are calling IAM@HMC, is designed to address several issues:

  • We have multiple systems with separate User IDs and passwords. This can be very confusing and time consuming for users.
  • Account creation is currently a manual process requiring coordination between multiple departments within HMC and with other Claremont Colleges.
  • There is no programmatic way of providing access to resources for users with different roles.
  • Timely and accurate deactivation of accounts is also a manual process, and a challenge across the College.

In late 2011, HMC and CUC chose to partner with Fischer International for the IAM@HMC initiative, which has several components that will address the issues above. Shortly thereafter, we introduced HMC Credentials. The components of the project are being implemented in phases.

Phase 1 (completed January 2012)

  • Single Sign On (SSO) for Google Apps for Education (GAE) and Ultipro.
  • Design of HMC Credentials, to use a single User ID and password to log on to multiple systems.

Phase 2 (completed November 2013)

  • Initial setup of Password and Account Management Kiosk. (password self-service and security questions).
  • HMC Password Policy implemented in HMC password and account management portal, often referred to as the Password and Account Management Kiosk.
  • Password synchronization for Office365 and Active Directory to existing passwords for GAE and UltiPro.
  • Join InCommon.

Phase 3 (target completion May 2014)

  • Develop requirements document outlining processes for Identity management.
  • Build Source of Authority (SOA) combining information from CX and Ultipro.
  • Automated account provisioning and deprovisioning based on information from SOA.

Phase 4 (target completion June 2014)

  • Portal Single Sign On and Account Provisioning.
  • Activation of InCommon Federation for sites such NSF, XSEDE, Energy Sciences Network, and Educause.

Future Phases

  • High privilege access management for systems administration tasks. This will increase security on our systems.
  • Integration of Claremont Colleges Common Authentication System (CAS), which will allow us to use HMC Credentials across applications housed at other Colleges
  • Addition of other applications to the single sign on environment.
  • Development of two-factor authentication.