...
Our IdM integrates with Banner, PeopleSoft, Kuali and other Systems of Record. For enterprise authentication we utilize CAS3 and are in the process of implementing CAS via Shibboleth version 3, and for federated authentication we utilize Shibboleth with CAS providing the user interface. Our IdM maintains LDAP and AD directories.
The overview of our IAM Services should give you an idea of our overall IAM infrastructure (overview).
...
Have you implemented federated directory? From the start?
We have been running a Shibboleth IdP service for many years and are members of the InCommon Federation. Shib is also used for authentication to Google Applications for Education. For a list of our Shib attribute release policies visit:
What are your account retention policies?
Accounts are never recycled and for most users, as long as they do no evil, their accounts can last for the rest of their lives. Our IAM identity management system has business rules that ensure that all accounts are subject to a life cycle. If a person is not currently in one of our SoRs, then she must annually renew her account since we have no other way to determine if she is still using it. We send reminder emails with an embedded renewal token.
How do you avoid duplicate identities?
We aren't entirely successful, but we are continually working toward reducing the rate of creation. Training and good IdM tools to help identify potential duplicates help. We have determined that the vast majority of duplicate entries are introduced by our student information system; the higher the number of foreign students (no SSN), the greater the chances of duplication. We are currently investigating the use of heuristics that identify new entries that have a high probability of duplication so that we may flag them for our Help Desk to follow up before we create a new record in our Person Registry.
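A sketch of one such pre-creation duplicate check, added here as an example and not the institution's own code. The page does not say which heuristics are under investigation, so the record fields, the name and date-of-birth weighting, the 0.75 threshold and the sample registry are all assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample registry; field names and values are assumptions.
REGISTRY = [
    {"id": "P001", "name": "María García López", "dob": "1998-04-12", "ssn": None},
    {"id": "P002", "name": "John Smith", "dob": "1990-01-30", "ssn": "000-00-0001"},
    {"id": "P003", "name": "Wei Zhang", "dob": "2001-11-03", "ssn": None},
]

def norm(name):
    """Strip accents and punctuation, lowercase, and sort tokens so that
    'Lopez Garcia, Maria' and 'María García López' compare equal."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    return " ".join(sorted("".join(c if c.isalpha() else " " for c in s).split()))

def dob_score(a, b):
    """1.0 for identical dates, 0.5 for a day/month transposition, else 0."""
    if a == b:
        return 1.0
    (ya, ma, da), (yb, mb, db) = a.split("-"), b.split("-")
    return 0.5 if (ya, ma, da) == (yb, db, mb) else 0.0

def score(new, old):
    # Assumed rule: when both records carry an SSN it decides the match.
    if new["ssn"] and old["ssn"]:
        return 1.0 if new["ssn"] == old["ssn"] else 0.0
    # Otherwise (e.g. foreign students) fall back to name + date of birth.
    name = SequenceMatcher(None, norm(new["name"]), norm(old["name"])).ratio()
    return round(0.6 * name + 0.4 * dob_score(new["dob"], old["dob"]), 3)

def flag_duplicates(new, registry=REGISTRY, threshold=0.75):
    """Return (id, score) for registry entries to send to manual review
    before a new person record is created; empty list means proceed."""
    hits = [(r["id"], score(new, r)) for r in registry]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

if __name__ == "__main__":
    incoming = {"name": "Lopez Garcia, Maria", "dob": "1998-04-12", "ssn": None}
    print(flag_duplicates(incoming))
```

A hit only queues the entry for human follow-up; the score is not a basis for merging records automatically.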