IAM Services and Related Resources

Our mission statement:

Provide, support and advocate authentication, authorization and related middleware solutions for securing UH on-line services.

Our IT community forum: App Developers Forum

Introduction

The University of Hawai'i Identity Management System (UHIMS) collects, consolidates and makes available information concerning people associated with the University. This allows UH to establish and manage a single centralized repository of person information and to provide a single, unique identity for each person, even as that person's relationship with UH changes over time. Additionally, UHIMS gives UH the ability to automatically enable and disable access to online resources, such as email, Laulima, eCafe, and lab computers.

One of the early accomplishments of UHIMS was to establish the UH Number as a replacement for the Social Security Number (SSN) in order to better protect our community from identity theft. The UH Number is sometimes referred to as the "employee ID number" or the "student ID number." Whether a person is a student, faculty, staff, affiliate, ohana, retiree, or some combination of these, that person has exactly one UH Number, and it is properly called the "UH Number." Closely associated with the UH Number is a UH Username. The UH Username, along with a unique password of your choice, will be your key to using the University's online resources.

As a member of the UH community, one sometimes moves through many roles and may even hold multiple roles at once. UHIMS tracks a person's roles to help ensure that each person has access to the appropriate online resources and services. Additionally, UHIMS sends an email notification to each person when a role change is detected. These notifications explain how the role change affects one's access to services, one's listing in the UH Online Directory, etc.

Identity and Access Management (IAM) services are supported by the IAM group. Please email the IAM team if there are any questions.

Identity Functions

Identity Management

  • User Lifecycle Management: Creation, updating, and deletion of user identities across systems, ensuring each individual has the correct access for their role.

  • Authentication Services: Mechanisms to verify user identities, such as passwords, multi-factor authentication (MFA), and biometrics.

  • Directory Services: Centralized repositories (e.g., LDAP or Active Directory) for storing and managing identity data.

  • Access Management: Assigning and enforcing permissions and roles to users for systems and resources.

  • Self-Service Features: Tools for users to reset passwords, update personal information, or request access.

Identity Governance

  • Access Control Policies: Establishing rules for who can access what, and under what circumstances.

  • Role Management: Defining roles and mapping them to access rights to enforce least-privilege principles. Higher education institutions have very complex requirements for this.

  • Compliance and Auditability: Ensuring adherence to regulatory requirements (e.g., FERPA, HIPAA, GLBA) through access reviews, logging, and reporting.

  • Identity Analytics: Identifying anomalies or risks in user access, such as excessive permissions or orphaned accounts.

  • Certifications and Approvals: Managing workflows for periodic review and re-certification of user access rights.

Identity Federation

  • Single Sign-On (SSO) Across Organizations: Enabling users to authenticate once and access resources across multiple organizations or domains.

  • Federated Protocols: Use of standards such as SAML, OAuth, and OpenID Connect to facilitate secure sharing of authentication data.

  • Trust Relationships: Establishing agreements between entities to securely exchange identity data for authentication. UH is a member of the InCommon Federation and eduGAIN, an international academic federation of federations.

  • Cross-Domain Access: Supporting access to services or applications hosted in different administrative domains without duplicating user accounts.

  • User Attribute Exchange: Sharing relevant user attributes (e.g., roles, affiliations) across systems to facilitate access control decisions.

Table of Contents

For Individuals - UH Username Services, Identity Information Resources

For Campus Identity Representatives - UH Identity Management Services

For Campus Technology Administrators - ID Management and Authentication Solutions

For Developers - Developer Resources

General Info - UH Identity and Access Management Overview

Terminology - Terminology, Standard Codes and Definitions