Introducing Catalyst to Catalyst: Ideas and Insights from InCommon Catalysts
Edited By Apryl Motley, InCommon Communications Lead, Internet2 Trust and Identity
The InCommon Team is committed to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts. To that end, we will feature them in InCommon News on a quarterly basis through a Q&A column, Catalyst to Catalyst.
Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing multiple perspectives on a key IAM topic for the InCommon community. If there’s a question you would like for us to address in a future installment of Catalyst to Catalyst, contact InCommon Communications Lead Apryl Motley.
What is one trend on which you are making sure that your customers/clients stay updated?
The migration to JSON web tokens for authentication and authorization in research computing environments is an important trend that CILogon is helping our clients navigate. CILogon has added support for GA4GH passports, SciTokens, and WLCG tokens, in addition to our existing support for OpenID Connect’s ID Tokens, to help our clients with this migration. The Token Transition Update from the recent Open Science Grid All Hands Meeting provides additional updates about this trend.
—Jim Basney, Principal Research Scientist, CILogin; firstname.lastname@example.org
Identity governance and administration might be overlooked at first, but with the increasing maturity of IAM solutions, it has become increasingly evident that at least some part of identity governance is crucial.
The initial steps are exclusively within the identity management domain for most deployments. The main goals are to connect existing systems, clean up the data, and automate the synchronization and provisioning of identity objects. Even though this seems simple on paper, it might be a highly complex task that requires several months to execute, especially if you are migrating from an existing IdM solution. Identity governance features are often deployed in a later phase when you need to allow self-service for end users and introduce processes and policies.
Having IGA principles in mind from day one might help make early design decisions, which will help with the transition to IGA later in the project. It might help define which processes should be kept in the core IGA platform and which are acceptable to delegate to external components and how to integrate with external components that are working with identities.
Evolveum has IGA as one of our strategic priorities. Part of the IGA features and processes are already implemented in midPoint; others are in preparation. You can read more about progress on IGA here. We will also be happy to get your feedback directly via standard communication channels, upcoming webinars, or midPoint working group meetings.
—Igor Farinic, CEO, Evolveum; email@example.com
So far this year, what is the biggest IAM challenge you’ve seen the research and education community address?
We see a growing number of institutions that are consolidating on Azure AD or Okta as their primary SSO because 1) they want a single user experience to all their institutional applications, 2) they have staff retirements or recruiting or budget challenges and want to maximize current investments in Azure AD or Okta, and/or 3) they want to consolidate to reduce technical risks.
However, there are two gaps with Azure AD and Okta – neither support the CAS authentication protocol nor can the institution’s Identity Provider be registered in InCommon since they don’t support multilateral federation. For more information on this challenge, see Azure AD and Okta blog articles by Cirrus.
However, Cirrus has hosted solutions with the CAS Bridge and/or the SAML Federation Adapter Bridge. If you want to hear more about the Cirrus Bridges, our recent webinar includes implementation experiences from University of Detroit Mercy, Illinois Institute of Technology, and Millersville University.
—Dedra Chamberlin, CEO & Founder, Cirrus Identity; firstname.lastname@example.org
Unicon has seen several identity and access management challenges addressedbyboth the research and education communities. In reality, many institutions are unclear as to where they stand regarding their strategy, technology, and staff. They are finding, as the year progresses, that there are gaps within their IAM solution, but there isn’t a clear path to closing those gaps to ensure the system in place is fully secure, meeting needs of the institution and working as expected.
Several of our clients have attributed this to outdated strategies, a need for updated technologies, or the loss of talented identity professionals. Next steps are critical and essential to ensure the students, faculty, and staff have an IAM system to assist and provide access to the resources required to ensure their success. As a community, we can help institutions reduce complications and grow their knowledge base to improve confidence in their IAM solution.
—Charise M. Arrowood, Senior Director, Identity, Unicon Inc.; email@example.com
How is your organization supporting employees during what remains a difficult time for many people, particularly in terms of balancing personal and professional responsibilities?
One of the core responsibilities a business owes to its employees is to give them the foundation and freedom to pursue a healthy and fulfilling life outside of work. As part of that commitment, West Arete designed its time off policy to incentivize time spent away from work. Team members are immediately eligible for, and encouraged to take, four weeks of vacation, two weeks of absent time (doctor’s appointments, sick time, etc.), one cumulative week of federal holidays, and time allotted for community service. And in addition to those seven weeks, after 12 months of employment, all employees are eligible for our favorite radical benefit: a fully paid, completely unplugged, three-week sabbaticalthat must be taken by all salaried employees every calendar year.
The primary idea behind a mandatory sabbatical is to allow each person to do something deeply meaningful that they would not have had the opportunity to do with a full-time job. Some of our employees have used that time to build surfboards and cabins, while others have invested it with family and embarked on grand adventures. Every employee learns more about themselves and accomplishes things that were previously out of reach. West Arete’s goal to provide room for personal fulfillment is achieved, and the employees tend to return to work with clear minds and reignited motivation.
If you’d like to learn more about our mandatory sabbatical policy, the financial considerations, and how to implement them at your organization, we encourage you to watch this interview with me, our CEO Scott Woods, and founder of The Sabbatical Project, DJ DiDonna or reach out to us to chat!
—Natalie Simonson, Director of Outreach, West Arete; firstname.lastname@example.org