Profile

Richard Frovarp

My Content

Posted By Richard Frovarp 11-28-2023 08:57:54 AM
Found In Egroup: Identity and Access Management
Entra and AD Object identifiers are implementation specific. They may or may not survive a restore. And if you delete the account, it isn't persistent. We use a name-based ePPN, a SIS/HCM identifier, and an IAM-specific identifier. The IAM-specific identifier is what goes out everywhere it can. It ...
Posted By Richard Frovarp 12-05-2022 09:46:32 AM
Found In Egroup: Identity and Access Management
I would agree with the idea of going with a policy. If you have multiple accounts, then each system sending email has to be set up to send to the right location. And perhaps more importantly, you have to train all of your users on how to choose which email address to send to. They likely respond to the ...
Posted By Richard Frovarp 11-01-2022 08:50:12 AM
Found In Egroup: Identity and Access Management
Doesn't look like dates have been updated recently. Local Enterprise was set for last June, with medium/strong coming at the end of the year. Not all parts of the NIH will require this, as it is risk-based depending on the service being accessed. https://auth.nih.gov/CertAuthV3/forms/help/compliancecheckhelp.html ...
Posted By Richard Frovarp 10-07-2022 12:27:29 PM
Found In Egroup: Identity and Access Management
Well, you bring up a good point. I think the hope is that where it matters, access for employees will be cleaned up. Certainly on our own local systems that happens by the IAM system automatically. I at least partially assume that the more removed from us such a system is, hopefully the less sensitive ...
Posted By Richard Frovarp 10-03-2022 03:24:36 PM
Found In Egroup: Identity and Access Management
At North Dakota State University, we do not reassign usernames. Once they are used, they are used. It is generally a bad idea to reassign, and it appears to be getting worse. You don't quite know what remote system you are federating to that might not correctly revoke access or delete historic data ...
Posted By Richard Frovarp 05-31-2022 01:06:31 PM
Found In Egroup: Identity and Access Management
We don't have the scheme you are talking about. However, given what we do have, people are confused as to what their username or email address is. We're in a shared O365 tenant at the university system level. The username is the same, but the domain is different. So people frequently think that their ...
Posted By Richard Frovarp 02-28-2022 10:16:54 AM
Found In Egroup: Identity and Access Management
We have an open position in the Enterprise Application Development group in the Division of IT at North Dakota State University. This position will focus on IAM and data processing. We use the InCommon Trusted Access Platform components of Grouper, midPoint, COmanage, Shibboleth. We also use CAS. We ...
Posted By Richard Frovarp 12-14-2021 01:23:31 PM
Found In Egroup: Identity and Access Management
The advantage of a YubiKey is that it can be used for more things. Users can use it for other services, and it is ready for you to use in the future for a passwordless service when you get there and/or your users start using something like that.