Northeastern accounts are getting a much-needed modernization. These efforts are expected to make the university’s identity and access management better suited to Northeastern’s global campus network and its community of faculty, students, staff, partners, and collaborators in many different locations. As part of a multi-year roadmap, multiple projects are underway this fall in support of this new accounts and access security model.
The long-term vision is for everybody at Northeastern to have access to what they need when they need it, and for it to happen frictionlessly. This includes a passwordless future where biometrics and passkeys will be the norm, rather than having to remember long and complex passwords.
In this future state, logging in to a laptop with Windows Hello or Apple Touch ID will also log you into your email and other university systems based on your role or set of roles. The solution for this will also help reduce the need for as many short-term sponsored accounts as the university requires today.
This sounds like a dream, but how will we get there? According to Chief Information Security Officer Harry Hoffman, the university has a three-stage plan:
- Get rid of legacy systems.
- Move to centralized authorization storage.
- Implement a zero-trust environment.
As of fall 2023, the university is still in the first phase, an essential building block for getting to a passwordless, frictionless future. The current projects to eliminate several older legacy systems touch on major services in the IAM portfolio. Though they’ve been underway for months, some of the most visible impacts only just surfaced this fall. Let’s take a look at those projects now.
Single sign-on (SSO)
Until recently, Shibboleth was the tool powering the single sign-on (SSO) experience for much of the university. Once you log in to an online application that uses Shibboleth, you’re able to access other university online resources without needing to log in again for each one.
However, another system, the legacy Microsoft ADFS, also powered account access for other university services including email, Teams, Adobe, and Student and Employee Hubs. This two-system setup has caused headaches for both the community and the IT staff supporting account access.
The 1Login initiative launched in early 2023 with the goals of streamlining the login experience and retiring both Shibboleth and Microsoft ADFS. In place of those systems, Northeastern SSO will be consolidated and transitioned to a single system, the more modern cloud-based Microsoft Azure Active Directory.
As of the time of this publication, the retirement of the legacy ADFS infrastructure has been completed and over 90% of the Shibboleth apps have migrated to Azure AD.
Sponsored accounts
Like SSO, the sponsored accounts service also falls under the umbrella of IAM. Sponsored accounts are temporary accounts that provide the access needed to conduct university-related academic and administrative work. The roles that often require a sponsored account include visiting faculty, contractors and consultants, student employees, and graduate research assistants.
Sponsored accounts have been managed on another legacy system in the IAM stack, Waveset. This past September, IT Services took the first step in transforming the sponsored account management process by transitioning it away from Waveset and updating it to support audit-recommended policy changes that improve security.
In the first phase of the sponsored accounts transformation, released on Sept. 22, the process for requesting sponsored accounts moved into ServiceNow to ensure an approach consistent with other services and to improve the university’s security posture. ITS also launched a new sponsored account dashboard on ServiceNow in October.
The next release, scheduled for Nov. 17, will add enhancements designed to process account updates and terminations more quickly. It will also introduce new streamlined account expiration email reminders that will improve the experience for sponsors, especially those with multiple sponsorships expiring around the same time.
Over time, as the IAM roadmap is implemented, the need for sponsored accounts will diminish. In lieu of sponsored accounts, Northeastern will focus on the use of social logins and identity federation, a system of trust between organizations that allows the sharing of information for the purpose of authorizing users to access resources. This will allow individuals to continue using their own organizational accounts. For example, visiting faculty or consultants from other institutions could get temporary access to the Northeastern systems they would need without needing new accounts.
Faculty and staff accounts
A third major project underway this fall will migrate faculty and staff accounts to the same system that currently manages student, alumni, and family accounts. Migrating faculty and staff accounts, as well as several other lower-profile services, will allow ITS to fully retire Waveset. It will also consolidate management of all accounts to one system, Saviynt, providing more consistency across all account types for the account holders and for the teams supporting the technology.
The most immediate impact of this project for the wider university community once it goes live in spring 2024 is how accounts are claimed and activated. Faculty, staff, and sponsored account holders will receive an automated email as soon as it’s time to activate new accounts. This email will have a unique token URL for each account that, when visited, will walk the employee through the activation process, including enrollment in two-factor authentication.
As this release gets closer, ITS will provide more information to help the university through the transition. Information and processes will be updated at accounts.northeastern.edu and on the Tech Service Portal as they become available.
The road ahead
The university is still in the early stages of efforts to transform the access and security model governing online identities and accounts. The projects outlined here provide a meaningful foundation for the next phases of the long-term roadmap. While some of the early changes may be seen as inconveniences or only minor in nature, they’re just the initial steps towards the more significant transformation that is coming.
Updated on Feb. 13, 2024, to include an updated timeline for faculty and staff accounts from December 2023 to spring 2024.