The Vendor is required to provide identity access management (IAM) environment as we transition from legacy on-premises directory and authentication infrastructure toward an entra id-centered architecture.
- Target-state direction: Entra id becomes the primary authentication and directly backbone, banner remains the system of record, cirrus identity bridge preserves in-common federation, Microsoft authenticator replaces duo for the general population (duo retained for Linux ssh only), and a vendor-supported IAM platform replaces homegrown lifecycle and password automation.
- Requirement:
• Create a clear, central way to manage identities so that user roles, attributes, and groups are defined in one place and consistently pushed to LDAP, active directory, google, and entra id.
• Reduce number of sign-in methods and move toward a single primary approach based on entra id, rather than relying on shibboleth, direct LDAP logins (Moodle, people admin, ssh), and other legacy methods.
• Turn on MFA for everyone using university systems-faculty, staff, students, alumni (as appropriate), guests, and shared accounts-aligned with in-common and NIST 800-63 guidelines.
• Update the university password policy so end users are required to change their own passwords, with modern security practices including support for future password less options.
• Replace in-house password reset tools with a modern, self-service password solution that is easier to maintain, reduces help desk calls, and works for all main user group.
• Implement an IAM solution that automates account creation, changes, and removal (onboarding/off-boarding), based on defined roles, personas, and attributes.
• Put a better process in place for managing admin and privileged accounts so they are separate from normal user accounts, follow least-privilege principles, and are easier to track and audit.
• Make sure key identity attributes are kept in sync between LDAP and active directory so that single sign-on and application access work reliably and consistently.
• Shift sign-in to a cloud-based model where possible, so users can still log in to critical services even if the campus network is down.
• Maintain or improve support for in-common federation using cirrus or another approach, so research and scholarship applications that depend on saml, cas, or oidc continue to work.
• Reduce technical debt by retiring or replacing older custom scripts written in php, perl, java, and other languages, and moving that logic into supported platforms or tools.
• Extend MFA or other strong controls to infrastructure access such as ssh, rdp, linux systems, and similar entry points — not just web applications.
• Support identities for people who are not traditional banner users (high school visitors, dualen rolled students, visiting scholars, OCC students in dorms, vendors, volunteers) without requiring full ERP records, while still controlling their access.
• Improve audit and compliance readiness through a more consistent identity and authentication model across directories, making it easier to pass security reviews and reduce risk.
• Define clear roles, personas, and attributes so access can be managed consistently across ~600 applications and the mix of google workspace, Microsoft 365 / Entra id, AWS, and on-Prem systems.
• Build an identity foundation that will support future needs — possible azure workloads, expanding research, and cloud services — without locking the university into a single vendor path.
Set up free email alerts and get notified when new government bids, tenders and procurement opportunities match your industry and location. Choose daily or weekly delivery.