Penn Community Re-Engineering Project

As part of Penn’s Identity & Access Management (IAM) Program, Penn’s core IAM infrastructure has been re-engineered to replace decades-old, custom-built identity management systems and processes with a modern, standards-based solution. The goals were to strengthen Penn’s overall security posture and its ability to comply with emerging global regulatory requirements. The new Penn Community (with SailPoint IdentityIQ, IIQ, as the underlying identity engine) was implemented in phases.

Who Was Affected

As this project was infrastructure-based, there was minimal disruption for existing PennKey holders – users continued to access their Penn resources as before when the re-engineering was completed. The audiences affected by the project were source data owners (identity source systems), target system owners (consumers of Penn Community data), and ISC IAM-related service owners. The IAM project team collaborated with representatives from these groups through all phases of the project. 

Phase 1 Rollout - 2021

Phase 1 rollout was completed November 12-15, 2021 and included the implementation of SailPoint Identity IQ (IIQ) as the underlying identity engine for Penn Community. The affected audience was limited to Penn Community administrators and University personnel supporting identity conflict resolution (approximately 10 staff; Admissions, Alumni, HR, etc.). The new solution runs on a Penn-dedicated infrastructure hosted by Amazon Web Services (AWS), providing a flexible architecture that can grow with the University. Phase 1 rollout included the following:

  • The new Penn Community (powered by SailPoint IIQ) populated with source/historical data
  • PennIDs created by the new Penn Community
  • Legacy Penn Community became a consumer of the new Penn Community (powered by SailPoint IIQ) and remains in place while downstream consumers migrate, so there was no “big bang” transition
  • Persistent Bulk Load user access was deactivated; as of November 15, 2021, the Penn Community support team handles persistent bulk requests until the new, improved service is available on the SailPoint IIQ platform


Phase 2 Rollout - 2022-2023

In Phase 2 (2022-2023), we leveraged our new identity management system’s capabilities to improve the security and efficiency of University-wide identity and access management processes in phased functional releases. Goals included:

  • Implementing future-state design for identity management
  • Deploying infrastructure to support future access management capabilities
  • Legacy Penn Community retirement (longer-term goal)

Phase 2 included improvements in the following areas:

  • User Experience  
    • Dramatic improvements for new PennKey creation and password resets
    • Replacement of custom-built user registration and maintenance pages with vendor products
  • Security
    • Two-Step Verification overhaul – direct integration with Duo Services, retirement of custom Penn middleware/layers
    • Tighter controls on registration
    • Ability to rapidly adopt emerging authentication technologies to keep pace with evolving security challenges
    • Improved UI and functionality for PennKey administrators
    • Continued prototyping of “passwordless”/FIDO2-based authentication
  • Efficiency
    • Continued improvements in the delivery of cleaner identity data across Penn systems
    • Lower effort for future enterprise software integrations
    • Adaptive rules and controls for entering and managing identity data
    • Robust auditing and logging of all identity transactions

Areas of new functionality included:

  • Auditing and reporting of identity updates and security events
  • Phased integrations with key, business-critical University systems to provide automated, rules-based provisioning and de-provisioning of user accounts and access privileges

Benefits

The project delivers the following benefits:

  • Enhance security by assigning privileges automatically based on known user identity data and predefined rules
  • Provide an audit trail for – and periodic recertification of – user access rights to ensure users have the correct privileges and to explain how and why they receive them
  • Provide significant user experience improvements and an accelerated onboarding process
  • Streamline request-approval processes and automate account de-provisioning
  • Speed application development with modern identity and access APIs and tools
  • Integrate with on-premises or cloud-hosted applications and/or frameworks to provide real-time provisioning and de-provisioning of user accounts and identity data to partners inside and outside of Penn
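The rules-based provisioning and de-provisioning, audit trail and periodic recertification described under Phase 2 and in the benefits above, as an added illustrative example (not Penn’s or SailPoint IIQ’s code): the identity records, rule names, entitlement names and ticket identifiers are constructed for the example, and the engine is a deliberate simplification of what an identity governance product does. It shows the three behaviours a practitioner cares about: access a rule justifies is granted automatically, rule-derived access that no longer applies is revoked automatically, and manually granted exceptions are not silently removed but surface at recertification with the reason they need review; an inactive identity loses everything regardless of how it was granted.

```python
"""Illustrative rules-based provisioning/de-provisioning with an audit trail.

Added example; not Penn's or SailPoint's code. All identities, rules,
entitlements and ticket numbers below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Identity:
    penn_id: str
    affiliation: str   # constructed values: "student", "staff", "alumni"
    department: str
    active: bool       # False once the source system reports separation


@dataclass
class Rule:
    name: str
    entitlement: str
    applies: Callable[[Identity], bool]


# Constructed rule set: every rule-derived entitlement is explained by the rule that grants it.
RULES: List[Rule] = [
    Rule("birthright-active", "pennkey", lambda i: i.active),
    Rule("student-portal", "student-portal", lambda i: i.active and i.affiliation == "student"),
    Rule("hr-staff", "hr-system", lambda i: i.active and i.affiliation == "staff" and i.department == "HR"),
    Rule("alumni-services", "alumni-portal", lambda i: i.active and i.affiliation == "alumni"),
]


@dataclass
class AuditEvent:
    penn_id: str
    action: str        # "grant" or "revoke"
    entitlement: str
    reason: str        # the rule or condition that explains the change


def evaluate(identity: Identity, rules: List[Rule] = RULES) -> Dict[str, str]:
    """Return {entitlement: rule_name} for everything the rules justify for this identity."""
    return {r.entitlement: r.name for r in rules if r.applies(identity)}


def reconcile(identity: Identity, current: Dict[str, str], rules: List[Rule] = RULES,
              audit: List[AuditEvent] = None) -> Dict[str, str]:
    """Diff rule-derived access against current access and apply the changes.

    `current` maps entitlement -> source, either "rule:<name>" or "manual:<ticket>".
    Rule-derived access is granted and revoked automatically. Manual grants are left
    for recertification unless the identity is inactive, in which case everything is
    de-provisioned. Every change is appended to `audit` with its reason.
    """
    if audit is None:
        audit = []
    desired = evaluate(identity, rules)
    result = dict(current)
    for ent, rule in desired.items():
        if ent not in result:
            result[ent] = f"rule:{rule}"
            audit.append(AuditEvent(identity.penn_id, "grant", ent, f"rule:{rule}"))
    for ent, source in sorted(current.items()):
        if ent in desired:
            continue
        if not identity.active:
            reason = "identity inactive"
        elif source.startswith("rule:"):
            reason = f"{source} no longer applies"
        else:
            continue  # manual exception on an active identity: flagged at recertification, not auto-revoked
        del result[ent]
        audit.append(AuditEvent(identity.penn_id, "revoke", ent, reason))
    return result


def recertify(identity: Identity, current: Dict[str, str], rules: List[Rule] = RULES) -> Dict[str, str]:
    """Periodic recertification: explain each current entitlement or mark it for human review."""
    desired = evaluate(identity, rules)
    report = {}
    for ent, source in sorted(current.items()):
        if ent in desired:
            report[ent] = f"justified by rule:{desired[ent]}"
        else:
            report[ent] = f"REVIEW: {source} not justified by any rule"
    return report


if __name__ == "__main__":
    audit: List[AuditEvent] = []
    # Constructed: an HR staff member whose record still carries a stale student grant
    # and a manually ticketed exception.
    alice = Identity("10000001", "staff", "HR", True)
    current = {"pennkey": "rule:birthright-active",
               "student-portal": "rule:student-portal",
               "research-db": "manual:TICKET-123"}
    after = reconcile(alice, current, audit=audit)
    for event in audit:
        print(f"{event.penn_id} {event.action:6} {event.entitlement:15} {event.reason}")
    for ent, verdict in recertify(alice, after).items():
        print(f"recert {ent:15} {verdict}")
```

Run as a script it prints the grant of hr-system, the revocation of the stale student-portal grant, and a recertification report in which research-db is flagged for review rather than removed. The separation of automatic rule-driven changes from reviewer-driven exceptions is the design point: de-provisioning what the rules no longer justify is safe to automate, while silently removing an exception someone approved by ticket tends to generate outages and, worse, re-grants outside the audit trail.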