In an identity management landscape where change and challenge are the only constants, the University of Illinois Urbana-Champaign (U. of I.) Technology Services team manages user identities with a “people-centric” approach. Its recent Microsoft Azure Active Directory migration of 350,000 identities took one short, drama-free weekend. The university’s team offers advice and lessons learned for other organizations.
“We’re embracing Microsoft as the centerpiece of our single sign-on (SSO) architecture. Having an entire stack, from Microsoft 365 on the consumer end all the way through authentication via Azure AD to an array of cloud components intertwined in a complete, coordinated ecosystem, is a significant advantage.”
Erik Coleman, Identity and Access Management Architect, University of Illinois Urbana-Champaign
Perpetuating greatness
The University of Illinois Urbana-Champaign (U. of I.) aspires to change the world through its commitment to excellence, achievement, impact, and leadership. With multiple Pulitzer Prizes and Nobel Prizes awarded to alumni and faculty, and a rich history of innovative research, it’s an understandable ambition.
But that academic excellence also invites targeting by malicious actors, who seek access to world-class confidential research materials and to people with influence across many fields. Protecting thousands of student, staff, faculty, and affiliate identities in the dynamic university environment is a challenge that Technology Services, the university’s central IT unit, embraces.
Unification was key for U. of I.’s Technology Services. The team found the capabilities it needed to unite a sprawling estate of highly diverse users with Microsoft Azure Active Directory (Azure AD).
Overseeing a constantly shifting identity pool
U. of I. faces the identity management challenges shared by higher education institutions everywhere. New students enter and others graduate from the university every year, sparking the onboarding and offboarding of 10,000 to 15,000 identities. The more stable, roughly 22,000 staff and faculty identities have diverse needs, which complicate standardization.
“Much of the complexity we deal with stems from the scale of separate ecosystems,” says Jeff Domeyer, Assistant Director of Identity and Access Management at Technology Services. He likens the plethora of departments and research groups to a collection of independent cities. Often small, with unique IT needs, these groups depend on the flexibility Technology Services offers as it helps them fulfill their requirements. “We try to support units across the U. of I. System in accomplishing their goals,” he continues. “If we’re not able to do that, units will solve their problems on their own, potentially without cybersecurity resources or awareness.”
The continual addition of identities to U. of I.’s vast user network further complicates identity management. For Charles Geigner, acting Interim Chief Privacy and Security Officer at Technology Services, stewardship is key to maximizing both safety and self-sufficiency. “We’re stewards of the model for identity management, but we don’t control the requirements that the vast number of departments and teams have,” he explains. When a university-mandated identity system doesn’t work for a particular group, the group might resort to its own approach. “When we provide a good user experience, people are more likely to adopt those services,” Geigner continues. “That’s why we focus on people-centric design.”
Unifying complexity created by AD FS with Azure AD
In the past, U. of I. approached security for identities by micro-segmenting the network, basing trust on IP addresses. “We’re throwing that out the window,” affirms Geigner. “We’ve created a transactional, smarter security model within the broader context of Zero Trust initiatives. With Azure AD, we’ve built a robust ecosystem to ensure that people are who they say they are, using their attributes in multiple ways, like role-based access control. It makes everyone’s life easier.”
Before that could happen, U. of I. needed to address the complication created by multiple Active Directory Federation Services (AD FS) instances. Higher education had come to depend on budget-neutral, open-source single sign-on (SSO) systems for identity management, like Shibboleth. The university also uses InCommon, a federated SSO service used for collaboration by universities around the globe. InCommon federation allows researchers worldwide who partner with U. of I. researchers to authenticate with their home institution credentials for easy collaboration—essential to accelerating cutting-edge research.
The University of Illinois System had multiple instances of Azure AD in use across the universities in the system (University of Illinois Urbana-Champaign, University of Illinois Springfield, and University of Illinois Chicago), and those instances were not connected. Multiple Azure AD instances spanning university boundaries complicated signing into services. The team at U. of I. had long aspired to provide the convenience of a unified SSO capability for faculty, staff, and students within the University of Illinois System.
Consolidating identity management with the rest of its Microsoft tooling was a promising avenue toward that goal. “After running Microsoft Active Directory, AD FS, and Shibboleth separately, we’re embracing Microsoft as the centerpiece of our SSO architecture,” says Erik Coleman, Identity and Access Architect at University of Illinois Urbana-Champaign. “It’s a significant advantage to have an entire stack, from Microsoft 365 on the consumer end all the way through authentication via Azure AD, to an array of cloud components intertwined in a complete, coordinated ecosystem.”
The team prepared carefully to provide Azure AD as the university’s gateway both to Microsoft 365 productivity apps and to academic research systems authenticated by Shibboleth. Coleman conceptualized a consolidated SSO in which Shibboleth would forward credential validation to Azure AD. “We benefit from Conditional Access policies, device health, and posture with Azure AD, so we can use metrics collected in the cloud to make decisions at the time of authentication,” he explains. “Those advantages weren’t possible with our other sign-on systems.”
Coordinating those authentication services with Azure AD would further elevate security and set the stage for the future. “We needed the high level of assurance that users are who we think they are,” explains Devin Gengelbach, Lead Identity and Access Management Specialist at Technology Services. “The logic in the Azure AD authentication flow validates user access to sites and resources, and also positions us for more advanced methods like implementing passwordless authentication.”
Sharing lessons learned from switching to Azure AD in one weekend
Technology Services set the stage for success by establishing the practice of syncing credentials to the cloud with Azure AD Connect. “Azure AD Connect was key to our preparation for migration,” says Gengelbach. “When migration weekend came, it was simple to move the federation from AD FS to Azure AD.”
Understanding the user base was key. As Geigner points out, the complex mix of identity types and independence of so many diverse groups calls for a very different approach than that used in corporate settings. “We’re stewards of the model, but we have no control over the needs of our users,” he says. “We have to gather everyone’s differing requirements, and that’s a huge challenge.” That made communication vital to ensuring success, both before and during the rollout. The team knew that AD FS users would need guidance on converting from using their NetID—a university username—to a sign-in address, or User Principal Name (UPN).
Geigner points out that given an option, end users will avoid control mechanisms. “We have to be intentional about the user experience,” he insists. “We want to talk to every group to understand their feelings about what works and what could be better.” Adds Gengelbach, “Our challenge now is understanding the devices people are using, so we can further streamline the experience.”
Another lesson learned: when Conditional Access policies take effect, they invalidate currently authenticated sessions. Since U. of I. had already implemented Conditional Access policies, some university users received multiple re-authentication or multifactor authentication requests at the cutover time.
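The two preparation points above (federation moving from AD FS to Azure AD after credentials were synced with Azure AD Connect, and enforced Conditional Access policies prompting users for re-authentication at cutover) can be checked before a migration weekend with a read-only inventory. The script below is an added example, not the university’s or Microsoft’s own tooling; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin is granted the Domain.Read.All and Policy.Read.All permissions.

```powershell
# Added example: pre-cutover readiness inventory via Microsoft Graph PowerShell.
# Assumption: Microsoft.Graph modules installed; caller consents to the scopes below.
function Get-CutoverReadiness {
    Connect-MgGraph -Scopes "Domain.Read.All", "Policy.Read.All"

    # 1. Which verified domains still federate sign-in to AD FS?
    #    After cutover each should read "Managed", meaning Azure AD authenticates
    #    directly against the credentials synced by Azure AD Connect.
    $domains = Get-MgDomain -All | Where-Object { $_.IsVerified }
    "== Verified domains =="
    foreach ($d in $domains) {
        "{0,-40} {1}" -f $d.Id, $d.AuthenticationType
    }

    # 2. Which Conditional Access policies are enforced rather than report-only?
    #    Enforced policies are the ones that invalidate existing sessions and
    #    trigger re-authentication or MFA prompts once users hit the new sign-in path.
    $policies   = Get-MgIdentityConditionalAccessPolicy -All
    $enforced   = @($policies | Where-Object { $_.State -eq 'enabled' })
    $reportOnly = @($policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' })

    "== Enforced Conditional Access policies =="
    foreach ($p in $enforced) {
        $controls = ($p.GrantControls.BuiltInControls -join ', ')
        # A policy scoped to 'All' users will re-prompt the entire population at once.
        $scope = if ($p.Conditions.Users.IncludeUsers -contains 'All') { 'AllUsers' } else { 'Targeted' }
        "{0,-50} scope={1,-8} controls={2}" -f $p.DisplayName, $scope, $controls
    }
    "Enforced: $($enforced.Count)   Report-only: $($reportOnly.Count)"
}

Get-CutoverReadiness
```

Running this a day before the cutover gives the team the list of domains still showing "Federated" and the exact set of policies whose prompts users should be warned about, which is the communication the university found vital.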
The brief inconvenience opened greater opportunities to educate the campus. The Technology Services team reassured users and provided focused communications to help them resolve any issues. “The change sparked a lot of conversations,” says Geigner. “It was an opportunity to familiarize people with the change and show them how their experience ultimately improved. We’re going to continue to activate features like role-based access control and build on what we’ve started with Azure AD.”
The Azure AD rollout brought other benefits. “By consolidating our identity system to Azure AD, we’re able to maximize the efforts of our cybersecurity team, processes, and tooling,” says Domeyer. “We’ve made a future-oriented investment, and we’re very excited about what we can achieve in the very near future.”
The team looks forward to continued collaboration with the university community. “Our Azure AD rollout is not just about getting the controls that we need. It’s also about providing a pleasant experience for everyone, whether they bring their own devices or have specific system requirements,” concludes Geigner. “Azure AD is part of the unified ecosystem we’re building that maximizes safety and user experience together.”