EDGC DECISION: OktaHub access to HRS/SFS/Workday, SIS and PersonHub Data

DECISION: OktaHub access to HRS/SFS/Workday, SIS and PersonHub Data

EDGC Decision Date: April 22, 2024

Decision: OktaHub access to HRS/SFS/Workday, SIS and PersonHub Data

What is the problem? Why is a decision needed?

Okta is an Identity and Access management tool implemented at the Universities of Wisconsin. The tool combines Okta Spokes deployed at the University level in Phase 1 as an opt-in implementation with Okta Hub deployed at the enterprise level in Phase 2. Okta Hub requires information on all users (faculty, staff, students, POI, etc) who have or will have an active NetID associated with the person. The sources for the identity data needed for OktaHub come from the HR system for employees (HRS/Workday) and the University SIS for Students. OktaHub requires an efficient and effective way to integrate all identity related data across the Universities.

What decision is recommended?

HRS/SFS, Workday, and SIS through PersonHub data feeds are recommended as the source for the identity data needed for OktaHub. The PersonHub data feeds combine HR system person data for employees (HRS/Workday) and the University SIS person data to provide two perspectives on the Person information. The first is PersonHub creates a common identifier across all Universities for a Person called PVI. The PVI provides a way to match a single person with their different identities across Universities (e.g. one person may be faculty at Whitewater, student at Stevens Point and employee at Platteville). The second perspective is information on the person as the University sees the person with their associated login, email and other personal information. Since each identity needs both the combined enterprise PVI and individual University identity to gain access to applications, the PersonHub data feed along with the data coming into PersonHub that retains the campuses identity is the best choice for the data in OktaHub.

A more detailed diagram is available in Appendix 1.

Who developed the recommendation?

This recommendation was developed by the UW System’s OktaHub team and Enterprise Architecture team.

Who was consulted in the development of the recommendation?

Members of UW-Madison’s PersonHub teams and UW System’s Enterprise Analytics program reviewed and contributed to the recommendation document. Additionally, ATP functional and security teams were consulted on issues related to the use of OktaHub and security models for EAP.

Appendix 1 – Technical Diagram

Data will be pushed to the OKTA hub utilizing Otka’s “Anything-as-a-Source (XaaS) api end points.  As data changes it needs to be pushed to Okta in a near real time fashion.  Okta will be in production prior to ATP go live and needs to support both Workday and HRS data.  All user populations including Students are included in the OKTA feed. Okta will use campus provided EPPN (EduPersonPrincipleName) as it anchor and primary identifier.  Okta co-exists with existing federated IAM processes.  OKTA will rely on Person Hub Master Data Management (MDM) services to maintain linkage between EPPN and PVI. The main principle for sourcing data for the hub is that we pull it as close as possible from the source systems. Because of the varied populations these data sources have an order of precedence.  Employee data will be sourced from HRS, and then Workday post go-live.  All other data will be sourced from the campus SIS that is providing it.

Appendix 2 – Proposed List of Initial Use Cases OktaHub

Appendix 3 –Proposed List of Data Elements Required in OktaHub