DECISION: OktaHub access to HRS/SFS/Workday, SIS and PersonHub Data
EDGC Decision Date: April 22, 2024
What is the problem? Why is a decision needed?
Okta is an Identity and Access Management tool implemented at the Universities of Wisconsin. The tool combines Okta Spokes, deployed at the University level in Phase 1 as an opt-in implementation, with Okta Hub, deployed at the enterprise level in Phase 2. Okta Hub requires information on all users (faculty, staff, students, POI, etc.) who have or will have an active NetID associated with the person. The identity data needed for OktaHub comes from the HR system for employees (HRS/Workday) and from the University SIS for students. OktaHub requires an efficient and effective way to integrate all identity-related data across the Universities.
What decision is recommended?
HRS/SFS, Workday, and SIS, delivered through the PersonHub data feeds, are recommended as the source for the identity data needed for OktaHub. The PersonHub data feeds combine HR system person data for employees (HRS/Workday) and University SIS person data to provide two perspectives on the Person information. The first is that PersonHub creates a common identifier for a Person across all Universities, called the PVI. The PVI provides a way to match a single person with their different identities across Universities (e.g. one person may be faculty at Whitewater, a student at Stevens Point and an employee at Platteville). The second perspective is information on the person as the University sees the person, with their associated login, email and other personal information. Since each identity needs both the combined enterprise PVI and the individual University identity to gain access to applications, the PersonHub data feed, along with the data coming into PersonHub that retains the campus identity, is the best choice for the data in OktaHub.
A more detailed diagram is available in Appendix 1.
Who developed the recommendation?
This recommendation was developed by the UW System’s OktaHub team and Enterprise Architecture team.
Who was consulted in the development of the recommendation?
Members of UW-Madison’s PersonHub teams and UW System’s Enterprise Analytics program reviewed and contributed to the recommendation document. Additionally, ATP functional and security teams were consulted on issues related to the use of OktaHub and security models for EAP.
Appendix 1 – Technical Diagram
Data will be pushed to the Okta hub using Okta's "Anything-as-a-Source" (XaaS) API endpoints. As data changes, it needs to be pushed to Okta in near real time. Okta will be in production prior to ATP go-live and needs to support both Workday and HRS data. All user populations, including students, are included in the Okta feed. Okta will use the campus-provided EPPN (eduPersonPrincipalName) as its anchor and primary identifier. Okta co-exists with existing federated IAM processes. Okta will rely on PersonHub Master Data Management (MDM) services to maintain the linkage between EPPN and PVI. The main principle for sourcing data for the hub is to pull it as close to the source systems as possible. Because of the varied populations, these data sources have an order of precedence: employee data will be sourced from HRS, and then from Workday post go-live; all other data will be sourced from the campus SIS that provides it.
Appendix 2 – Proposed List of Initial Use Cases OktaHub
Use Case | Description
Allow access to datasets in EAP via Tableau or Redshift | Tableau access to dashboards will be granted automatically based on the user access roles in Workday. Information integrated from Workday into OktaHub will be matched with PersonHub data to accomplish the automated access.
Allow access to tools or applications related to a course | Course-level access to a tool can be provisioned and deprovisioned based on the student/course enrollment information stored in OktaHub.
Appendix 3 – Proposed List of Data Elements Required in OktaHub
Data Required in Okta | Source for Data
Display Name | Variable Name | Person Hub (Best Match) | Person Hub (SIS aggregated data) | HRS / SFS / Workday
Username (EPPN) | login | Campus provided Login | |
Preferred email | preferredemail | Used when the domain of the email matches the EPPN domain | Used when best match does match login domain |
PVI | pvi | X | |
Employee number | employeeNumber | X | |
Student Number | studentNumber | X | |
Library Card Number | cardidnumer | X | |
Preferred First Name | preferredFirstName | Additional Source if other sources not available | Non-Worker Population | Worker Population (HRS / Worker)
Preferred Last Name | preferredLastName | Additional Source if other sources not available | Non-Worker Population | Worker Population (HRS / Worker)
Preferred Middle Name | preferedMiddleName | Additional Source if other sources not available | Non-Worker Population | Worker Population (HRS / Worker)
Pronouns | pronouns | Additional Source if other sources not available | Non-Worker Population | Worker Population (HRS / Worker)
Legal First Name | legalfirstname | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Legal Last Name | legallastname | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Legal Middle Name | legalmiddlename | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Honorific suffix | honorificSuffix | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Title | title | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Display name | displayName | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Mobile phone | mobilePhone | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Primary phone | primaryPhone | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Mailing Street Address | | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Mailing Street Address 2 | | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
| | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Mailing State | | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Mailing Postal Address | | Additional Source | Non-Worker Population | Worker Population (HRS / Worker)
Country code | countryCode | Worker Office Location (HRS / WD) | |
User type | userType | SIS | |
Job Information | jobInfo | Workday Appointment Data | |
Job Info (Legacy HRS) | jobInfoLegacy | HRS Appointment Data | |
HRS Roles (Legacy) | hrsroles | HRS Admin User Roles | |
SFS Roles (Legacy) | sfsroles | SFS Admin User Roles | |
WD Roles/Domains | wdroles | Workday Admin User Roles/Domains | |
Data from the crosswalk table in PersonHub used to match PVI with EPPN: PVI, EPPN

Data needed directly from the SIS feeds to PersonHub to derive the correct data in Okta:

IAA_IFC.UW_IAA_STG_SOURCE_PERSON_TBL: SESSION_ID, SEQ_NUM, LOG_TYPE, SOURCE_CODE, GENDER, PRIVACY_FLAG, DECEASED_FLAG, ERROR_CODE, CREATE_DATETIME, INSERT_DATETIME

IAA_IFC.UW_IAA_STG_STUDENT_ROLES_TBL: SESSION_ID, SEQ_NUM, LOG_TYPE, SOURCE_KEY_VALUE, SOURCE_CODE, STUDENT_ROLE_ID, STATUS_BEGIN_DATETIME, STATUS_END_DATETIME, STATUS_CALENDAR_UNIT_DESCR, STUDENT_STATUS, FULL_PART_INDICATOR, STUDENT_MAJOR, STUDENT_CLASSIFICATION, STUDENT_COLLEGE, INSTITUTION_CDR_CODE, ERROR_CODE, CREATE_DATETIME, INSERT_DATETIME

IAA_IFC.UW_IAA_STG_CONTACT_TBL: SESSION_ID, SEQ_NUM, LOG_TYPE, SOURCE_KEY_VALUE, SOURCE_CODE, CONTACT_TYPE, CONTACT_ROLE_ID, SUPPLEMENTAL_SOURCE_CODE, EMAIL_ADDRESS, PHONE_NUM, PHONE_EXT, ADDR_LINE1, ADDR_LINE2, ADDR_LINE3, ADDR_LINE4, CITY, STATE, COUNTRY, ZIP, ERROR_CODE, CREATE_DATETIME, INSERT_DATETIME
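As an added example, not the project's own code, the following resolver applies the source precedence from Appendix 1 and the per-element rules from Appendix 3 (worker population from HRS/Workday, non-workers from the SIS feed, PersonHub best match only as a fallback, preferred email only when its domain matches the EPPN domain, PVI taken from the crosswalk). Record shapes, the crosswalk dict, the assignment of employeeNumber/jobInfo/wdroles to the HR record and studentNumber/userType to the SIS record, and the sample people are assumptions.

```python
# Added example, not the project's code: build one OktaHub profile from the three sources
# in the precedence Appendix 3 describes. Record shapes, crosswalk dict and demo data are assumed.
NAME_FIELDS = ("preferredFirstName", "preferredLastName", "legalfirstname",
               "legallastname", "displayName", "mobilePhone", "primaryPhone")
HR_ONLY, SIS_ONLY = ("employeeNumber", "jobInfo", "wdroles"), ("studentNumber", "userType")


def email_domain(addr):
    # Lower-cased domain of an address, or None when it has no '@'.
    return addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else None


def resolve_profile(eppn, crosswalk, hr=None, sis=None, best_match=None):
    """crosswalk: EPPN -> PVI from the PersonHub crosswalk table.
    hr: HRS/Workday record (workers only); sis: PersonHub SIS-aggregated record;
    best_match: PersonHub best-match record, used only as a fallback."""
    hr, sis, best_match = hr or {}, sis or {}, best_match or {}
    if eppn not in crosswalk:  # EPPN is the anchor; no linked PVI, no profile
        raise KeyError(f"no PVI linked to {eppn}")
    profile = {"login": eppn, "pvi": crosswalk[eppn]}
    # Worker population is sourced from HRS/Workday, everyone else from the SIS
    # feed; the best match fills in only what the primary source lacks.
    primary = hr if hr else sis
    for f in NAME_FIELDS:
        value = primary.get(f) or best_match.get(f)
        if value:
            profile[f] = value
    # Preferred email is accepted only when its domain matches the EPPN domain,
    # so a profile never carries an address belonging to another campus.
    for source in (primary, best_match):
        addr = source.get("preferredemail")
        if addr and email_domain(addr) == email_domain(eppn):
            profile["preferredemail"] = addr
            break
    # Assumed split of the remaining elements between the HR and SIS records.
    for src, keys in ((hr, HR_ONLY), (sis, SIS_ONLY)):
        profile.update({k: src[k] for k in keys if src.get(k)})
    return profile


CROSSWALK = {"jdoe@uwplatt.edu": "UW100001", "asmith@uwsp.edu": "UW100002"}  # constructed


def demo():  # constructed records: a Platteville worker and a Stevens Point student
    worker = resolve_profile("jdoe@uwplatt.edu", CROSSWALK,
        hr={"preferredFirstName": "Jane", "preferredLastName": "Doe", "employeeNumber": "00012345",
            "preferredemail": "jane.doe@uwplatt.edu", "jobInfo": "Lecturer"},
        best_match={"preferredFirstName": "J.", "mobilePhone": "608-555-0100", "preferredemail": "jdoe@uwsp.edu"})
    student = resolve_profile("asmith@uwsp.edu", CROSSWALK,
        sis={"preferredFirstName": "Alex", "studentNumber": "S7701", "userType": "student", "preferredemail": "alex@example.com"},
        best_match={"preferredLastName": "Smith", "preferredemail": "asmith@uwsp.edu"})
    return worker, student
```

The student case shows the fallback path: the SIS-provided email is rejected because its domain differs from the EPPN domain, and the best-match address on the campus domain is used instead.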