
30 May 2025

IAM Online Community Speaker Spotlight

Transforming Access Chaos: How Three Universities Are Solving Authorization Complexities with Innovative IAM Approaches


By Jean Chorazyczewski, InCommon Academy Director


“Who can access what and why?” This simple question costs higher education institutions thousands of staff hours, creates endless frustration for users, and remains one of the most persistent operational headaches across campuses. Behind the scenes of every university’s digital ecosystem is a complex web of access decisions that directly impact daily operations, compliance requirements, and user experience.

The Authorization Problem Everyone Feels

Think about the last time someone at your institution needed access to a specialized resource. How many emails, approvals, and manual checks were required? How long did it take? And on leaving the university, did that person’s access get properly revoked? Was it revoked immediately? 

The reality is this: while authentication (proving who users are) has largely been solved through systems like single sign-on, authorization (determining what they should access) remains fragmented across hundreds of individual applications. Each service ends up implementing its own authorization rules, creating an unsustainable patchwork that IT departments struggle to manage.

This leads to very real daily challenges:

  • The “Ghost Access” Problem: When faculty, staff, or students leave, their access rights often persist for weeks or months because deprovisioning happens at the application level rather than through Central IT. 
  • Training Verification Gridlock: Staff manually check and re-check training certifications before granting access to specialized resources like research environments or sensitive data repositories, creating bottlenecks that delay legitimate work.
  • License Management Burden: Without centralized authorization, enforcing application licensing becomes a manual, error-prone process that either wastes money on unused licenses or creates access conflicts.
  • Departmental Request Overwhelm: IT teams field endless access requests that require multiple approvals and manual configuration, taking away resources from more strategic initiatives.

Three Institutions Leading the Way

The IAM Online webinar on Wednesday, June 18, at 1 p.m. ET entitled “Bridging the Gap: Integrating Authentication with Authorization to Solve Critical Access Challenges in Higher Ed” showcases how three forward-thinking institutions—University of Pennsylvania, Harvard University, and University of Alaska—have tackled these everyday challenges by implementing “front door authorization” approaches. By moving authorization decisions to the entry point of access (the identity provider or SSO gateway) rather than leaving them to individual applications, these universities have transformed their access management from a constant struggle into a streamlined, policy-driven process. The three solutions to be presented:

  • University of Pennsylvania’s Front-Door License Management – Penn has revolutionized license management with a “front door” approach that validates access before users reach applications. Their Grouper-based system blocks unauthorized attempts with customized error pages that guide users to self-service options, dramatically reducing help desk tickets.
  • Harvard’s Frictionless Authorization Framework – Harvard has centralized authorization decisions through a Grouper-powered “front door” system, ensuring that only users with current Harvard affiliations can access resources. This approach provides seamless access to the right tools while removing authorization burdens from individual applications.
  • University of Alaska’s Real-Time Training Verification – U Alaska integrates certification tracking directly with Shibboleth authentication, stopping sign-in attempts at the identity provider level if training requirements aren’t met. Their system even enables instant access provisioning when training is completed, eliminating manual verification entirely.
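The common thread in all three deployments is a single policy decision made at the entry point, before an assertion is ever released to the application: current affiliation (Harvard), membership in a license or reference group (Penn), and a valid training record (Alaska). The following added example, which is not code from the post or from any of the three institutions nor from Grouper or Shibboleth, models that front-door check as a small policy engine. The user records, group names, policies, self-service URLs and the "today" date are all constructed for illustration; in a real deployment the attributes would come from the identity provider's attribute resolver and a Grouper-style group source.

```python
"""Front-door authorization modelled as an IdP-side policy decision.

Added illustration only. Assumes the identity provider already holds the
authenticated user's affiliations, group memberships and training history,
and consults one central policy per application before releasing an
assertion. None of the names below are real Penn/Harvard/Alaska identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class User:
    uid: str
    affiliations: set[str]            # current affiliations; empty when departed
    groups: set[str]                  # reference/license groups (Grouper-like source)
    trainings: dict[str, date]        # training name -> most recent completion date


@dataclass
class AppPolicy:
    app_id: str
    allowed_affiliations: set[str] = field(default_factory=set)
    required_group: Optional[str] = None      # license or entitlement group
    required_training: Optional[str] = None   # certification the app requires
    training_valid_days: int = 365            # recertification interval
    self_service_url: Optional[str] = None    # where the custom error page sends users


@dataclass
class Decision:
    allow: bool
    reason: str
    redirect: Optional[str] = None


def front_door_decision(user: User, policy: AppPolicy, today: date) -> Decision:
    """Evaluate every front-door rule in order; the first failure is decisive."""
    # Affiliation check: catches "ghost access" for departed users even if
    # an application's local allow-list or a license group still names them.
    if policy.allowed_affiliations and not (user.affiliations & policy.allowed_affiliations):
        return Decision(False, "no current affiliation", policy.self_service_url)
    # License / reference-group check (the Penn-style front door).
    if policy.required_group and policy.required_group not in user.groups:
        return Decision(False, f"not a member of {policy.required_group}", policy.self_service_url)
    # Training check with expiry (the Alaska-style front door).
    if policy.required_training:
        done = user.trainings.get(policy.required_training)
        if done is None:
            return Decision(False, f"training {policy.required_training} not completed",
                            policy.self_service_url)
        if (today - done).days > policy.training_valid_days:
            return Decision(False, f"training {policy.required_training} expired",
                            policy.self_service_url)
    return Decision(True, "all front-door checks passed")


def audit_line(user: User, policy: AppPolicy, decision: Decision, today: date) -> str:
    """One structured line per decision, so denials are visible to security operations."""
    verdict = "ALLOW" if decision.allow else "DENY"
    return f"{today.isoformat()} front-door app={policy.app_id} uid={user.uid} {verdict} reason={decision.reason!r}"


# Constructed sample data (hypothetical users, groups, apps and URLs).
TODAY = date(2025, 5, 30)
USERS = {
    "alice": User("alice", {"staff"}, {"app:gis:licensed"}, {"hipaa": date(2025, 1, 15)}),
    # bob has left, but a stale license-group membership still lists him.
    "bob": User("bob", set(), {"app:gis:licensed"}, {}),
    "carol": User("carol", {"student"}, set(), {"lab-safety": date(2023, 1, 1)}),
}
POLICIES = {
    "gis": AppPolicy("gis", {"staff", "faculty", "student"}, required_group="app:gis:licensed",
                     self_service_url="https://example.edu/request-gis-license"),
    "research-data": AppPolicy("research-data", {"staff", "faculty"}, required_training="hipaa"),
    "lab-portal": AppPolicy("lab-portal", {"student", "staff"}, required_training="lab-safety",
                            self_service_url="https://example.edu/training/lab-safety"),
}


def evaluate_all(today: date = TODAY) -> dict[tuple[str, str], Decision]:
    """Run every user against every app policy and return the decisions keyed by (uid, app)."""
    results = {}
    for user in USERS.values():
        for policy in POLICIES.values():
            decision = front_door_decision(user, policy, today)
            results[(user.uid, policy.app_id)] = decision
            print(audit_line(user, policy, decision, today))
    return results


if __name__ == "__main__":
    evaluate_all()
```

Note what the affiliation rule does for the departed user: the stale license-group entry never matters, because the affiliation check runs first and the deny is logged centrally rather than depending on each application to clean up. The redirect field is what drives a customized error page pointing at a self-service request or training link, which is the mechanism the post credits with reducing help desk tickets.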

Speakers

Chris Hyzer, Application Architect, University of Pennsylvania
Alpha Sanneh, Associate Director, Identity and Access Management, Harvard University
David Bantz, Identity and Access Management, University of Alaska
Steven Mak, IT Architect, University of Pennsylvania
Erin Rankin, Senior Software Engineer, Harvard University
Orlandis Brown, Identity and Access Management, University of Alaska

Q&A

Ahead of the webinar, our speakers offer these valuable insights into the challenges and strategies for navigating authorization at their institutions:

What was one big challenge your institution faced with authorization management before you implemented your current solution? How did you know it was time to make a change?


(Chris Hyzer, Penn): I’ve been interested in this since hearing (over 10 years ago at a TechEx conference) about a California school doing a similar thing. A few years back, we learned about Harvard’s success with it and kicked off our own project. We took our time carefully deciding scope, the number of reference groups and their population, a gradual roll-out, and prioritizing “gold-tier” apps.

(Harvard): There was an assumption that when users left the University, their access was automatically removed, so application owners were inconsistent in taking action to proactively remove access. This left some terminated employees and other departed affiliates to access sometimes sensitive systems and data.

(U Alaska): Departments and administrators with responsibility for compliance with training and certification requirements could not readily enforce, report, or document compliance; a strategic initiative mandated development of tools to do so across the entire institution.

How has your approach impacted end users in terms of experience, administrative efficiency, or security?


(Penn): We’ve not seen any negative issues. It takes time to explain the new function to service teams and carefully pick the right group to use.

(Harvard): During the initial rollout of authorization filters for applications integrated with our SSO system, there was friction when an application owner misjudged the populations accessing their app and applied overly restrictive filters. This resulted in blocked access for legitimate users. We partnered with application teams to better understand their user populations and refine their filters to enable the right access for the right populations.

For institutions that are just starting to explore better authorization control, what advice would you give them? Are there any critical first steps or common pitfalls to avoid?


(Penn): Try to get a mandate from the top since it is difficult and time consuming to motivate service teams.


(Harvard): A mandate from the top is key. We had been offering authorization filters as a service for several years but it wasn’t until our ISDP team instituted a requirement for all applications to have a filter that we got traction with application teams.


(U Alaska): Stop ignoring or offloading authorization to services or to “provisioning” scripts. Start building the infrastructure for “front door” authorization in your IAM infrastructure.

Looking ahead, how do you see authorization management evolving? Are there any new challenges you anticipate or enhancements you plan to implement?


(Penn): Self-service licensing use cases require real-time entitlements from Grouper to Shibboleth, and we are excited to roll out a solution for that in the coming weeks.


(Harvard): We are migrating to Grouper v5 and plan to leverage ABAC groups to base access decisions on user attributes, streamlining both group management and policy enforcement.


(U Alaska): We’ve had a mantra for many years that identity providers assert identity and attributes, but authorization is the distributed responsibility of services; that has not been deployed at scale. The deployments described today provide an alternative that preserves distributed authority but is represented and managed centrally.

Join Us for IAM Online

Interested in learning more about how these institutions are handling complex authorization challenges? Don’t miss our upcoming webinar, “Bridging the Gap: Integrating Authentication with Authorization to Solve Critical Access Challenges in Higher Ed,” on Wednesday, June 18, at 1 p.m. ET.

Attendees will gain practical insights into how these institutions transformed their IAM systems from basic authentication gateways to comprehensive authorization engines. Whether your organization needs training-based qualification verification or robust group-based access control, this session will provide valuable implementation strategies, lessons learned, and architectural blueprints to address similar challenges.



Please note: We’ve introduced a new, improved registration process for our webinars. You’ll now register individually for each webinar, which allows us to deliver content that’s even more aligned with what you want to see. Get ready for more engaging, community-driven webinars designed with you in mind!

Do you have ideas for IAM Webinars you would like to attend? Fill out this form and let us know what you’d like to see.