An Identity Framework for Higher Education Systems

Keeping campuses connected

Colleges and universities have an opportunity to make learning more accessible than ever—but first, they must solve a technology problem. Many campuses use outdated legacy identity systems with sprawling, open-source software. As a consequence, these institutions experience a great deal of technology debt, making a transition towards modern systems disruptive and costly. It’s time to change this approach: the results must justify the expense.

For educational institutions, seamless connections lead to better learning. Cloud apps, like enterprise email and productivity tools as well as learning management systems, provide essential support to students, alumni, and staff. By building networks that allow deep partner connections, enable seamless user access, and support the latest technologies, schools will be equipped to improve their operations and educational delivery.

In higher education, many institutions have multiple affiliated entities connected within a common organizational framework—community college systems, multi-campus universities, and medical or health sciences centers are just a few examples—where a number of independent campuses make their own decisions regarding technology and IT investments. While these campuses operate autonomously, the umbrella organization may use a shared services model to save costs. This means offering the same technology and platforms across all entities, which requires a delicate balance of solutions that easily integrate.

How can higher education institutions participate in a shared identity management framework without relinquishing their independence?

Introducing Okta’s hub and spoke model

Operating within sprawling networks of institutions and applications, higher education needs systems that support identity federation, close collaboration, and sharing of information and resources. Okta’s hub and spoke model can help campuses integrate together under one architecture. This means campuses are empowered to retain access to their distinct systems while also sharing access to cloud and legacy apps, directories, databases, and servers.

[Figure: Okta Hub and Spoke Architecture Model]

The hub and spoke model works like this:

The hub: One system using Okta that provides directory, authentication, and authorization services to the spokes. Hubs act as identity providers by using common identity standards, such as SAML, SCIM, and OpenID Connect. They integrate with the organization’s applications to provide easy, secure access and provisioning capabilities across the network.

The spoke: Campuses using Okta that provide directory, authentication, and authorization services locally to their students, staff, and faculty. Spokes use Okta’s Universal Directory to store user profile and group information. By using Okta’s Org2Org connector, spokes may share user profiles with the hub or other spokes and enable Single Sign-on (SSO) and Multi-Factor Authentication services to work across the system’s shared applications.

When educational institutions adopt the hub and spoke model, they gain the following benefits:


Unlike open source and locked-in solutions, this model lets admins set up and unite different campuses under one roof. Maintaining this structure with a cloud service requires less day-to-day upkeep or manual code.


Education users juggle a sprawl of login credentials for different faculties and app portals. In this model, users in connected campuses can access resources from across the system with a single identity and credential set. This enables users across different campuses to collaborate, share information, and partner on other initiatives.


Legacy systems give threat actors more windows of opportunity. By cutting down on credentials, colleges and universities become less vulnerable to phishing and account takeover. Admins can also monitor activity coming through the hub and spokes—proactively responding to any unusual events or traffic.

Shared services, full control

With a hub and spoke architecture, campuses keep control. They are empowered to implement the apps and services that a system office issues while managing their user repositories and technology investments. Using the Okta Identity Cloud, education system offices (i.e., hubs) are better equipped to deliver apps and platform services, both on-prem and in the cloud, without disrupting campus decision-making.

Each campus may continue to use and manage its own Active Directory repository. In doing so, it provides access to its apps for other spokes in the system and gives its users access to the apps that the hub provides. Users at each campus are able to access all of the college or university's shared applications—and thanks to SSO, they do so in a seamless and secure manner. Admins at the system office have an overhead view of access permissions and can grant access to downstream apps and user repositories as needed.

The diagram below shows the interaction between campuses and a system office:

[Figure: Large System Offices with Multiple Campuses]

Strong networks for each campus

Campuses are strong alone, but better together. The hub and spoke model helps colleges and universities deliver convenient, secure access to technologies across the system, while campuses continue to manage their directories and investments. When staff and students collaborate and access shared resources with ease, higher education shines.

For help bringing a hub and spoke model to your organization, contact Okta today.

About Okta

Okta is the leading independent provider of identity for the enterprise. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time. With over 6,000 pre-built integrations to applications and infrastructure providers, Okta customers can easily and securely use the best technologies for their business.

Over 6,100 organizations, including 20th Century Fox, JetBlue, Nordstrom, Slack, Teach for America and Twilio, trust Okta to help protect the identities of their workforces and customers.

Learn more at