CityU: Untangling legacy systems through a unified identity portal
of all CityU apps and services linked in less than a year
apps and services unified across legacy, on-prem and cloud
active users successfully moved to Okta-enabled Single Sign-On
- A legacy of mixed logins
- Bringing it all together
- A new portal experience
- Fast road to unification
- The future of credentials
City University of Hong Kong (CityU) faced a legacy of disparate logins and identities across many different systems for students, staff and alumni. Every user had to manage multiple logins for different purposes.
CityU needed to find a way to unify all these separate applications and services under a Single Sign-On platform and found Okta’s solution provided the most flexible and future-proof way to achieve the objective.
Using Okta Single Sign-On, MFA and API Access Management, CityU and its partner Master Concept was able to quickly concept and implement a new user portal that supports legacy, on-prem and cloud applications and services across both desktop and mobile platforms.
Okta identity tools have enabled single sign-on access to 90% of all apps and services used by CityU within less than a year. The new unified identity system has also enabled a complete life cycle for students, staff and alumni to move seamlessly through their university journey under a single identity.
While CityU continues to move toward 100% integration of its apps and services into the Okta-powered user portal, the organisation is exploring how its new identity systems can expand into multi-institutional credentials to support wider systems of trust and assurance.
Choosing Okta to deliver us identity as a service could save us a lot of effort in building many business continuity plans and disaster recovery plans because Okta cloud achieved over 99.99% availability in many consecutive years.
Joe Lee, Assistant IT Manager (IAM), City University Hong Kong
Unifying identity across multiple apps and services
City University of Hong Kong is located at the heart of Hong Kong. It’s young, but it has built a strong reputation as a leading centre for research and innovation on the world stage, ranking #4 on a global list of the “Top 50 under 50” universities.
In its fast-growing and wide-ranging academic setting, technology solutions are often added in a piecemeal fashion to solve specific problems in different departments as and when required. But over time, these disparate systems can lead to poor integration and little flexibility across the institution as a whole.
This was a problem that Joe Lee, Assistant IT Manager (IAM) at City University of Hong Kong (CityU), wanted to solve. While the various computing environments were essential to different departments, the demands on 26,000 full-time students and 4,000 staff to manage multiple login credentials for different systems around the university had become too much.
“There are so many user roles at the university,” says Lee. “Researchers, faculties, students, alumni, and even external contractors. The challenge for us is that they could have different entitlements in different systems, which would result in different accounts to remember for access to these applications, which was not an ideal user experience.”
From multiple Active Directory tenancies to Shibboleth SAML and Central Authentication Systems, across over 200 legacy, on-prem and cloud applications and services, CityU struggled to find the best way to unify the governance of its user identity systems into something more effective for user and IT management.
So the mission began to unify identity and access. And CityU turned to Okta to deliver the solution.
Seamless access with Single Sign-On
CityU worked with its technical partner, Master Concept, to implement an Okta-powered CIAM solution that would deliver a single sign-on experience to simplify and improve the overall experience for all staff, students, and alumni of the university.
“Master Concept was very willing to explore and understand our existing infrastructure and technologies and find us the best solution available, but co-developed by our team as well. This is the partnership we have been looking for,” says Lee. “Whether built from deep experience or drawn from the Okta knowledge base, we’ve aimed to follow best practices and not reinvent the wheel.”
In deciding to make Okta the CityU Workforce & Customer IAM solution provider, Lee says Okta’s leadership in the Gartner Magic Quadrant was critical, closely followed by its support for the most second factor solutions, whether the likes of Yubico or new passwordless solutions.
“We want to ensure that what we’ve done right now will enable us to future-proof this investment,” says Lee.
Lee emphasises that the university IT management wants the team to hone its expertise in its core function: providing tech services to the university. Access and identity management is its own area of expertise that can be outsourced to a partner like Okta. This ensures CityU gets the best of both worlds - with the internal team focused on providing top-notch computing services on site, while identity and access tools are managed by external experts who operate according to industry best practice standards.
“Choosing Okta to deliver us identity as a service could save us a lot of effort in building many business continuity plans and disaster recovery plans because we expect Okta cloud will be highly available and resilient.”
Deep identity integration through Okta APIs
From the beginning of the journey in early 2020, Lee, Master Concept and Okta worked closely together to achieve a result that now unifies identity across 90% of the university’s applications and digital services.
“The proof of concept was really quick, just a few weeks,” says Lee. “The whole process went through very quickly and the deployment wasn’t as difficult as we had expected.”
Timing was also critical in performing rollout to various applications. This is so that it wouldn’t interfere with important periods of the university year, whether it be enrolment windows or crucial exam periods when uninterrupted access would be important to all staff and students.
To ensure the smoothest possible experience for all users, CityU and Master Concept used Okta APIs to build a unified app portal. This shows each user all the university applications that have been integrated into the Okta-powered identity platform to date. A single unified profile was also built for every user in the university ecosystem. Every individual can have a life cycle as a member of the university faculty, from student to staff or alumni.
“We built bespoke profile pages in our Enterprise Resource Planning in the past that we are now migrating to Okta,” says Lee. “These are very lightweight applications built in Okta versions because we leverage the widget API and don’t need to duplicate effort to do password resets or changes in our ERP anymore.”
The new identity capabilities also extend easily to the CityU mobile applications.
“Okta provided the SDK for us to do authentications and integrations into our mobile app, and we could do our own multi-factor authentication apps,” saysLee. “All the tools and APIs available to us could help us build our applications faster or to maintain our applications in a more secure way.”
Visibility and support benefits
With a new Okta-enabled Single Sign-On system in place, one of the added benefits of the unified identity platform for CityU is a greater sense of visibility around user access and identity across all university platforms.
“In the past, users did not know how their identity accounts had been used in the past few months and now, they have that visibility,” says Lee. “They are more conscious about account security compared to in the past because they couldn’t watch the logs.”
“Our service desk now has visibility of user logins, so they know whether they are successfully logged in, their Wi-Fi connectivity status, or if there is an account authentication issue. They can now provide more accurate and more responsive solutions.”
The future of credentials
With most of the work now completed on CityU’s identity unification project, Lee is exploring future plans for where identity and credential management can go in the university sector.
“We have been working with some other universities to build a blockchain-based credentials platform,” says Lee. “We plan to ensure the level of trust in identity can then become a trusted credential that can work across other institutions. In the long-run, credentials and identity is not just a challenge for institutions like us. It’s a challenge for every single organisation as well, and we hope to be able to solve that with Okta.”
About City University of Hong Kong
City University of Hong Kong (CityU) is the nation’s leading university and a global top ranking academic institution, catering to students from across the globe with a great tradition in research and industry partnership. CityU boasts staff from 35 countries around the world and ranks #4 on a “Top 50 under 50” global ranking in 2021.