Identity Automation & CUES Project: Feedback Submission
We welcome your questions, comments, and suggestions regarding the Identity Automation & CUES Project. Your feedback is essential for us to improve and ensure the project effectively meets your needs. Please use this form to share your thoughts. Thank you for your valuable input!
CUES: Questions/Comments/Suggestions
What is RapidIdentity?
RapidIdentity is an identity and access management (IAM) platform designed to streamline user management, enhance security, and improve operational efficiency. It helps organizations manage user identities, automate access provisioning, and integrate with various systems and applications.
Accessibility
The student login options presented for young non-readers included scanning a QR code or selecting an image. Are there alternative login methods that would be more accessible for young learners who are blind or visually impaired?"
We recommend using a simple password, such as one containing only numbers. Pictographs are accessible and can be read by screen readers.
Administration
Will there be a dashboard to enter data and push it in Munis and/or IC?
In many instances, we push data back into Munis and IC, specifically email addresses. We haven't reached that part of the project yet, but it is not unthinkable for this to be fully automated.
Can identities be customized? Will districts have any customizable fields? Example: Google Districts can only use FirstName LastName OR LastName, FirstName - Cannot use LastName, FirstName – District or Title Script to append last name – i.e., Woods (Technology Dept)
Some things can be customized on a district level, and some things will be set as standard across all districts. We do not have a list of those things yet, and we will utilize feedback from districts to help with those decisions.
Will there be an SSO to replace Clever?
We do have an SSO Portal that can replace Clever. The process of rolling that out is still being finalized. Integration with Clever is an anticipated deliverable.
Looking at when staff is offboarded, are we looking at and active / inactive field to auto disable account from Munis verses end date? End Date may cause last check to not be processed? (conversation with another district).
This is being evaluated right now and will be sent out for validation this week.
Device Authentication
From the regional meeting: Melissa mentioned during a call that JAMF will be used for MacOS devices. What does this look like? Is there a MacOS agent, or will JAMF need to set the password on the MacOS device for the user?
We have an integration with JAMF. If you have JAMF, we will just need to set up the connectors, and then the RapidIdentity screen will be used to login to the Mac
Enablement/Support
I notice on linked in IA has 90 employees. Only 13% work in support. This comes out to be 11 full-time techs. How will IA be able to support districts with onboarding during the process with such a small quantity of support? Will we be able to utilize their support or will we rely on the KETS help desk?
IA’s enablement team will work closely with district stakeholders to ensure a smooth transition, offering guidance, resources, and training to address any challenges. We aim to empower the district with the knowledge and tools necessary for successful adoption and long-term sustainability. We will remain available for ongoing assistance, helping to troubleshoot issues, optimize processes, and ensure the implementation meets the district's needs and objectives before transitioning the district to support and customer success.
GO! View Portal
Can we make apps available in the IdentityPortal by school or even specific student groups within a school (e.g., by specific course/section, EL students/staff only, 3rd grade only)? Many of our apps are purchased by a handful of schools or even a small number of licenses within a school instead of district-wide.
Yes, they can be filtered down to user attributes, including grade levels and schools, as long as we are consuming the data from IC.
Naming (Preferred Names, Renames)
The student's legal name is Samantha, but she would like to be called Steven. Parents call to have this information updated. How would this be handled in RapidIdentity?
Preferred names can be handled; we will work with KDE to discuss per-district configuration on preferred name handling. (We’ll revisit your questions as things progress to offer a more comprehensive answer).
How would we handle staff accounts with email addresses if they would like a nickname instead of their legal name? For example, a staff member whose legal name is Joshua Smith would like to be called Josh. How will email address generation work?
This option can be configured on a per-district basis, which we will discuss with KDE. (We’ll revisit your questions as things progress to offer a more comprehensive answer.)
Offboarding
Will there be an option for email accounts to be available past their last employment/enrollment date? For example, 30 days for staff and 120 days for seniors.
Depending on the design and implementation of the state and district tenant. There will be an option.
For accounts that have an end date, when would these accounts be deleted versus inactivated?
We expect some sort of per-district configuration around a disable for x period of days then delete if not reactivated.
Onboarding
How fast will password sync occur when user makes the change in Rapid Identity?
The initial sync will be within minutes; some systems, such as AD, will have an additional internal replication delay.
Operational
What does RapidIdentity look like?
The current plan is to have an “all-day” strand at the KySTE Fall event specific to CUES with Identity Automation in attendance. While the agenda is not finalized yet, the intent would be to conduct a full demonstration of product features, architecture, and integration (sandbox).
Examples:
Login Screens:
Applications Go! View:
Does RapidIdentity have a LaunchPad like ClassLink LaunchPad or Clever Portal?
Yes, RapidIdentity does have a portal. The RapidIdentity portal is designed to give users a centralized location to manage their identities and access various applications. It typically provides features like:
Single Sign-On (SSO): Users can log in once and access multiple applications without needing to re-enter credentials.
User Management: Admins can manage user accounts, permissions, and roles from within the portal.
Self-Service: Users can perform tasks like password resets, profile updates, and account management.
The portal's design and functionality can vary depending on the implementation and the specific needs of the organization using RapidIdentity.
Does RapidIdentity have a rostering solution like ClassLink rostering?
RapidIdentity Studio Rostering is a component within the RapidIdentity suite designed to manage and automate educational institutions' rostering processes.
RapidIdentity Studio Rostering provides a streamlined solution for managing student and staff data, automating the creation and maintenance of user accounts, and ensuring that rosters are accurately synchronized across various educational applications and systems.
Key Features:
Automated Data Synchronization:
Syncs user data, including student and staff information, across multiple systems and applications, reducing manual data entry and errors.
Integration with SIS:
Integrates with Student Information Systems (SIS) to automatically import and update rosters based on the latest enrollment data.
Role and Group Management:
Automatically assigns roles, permissions, and groups based on predefined rules or data from SIS, ensuring that users have appropriate access to applications and resources.
Data Import and Export:
Supports importing and exporting data in various formats, making it easier to integrate with other systems or perform data migrations.
Customizable Roster Management:
Provides tools for customizing roster data and managing exceptions, allowing for flexible handling of unique cases or specific institutional needs.
How fast will provisioning occur once someone has been put into the "source of truth? How often will provisioning occur? Every 15 minutes? Every hour? Once a day?
Target systems can be implemented as soon as they're created in RI based on the schedule we set. The schedule can be set as frequently as needed, depending on how the state and district are implemented.
If RapidIdentity is the IDP, will we be able to customize the fields we need filled? We know we can do this with Infinite Campus.
RapidIdentity is a fully customizable IDP that allows for various attributes to be sent for each application.
One of the big jobs we have to do early in each school year is updating the pictures of students in IC and other applications like our LMS. Will there be a way to connect CUES to school picture companies like Lifetouch to automate picture updates?
There are possibilities, but this would be a per-district implementation outside of the scope of phase 1.
Password Management
Since self service password reset is part of the product, is there an option to send password expiration emails to users as their password is within x days of expiration?
An authentication policy can be crafted to warn users that their RI passwords will expire in X days.
Readiness
What things do I need to do to start preparing for this project?
More details will be provided soon, but data cleanup will definitely need to be addressed, especially concerning staff. Where are your staff accounts located? Are they in Munis, IC, or both? Do you have old, inactive accounts that need to be cleaned up?
Service Accounts
How should "service accounts" be handled? Are these accounts sponsored (without an expiration or with)? Or should we use Azure/Google/AD to create accounts and manage them outside of RI?
Service accounts are not in Phase 1 scope.
Sponsorship
How will RI impact vendor VPN access? Will we leverage sponsored account with VPN group access?
This specific use case would have to be investigated.
Does Rapid Identity have a way to connect to an NAC (network access control - IE Extreme NAC / rgNET / Fortinet NAC ) for identity? This would be used for Guest registration for personal devices but allow the Lightspeed content filter to properly identify the end-user.
This would not be in the scope of Phase 1, but it could be investigated on a district basis.
How about Homeschool students that want to attend an ATC site? These students may or may not be listed in IC.
Homeschool students will need to be designed for.
How does this affect accounts for users that are not listed in Munis since they are not paid?
Adults who traditionally have not been in Munis but need some level of access will either have to be input into Munis or have a sponsored account created for them.
Unique Student Use Cases
I currently have an issue where 15 or so of my students who are enrolled in my SIS are part of an educational academy in another district. This requires them to have that district’s email domain. Currently, I have a script that I run nightly that will overwrite the email addresses for those students so they are able to access everything they need in the academy. Are there any processes currently in place to handle this type of situation, or is this something I will need to continue to manage as I currently am?
This is a use case that will need some clarification and investigation.
How to handle Homeschool students who are going to the Area Technology Center. Some homeschooled students are inactive in IC, and some are not.
This is a use case that will need some clarification and investigation.
We auto-provision student accounts. We have a library of passwords that is age based for complexity level. Once the password is assigned to a user it cannot be assigned to another user. The district maintains a database of student passwords to distribute to students, to troubleshoot issues a student may be experiencing as well as investigate student use. We do not allow students to change their password. Does Rapid Identity have a similar capability?
This specific use case would have to be investigated.