Do you have direct experience with InCommon and REFEDS expectations?

Yes. We deliver InCommon registration support, attribute release policy design aligned to REFEDS Research and Scholarship category, and Shibboleth IdP stewardship. Deliverables include the metadata, entity attributes, and assurance profile artifacts the federation expects.

Can you align IAM evidence across FERPA and HIPAA simultaneously?

Yes — academic medical centers and large research universities live with both. We engineer evidence-as-code so the same control test produces FERPA-aligned and HIPAA-aligned artifacts. The control families overlap heavily; the evidence pipeline only needs to be built once.

Do you handle both Shibboleth on-prem and commercial IdPs?

Yes. Many institutions run a Shibboleth IdP for research federation alongside a commercial IdP (Okta, Entra) for workforce SSO. We engineer the boundary explicitly and engage with both sides under the same operating model.

How do you handle the academic-calendar-driven access cadence?

Academic identity lifecycle is one of the most distinctive scenarios outside of insurance. Term-aligned role transitions, course-bound access scopes, summer-session gaps, and adjunct turnover require lifecycle patterns engineered around the academic calendar — not a generic JML pattern.

What is a typical engagement timeline for a research university?

8-week diagnostic + reference architecture, then phased build over 6-9 months. The first audit-scope is typically faculty / staff workforce identity; research and student environments follow on the next term boundary. Production-stable by the next academic year.

Industry / HIGHER EDUCATION

Identity that survives the federation handoff.

IAM programs for universities, research institutions, and academic medical centers. FERPA, HIPAA, GLBA, InCommon, and Shibboleth aligned.

Request servicesAll industries

Brutalist industry poster — UNIVERSITY. AT SCALE.

Frameworks aligned

FERPA
HIPAA
GLBA
NIST 800-53
InCommon
REFEDS

Where we deliver

Use cases we have shipped in higher education.

Use case · 01
Student lifecycle from admit to alumni
Identity lifecycle spanning admission, matriculation, graduation, and alumni status. Role transitions engineered around the academic calendar; entitlement reviews aligned to FERPA-protected scopes.
Use case · 02
Faculty + staff lifecycle with appointment cycles
Joiner-mover-leaver flows that account for adjunct appointments, sabbaticals, joint appointments across departments, and emeritus status. The HRIS-driven pattern most other industries use breaks here.
Use case · 03
InCommon federation participation
InCommon SAML federation for research collaboration, library subscriptions, and inter-institutional access. Attribute release policy, entity registration, and metadata hygiene engineered up front.
Use case · 04
Shibboleth + SimpleSAMLphp stewardship
On-prem Shibboleth IdP stewardship for institutions with deep federation investment. Migration plans to commercial IdPs (Okta, Entra) where commercial fit warrants — and continued stewardship where it does not.
Use case · 05
Research data access governance
Access governance for grant-funded research environments, IRB-approved studies, and academic medical center data. 21 CFR Part 11, HIPAA Security Rule, and grant-specific access requirements engineered into policy.
Use case · 06
Privileged access for research computing
Privileged session governance for HPC clusters, research data lakes, and academic medical center clinical systems. Just-in-time elevation engineered around the actual research operational tempo.
Use case · 07
Customer identity for online learning
Customer identity for online learning platforms, alumni portals, and continuing education. Federation patterns and external-user lifecycle wired into the academic identity registry.

Higher Education engagements

The buyer archetypes we have shipped programs for.

We hold NDA on most engagements. Tiers below reflect the buyer archetypes we have shipped programs for. References available on request, after mutual NDA.

TB
Tier-1 US Bank
FFIEC · SOX
CB
Custody Bank
GLBA · FFIEC
FA
Federal Agency
FedRAMP High
SS
State System
StateRAMP
HS
Top-10 Hospital
HIPAA · HITRUST
HP
Health Payer
HIPAA
FP
FinTech Platform
PCI-DSS · SOC 2
AM
Asset Manager
SOX · SOC 2

How we engage

Practices that anchor this industry.

FAQ

Common questions.

Do you have direct experience with InCommon and REFEDS expectations?+
Yes. We deliver InCommon registration support, attribute release policy design aligned to REFEDS Research and Scholarship category, and Shibboleth IdP stewardship. Deliverables include the metadata, entity attributes, and assurance profile artifacts the federation expects.
Can you align IAM evidence across FERPA and HIPAA simultaneously?+
Yes — academic medical centers and large research universities live with both. We engineer evidence-as-code so the same control test produces FERPA-aligned and HIPAA-aligned artifacts. The control families overlap heavily; the evidence pipeline only needs to be built once.
Do you handle both Shibboleth on-prem and commercial IdPs?+
Yes. Many institutions run a Shibboleth IdP for research federation alongside a commercial IdP (Okta, Entra) for workforce SSO. We engineer the boundary explicitly and engage with both sides under the same operating model.
How do you handle the academic-calendar-driven access cadence?+
Academic identity lifecycle is one of the most distinctive scenarios outside of insurance. Term-aligned role transitions, course-bound access scopes, summer-session gaps, and adjunct turnover require lifecycle patterns engineered around the academic calendar — not a generic JML pattern.
What is a typical engagement timeline for a research university?+
8-week diagnostic + reference architecture, then phased build over 6-9 months. The first audit-scope is typically faculty / staff workforce identity; research and student environments follow on the next term boundary. Production-stable by the next academic year.

Talk to us

Ready to scope a higher education engagement?

Same-day reply during business hours. NDA on request before discovery.

Request servicesTalk to a practice lead

Industry / HIGHER EDUCATION

Identity that survives the federation handoff.

IAM programs for universities, research institutions, and academic medical centers. FERPA, HIPAA, GLBA, InCommon, and Shibboleth aligned.

Request servicesAll industries

Frameworks aligned

FERPA
HIPAA
GLBA
NIST 800-53
InCommon
REFEDS

Where we deliver

Use cases we have shipped in higher education.

Use case · 01
Student lifecycle from admit to alumni
Identity lifecycle spanning admission, matriculation, graduation, and alumni status. Role transitions engineered around the academic calendar; entitlement reviews aligned to FERPA-protected scopes.
Use case · 02
Faculty + staff lifecycle with appointment cycles
Joiner-mover-leaver flows that account for adjunct appointments, sabbaticals, joint appointments across departments, and emeritus status. The HRIS-driven pattern most other industries use breaks here.
Use case · 03
InCommon federation participation
InCommon SAML federation for research collaboration, library subscriptions, and inter-institutional access. Attribute release policy, entity registration, and metadata hygiene engineered up front.
Use case · 04
Shibboleth + SimpleSAMLphp stewardship
On-prem Shibboleth IdP stewardship for institutions with deep federation investment. Migration plans to commercial IdPs (Okta, Entra) where commercial fit warrants — and continued stewardship where it does not.
Use case · 05
Research data access governance
Access governance for grant-funded research environments, IRB-approved studies, and academic medical center data. 21 CFR Part 11, HIPAA Security Rule, and grant-specific access requirements engineered into policy.
Use case · 06
Privileged access for research computing
Privileged session governance for HPC clusters, research data lakes, and academic medical center clinical systems. Just-in-time elevation engineered around the actual research operational tempo.
Use case · 07
Customer identity for online learning
Customer identity for online learning platforms, alumni portals, and continuing education. Federation patterns and external-user lifecycle wired into the academic identity registry.

Higher Education engagements

The buyer archetypes we have shipped programs for.

We hold NDA on most engagements. Tiers below reflect the buyer archetypes we have shipped programs for. References available on request, after mutual NDA.

TB
Tier-1 US Bank
FFIEC · SOX
CB
Custody Bank
GLBA · FFIEC
FA
Federal Agency
FedRAMP High
SS
State System
StateRAMP
HS
Top-10 Hospital
HIPAA · HITRUST
HP
Health Payer
HIPAA
FP
FinTech Platform
PCI-DSS · SOC 2
AM
Asset Manager
SOX · SOC 2

How we engage

Practices that anchor this industry.

FAQ

Common questions.

Do you have direct experience with InCommon and REFEDS expectations?+
Yes. We deliver InCommon registration support, attribute release policy design aligned to REFEDS Research and Scholarship category, and Shibboleth IdP stewardship. Deliverables include the metadata, entity attributes, and assurance profile artifacts the federation expects.
Can you align IAM evidence across FERPA and HIPAA simultaneously?+
Yes — academic medical centers and large research universities live with both. We engineer evidence-as-code so the same control test produces FERPA-aligned and HIPAA-aligned artifacts. The control families overlap heavily; the evidence pipeline only needs to be built once.
Do you handle both Shibboleth on-prem and commercial IdPs?+
Yes. Many institutions run a Shibboleth IdP for research federation alongside a commercial IdP (Okta, Entra) for workforce SSO. We engineer the boundary explicitly and engage with both sides under the same operating model.
How do you handle the academic-calendar-driven access cadence?+
Academic identity lifecycle is one of the most distinctive scenarios outside of insurance. Term-aligned role transitions, course-bound access scopes, summer-session gaps, and adjunct turnover require lifecycle patterns engineered around the academic calendar — not a generic JML pattern.
What is a typical engagement timeline for a research university?+
8-week diagnostic + reference architecture, then phased build over 6-9 months. The first audit-scope is typically faculty / staff workforce identity; research and student environments follow on the next term boundary. Production-stable by the next academic year.

Talk to us

Ready to scope a higher education engagement?

Same-day reply during business hours. NDA on request before discovery.

Request servicesTalk to a practice lead

Identity that survives the federation handoff.

Use cases we have shipped in higher education.

Student lifecycle from admit to alumni

Faculty + staff lifecycle with appointment cycles

InCommon federation participation

Shibboleth + SimpleSAMLphp stewardship

Research data access governance

Privileged access for research computing

Customer identity for online learning

The buyer archetypes we have shipped programs for.

Practices that anchor this industry.

Identity Governance Administration

Privileged Access Management

Custom Iam Development

Common questions.

Ready to scope a higher education engagement?

Identity that survives the federation handoff.

Use cases we have shipped in higher education.

Student lifecycle from admit to alumni

Faculty + staff lifecycle with appointment cycles

InCommon federation participation

Shibboleth + SimpleSAMLphp stewardship

Research data access governance

Privileged access for research computing

Customer identity for online learning

The buyer archetypes we have shipped programs for.

Practices that anchor this industry.

Identity Governance Administration

Privileged Access Management

Custom Iam Development

Common questions.

Ready to scope a higher education engagement?