Enterprise Directory

The Enterprise Directory (ED) is the enterprise system of record for identity and access management (IAM) for Virginia Tech. ED supports the following IAM capabilities:

  1. Authentication
  2. Authorization
  3. Directory services
  4. Single sign-on

The Enterprise Directory exposes two primary protocols for integration:

  1. LDAP - High-performance read-only services (authentication, authorization, directory searches)
  2. HTTP - REST API for read-write operations

Single sign-on services are provided by the Login Service, which is built on top of the LDAP protocol interface.

Authentication

Virginia Tech user accounts, historically called “PIDs”, follow a lifecycle shown in the following diagram:

PID Lifecycle Diagram

Two important policy points are notable in this diagram:

  1. Authentication is permitted only while an account is in the active state.
  2. Accounts can easily be resurrected from the first deprovisioning state (shelved), but not from any subsequent state.

A notable policy point not apparent from the diagram is that most accounts never reach the shelved state. Only accounts such as those of parents, contract employees, and guests are subject to deprovisioning. Thus Virginia Tech user accounts are typically “for life.”