The University of Basel is fundamentally modernizing its historically grown and complex IAM landscape. Instead of a multitude of different identity providers and inconsistent MFA procedures, a central Identity Fabric now consolidates up to 30,000 user accounts, standardizes authentication processes, and closes security gaps.
In collaboration with iC Consult, the university is introducing a central identity provider and a Privileged Access Management (PAM) solution – laying the foundation for enhanced security, reduced attack surfaces, and significantly simplified administration.
Customer & Project Overview
Customer Profile
Industry: Public Sector
Headquarters: Basel, Switzerland
Employees: > 5,000
Number of Identities: 30,000
Founded in 1460, the University of Basel is the oldest university in Switzerland. With a total of seven faculties, it is a research-intensive, internationally oriented institution with a strong focus on life sciences and medicine. Today, the University of Basel has around 13,000 students from over 100 nations, as well as approximately 3,000 researchers, doctoral candidates, and postdocs. International university rankings place it among the top 150 universities worldwide and among the top 15 in the German-speaking region.
Design and implementation of a scalable Identity Fabric architecture and a robust Privileged Access Management solution using PingAM and One Identity Safeguard for up to 30,000 internal and external identities, including migration
- One Identity Safeguard
- Ping Identity Platform
- System Integration by iC Consult
Results
Consolidation of up to 30,000 active identities into a unified Identity Fabric with consistent security and data protection standards
Implementation of a central Identity Provider (IDP) based on Ping Identity technology across the entire application landscape to standardize authentication and MFA processes
High scalability enabled by a modular architecture, allowing for the future integration of hundreds of additional applications
Integration of all administrators of the central IT provider “IT Services” into the PAM solution One Identity Safeguard for centralized control of privileged access
Fully automated password rotation for privileged accounts to minimize the risk of misuse and increase compliance
Seamless implementation of One Identity Safeguard, with standard use cases successfully realized within six months
Situation
The University of Basel faced the challenge of consolidating and modernizing its identity management environment, which had evolved over many years and become highly fragmented. Numerous faculties and external institutions were using different identity providers and MFA procedures – with varying security and data protection standards. The result: high administrative effort, complex processes, and increased security risks.
Until now, the university relied exclusively on SAP’s integrated identity management functionalities. When the ERP provider announced in 2020 that certain IAM components would only be supported until 2027, it became clear that a viable alternative needed to be identified and implemented in good time.
With his appointment as project lead in January 2021, Alexander Kessinger, Team Lead Identity & Access and Windows Services & Groupware, decided to reposition the topic from the ground up – not only technically, but strategically. His goal: a secure, future-proof, and holistic Identity & Access Management framework. The roadmap included consolidating the distributed identity providers, introducing Privileged Access Management (PAM), and firmly embedding governance. In the long term, identities, access rights, governance, and privileged accounts were to be brought together in a single unified self-service platform.
To award the contract, the university launched a two-stage public tender process. The requirements were divided into three lots:
- Lot 1: Identity Provider and Privileged Access Management
- Lot 2: Identity Governance Administration
- Lot 3: Unified Self-Service Portal
iC Consult was awarded the contract for Lot 1. Decisive factors included the experience, cultural fit, and trust in a collaborative partnership. “It was particularly important for us to have a partner who understands our culture, takes our needs seriously, and can reliably support us at all times,” emphasizes Alexander Kessinger.
Before the project could begin, the formal requirements of the public sector had to be fulfilled: a comprehensive proof of concept, as well as an information security and data protection concept (ISDS) required by the canton, to ensure that the protection of critical data and information would be guaranteed at all times.
Solution
Central Identities and Protected Privileges in the New IAM Architecture
Following the successful proof of concept, the University of Basel, together with iC Consult, began implementing the new Identity Fabric. The first step was the introduction of a central Identity Provider (IDP).
Over many years, a heterogeneous landscape had developed at the university: each faculty and numerous external institutions – including the affiliated university hospitals – had implemented their own solutions and different multi-factor authentication methods. Some systems were connected to Active Directory, others to Microsoft Entra ID or to SWITCH edu-ID, the nationwide and globally federated login for members of Swiss higher education institutions. This situation resulted in a complex architecture that was difficult to manage and presented numerous potential points of attack.
The objective was clear: in the future, all authentications should run through a central IDP – with uniform and consistent MFA. Regardless of which application is accessed, the login process would always be routed through the same solution.
From a product perspective, the experts at iC Consult recommended the use of Ping Identity. The decisive factors were the platform’s flexibility and high scalability, enabling the university’s specific requirements to be precisely mapped – particularly with regard to the planned integration of hundreds of applications.
Our priority was to find a partner who not only delivers the best technological fit, but also builds the necessary trust and aligns with us on a human level.
Alexander Kessinger, Team Lead Identity & Access and Windows Services & Groupware, University of Basel
Security, Control, and Transparency – Powered by One Identity Safeguard
The second key building block was the introduction of a comprehensive PAM solution for accounts with extensive privileges – particularly IT administrators. The focus was on centralizing access to privileged accounts, securing it according to the principle of least privilege, and ensuring that all activities on target systems are fully documented and traceable.
iC Consult implemented One Identity Safeguard as the central PAM solution. The software was deployed as a hardened virtual appliance and integrated on-premises into the existing VMware environment. Following the base installation, it was connected to Active Directory, enabling all authorized users to log in seamlessly with their existing accounts. Safeguard automatically detects privileged accounts via a discovery mechanism and continuously synchronizes them.
To prevent security risks associated with reused or long-standing passwords, the solution automatically generates passwords, changes them after a single use, and injects them directly into target systems during RDP sessions via credential injection. This eliminates manual password handling and drastically reduces the risk of misuse. At the same time, all privileged sessions can be monitored and recorded if necessary – making a significant contribution to compliance, auditability, and full traceability. “Safeguard acts as a gatekeeper between privileged users and their target systems, ensuring that they receive only the access rights they truly need,” explains Floyd Spuhler, Senior Consultant & PAM Lead at iC Consult.
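The PAM workflow described above (discovery of privileged accounts, credential injection so the administrator never sees the password, rotation after a single use, and a recorded, auditable session) can be modeled in a few dozen lines. The following is an added illustration written for this page; it is not code from the University of Basel, iC Consult, or One Identity Safeguard, and all names (PamVault, open_session, the constructed host and account list) are assumptions chosen for the example. The RDP proxy handshake is replaced by a stand-in method, since the point is the control flow, not the protocol.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: accounts a discovery run would import from target systems.
DISCOVERED_ACCOUNTS = [
    ("srv-db01", "Administrator"),
    ("srv-app02", "Administrator"),
    ("srv-db01", "svc-backup"),
]


def generate_password(length: int = 32) -> str:
    """Vault-generated secret; CSPRNG-backed so rotation never repeats a value."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class PrivilegedAccount:
    host: str
    username: str
    password: str                      # current vaulted secret; never handed to a human
    checked_out_by: Optional[str] = None


@dataclass
class Session:
    session_id: str
    requester: str
    account: PrivilegedAccount
    recording: list = field(default_factory=list)   # commands captured for audit


class PamVault:
    """Hypothetical gatekeeper sitting between privileged users and target systems."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: dict = {}
        self.audit: list = []
        self.rotations = 0

    def _log(self, event: str, **details) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})

    def discover(self, found) -> int:
        """Import privileged accounts; re-running is idempotent (continuous sync)."""
        added = 0
        for host, user in found:
            if (host, user) not in self.accounts:
                self.accounts[(host, user)] = PrivilegedAccount(host, user, generate_password())
                self._log("discovered", host=host, user=user)
                added += 1
        return added

    def _inject_credential(self, acct: PrivilegedAccount) -> bool:
        # Stand-in for the proxy authenticating to the target on the user's behalf.
        return len(acct.password) >= 32

    def open_session(self, requester: str, host: str, username: str) -> Session:
        acct = self.accounts[(host, username)]
        if acct.checked_out_by is not None:      # one holder at a time: clear accountability
            raise PermissionError(f"{host}/{username} already in use by {acct.checked_out_by}")
        acct.checked_out_by = requester
        login_ok = self._inject_credential(acct)  # requester only ever gets the session handle
        session = Session(secrets.token_hex(8), requester, acct)
        self.sessions[session.session_id] = session
        self._log("session_opened", session=session.session_id, requester=requester,
                  host=host, user=username, login_ok=login_ok)
        return session

    def record(self, session: Session, command: str) -> None:
        session.recording.append(command)

    def close_session(self, session: Session) -> None:
        acct = session.account
        acct.password = generate_password()      # single use: the injected value is now dead
        acct.checked_out_by = None
        self.rotations += 1
        self._log("session_closed", session=session.session_id,
                  commands=len(session.recording), rotated=True)
        del self.sessions[session.session_id]


def demo() -> dict:
    """Run one discovery, one recorded session, and report what the audit trail shows."""
    vault = PamVault()
    vault.discover(DISCOVERED_ACCOUNTS)
    before = vault.accounts[("srv-db01", "Administrator")].password
    s = vault.open_session("alice", "srv-db01", "Administrator")
    vault.record(s, "Get-Service")               # constructed command for the recording
    vault.close_session(s)
    after = vault.accounts[("srv-db01", "Administrator")].password
    return {"rotated": before != after, "events": [e["event"] for e in vault.audit]}
```

The two properties worth checking are that the secret the session used is never valid afterwards (every close rotates it) and that every state change leaves an audit event, which is what makes the "fully documented and traceable" claim testable rather than aspirational.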
Outlook
IAM Modernization with a Clear Target Vision
To ensure a smooth transition, identities and access rights will initially continue to be managed via the existing SAP Identity Management solution. At the same time, the central Identity Provider has already assumed control of authentication at an early stage. In parallel, the university is gradually migrating all accounts to the new Identity Fabric. The replacement of SAP IdM with the IGA component is planned by the end of 2027; by then, all human and non-human accounts are to be consolidated within the central Access Manager.
A key aspect of the project is the gradual build-up of expertise required for the independent operation of the IDP solution. The experts at iC Consult are therefore supporting the University of Basel with continuous training measures to sustainably strengthen internal IAM competencies. The goal is to enable the team, in the long term, to independently manage and operate the entire Identity Fabric landscape.
The results achieved so far underline the success of the initiative:
- 30,000 identities – including 13,000 students, 5,000 employees, and 12,000 doctoral candidates, researchers, postdocs, NHI, service and functional accounts, associates, guests, and external users – have already been migrated to the Identity Fabric.
- The PAM solution based on One Identity Safeguard was installed within just six months and standardized for initial use cases.
- The solution lays the foundation for reduced administrative effort and a smaller attack surface, while at the same time increasing governance and transparency. It also benefits end users by reducing complexity through the automated management of privileged accounts in Safeguard in line with the least-privilege principle.
“These milestones give us great confidence for the future and confirm that we are on the right track. The strengths of our modern architecture have also been demonstrated in initial BCM tests,” emphasizes Kessinger.
With this foundation in place, the University of Basel is ideally positioned to independently advance its security and governance strategy over the long term and to flexibly address future requirements.