The Challenge
This Ivy League research university presented one of the most architecturally complex identity challenges in our history. The institution encompassed 11 academic schools — Management, Law, Medicine, Engineering, and more — each with its own authoritative data source, user schema, and identity lifecycle. Two affiliated teaching hospitals maintained separate clinical identity systems governed by HIPAA. Three government research institutions with funding and research partnerships required federated access with strict data sovereignty controls. The result was a fractured identity landscape where a single person — a medical school professor who also held a hospital appointment and led a government-funded research lab — could exist as three or more distinct identities with no correlation between them. Legacy Oracle Identity Manager (OIM) underpinned the existing governance layer, but it could not reconcile the schema conflicts, overlapping populations, or complex affiliation hierarchies that defined this environment.
Our Approach
Conducted a comprehensive identity audit across all 16 institutions — 11 schools, 2 hospitals, 3 government research partners — mapping every authoritative source, user schema, attribute taxonomy, and lifecycle rule. Identified critical data quality issues including duplicate identities, conflicting attributes, and orphaned accounts spanning academic, clinical, and research populations.
Deployed Radiant Logic Virtual Directory Services (VDS) as the identity virtualization bridge between all disparate authoritative sources. Designed complex global interception scripts and virtualized views to normalize incompatible schemas — resolving attribute conflicts, deduplicating cross-institutional identities, and constructing a unified user schema without requiring any source system to change its native data model.
Rebuilt the centralized Active Directory and ADFS infrastructure from the ground up — designing an OU structure that reflected the university's complex organizational hierarchy while supporting the affiliation model (a user can simultaneously be faculty in Medicine, staff at the hospital, and a PI on a government grant). SailPoint IIQ replaced legacy OIM for identity governance, with lifecycle rules that respected the multi-affiliation reality of academic identity.
Implemented SiteMinder and Shibboleth for SSO across academic and research applications — SiteMinder for enterprise and administrative systems, Shibboleth for InCommon and eduGAIN federated research applications. Both IdPs sourced identity from the unified VDS layer, ensuring consistent authentication regardless of which school, hospital, or research institution the user belonged to.
Engagement Timeline
Institutional Audit & Schema Mapping
Weeks 1-4: Identity audit across all 16 institutions, authoritative source catalog, schema taxonomy analysis, data quality assessment, duplicate and orphan identification.
VDS Architecture & Interception Design
Weeks 5-8: Radiant Logic VDS deployment, global interception script development, complex view design for schema normalization, cross-institutional identity correlation logic.
Directory Rebuild & IGA Deployment
Weeks 9-14: Active Directory and ADFS ground-up rebuild, OU hierarchy design for multi-affiliation model, SailPoint IIQ deployment replacing legacy OIM, lifecycle rule configuration.
SSO Federation & Integration
Weeks 15-18: SiteMinder deployment for enterprise SSO, Shibboleth configuration for InCommon/eduGAIN federation, IdP-to-VDS integration, multi-institution authentication testing.
Validation & Operational Handoff
Weeks 19-20: Cross-institutional identity validation, multi-affiliation lifecycle testing, SSO regression across all 16 institutions, runbook delivery, hypercare.
The Results
All 16 institutions — 11 academic schools, 2 hospitals, 3 government research partners — unified into a single identity fabric through Radiant Logic VDS, with zero disruption to existing source systems.
Complex multi-affiliation identities resolved — users with appointments across schools, hospitals, and research institutions now represented as a single correlated identity with all affiliations intact.
Centralized Active Directory and ADFS rebuilt from the ground up with a schema that supports the full complexity of academic identity — nested affiliations, time-bound appointments, cross-institutional roles.
Unified SSO via SiteMinder and Shibboleth — students, faculty, staff, clinicians, and researchers authenticate once and access applications across all 16 institutions seamlessly, including InCommon-federated research platforms.
"Our identity landscape was the most complex I have ever seen — 11 schools, 2 hospitals, 3 government partners, and users who exist in multiple institutions simultaneously. TechSquad did not simplify by cutting corners. They built a virtualization layer that respects every source system while giving us, for the first time, a single view of every identity. The VDS interception scripts alone were a work of engineering art."
CIO, Ivy League Research University