Identity and Access Management

Identity and Access Management (IAM) is about linking persons and systems to campus services and data resources. IAM services are about identifying persons, their relationship(s) to the university and campus, and facilitating their access to the resources that their roles and relationships require. The key components in these services are authoritative person data, user (account) services that connect people to applications and resources, authentication (ensuring that you are who you say you are) and authorization (confirming that you are permitted or entitled to do these things.)

IAM services rely on trustworthy university data (Campus Solutions and HRMS records) to identify faculty, staff, students and other campus community members and to provide information and some level of assurance that these persons are who they say they are. IAM services are influenced heavily by the content of this university "source" data and are subject to data appropriate use and security policies and procedures.

ServiceWho May Get ItFeatures
IdentiKey (Authentication Services)

Students, faculty, staff, graduates, retirees and POIs

Other customers, including sponsored affiliates and campus participants from groups and organizations doing work with or on behalf of CU Boulder

  • Your key to online campus resources like portal systems, email services, UCB Wireless and CU Boulder's learning management systems.
  • An IdentiKey represents a personally identified account. It authenticates you, granting access to CU and CU Boulder computing resources according to your relationship(s) with the university.
IdentiKey ManagerAll CU Boulder community members and affiliates with a CU Boulder IdentiKey
  • Activate your IdentiKey account(s)
  • Change your password and security questions
  • Choose your display name
  • Manage your email addresses
  • Activate non-primary accounts
Enterprise Access Management (Grouper)Faculty, staff and student employees who have been provided access to the tool
  • Access to automated groups, such as departments, job codes, affiliation, and description to create composite groups that can be catered to your access needs
  • Management of Exchange Distribution Lists
Microsoft Multi-Factor AuthenticationFaculty, staff, students and affiliates using Microsoft 365
  • Microsoft MFA is required to log in to Microsoft 365 apps.
Duo Multi-factor Authentication

Faculty, staff and students accessing MyCUInfo or Buff Portal

System administrators and some staff with privileged access for additional services

  • Duo MFA is required to log in to Buff Portal and MyCUInfo.
  • OIT requires Duo MFA for system administrators and others privileged access connecting from off-campus to critical systems.
Single Sign On (SSO)System administrators have access to request single sign on for their serviceIdentity and Access Management can enable Microsoft Entra or Federated Identity Service (Shibboleth) for users looking to simplify access to your software-as-a-service (SaaS) apps.

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) increases account security by using multiple forms of verification to prove your identity when signing in to an application. CU Boulder uses two different products for MFA to access different services: Duo MFA for access to Buff Portal and MyCUInfo, and Microsoft MFA for Microsoft 365 applications. To learn more, enroll or troubleshoot either product, please visit the pages below.

Duo MFA for Buff Portal and MyCUInfo

Microsoft MFA for Microsoft 365

Related Policies