Pavia is an Italian state university officially established as a Studium
Generale by Emperor Charles IV in 1361.
It is one of the oldest universities in Europe and part of the Coimbra Group (a European association of 39 universities, some of them among the oldest and most prestigious in Europe, founded in 1985 and formally constituted in 1987).
Recently, a discussion arose around the benefits of deploying a complete
Identity & Access Management (IAM) solution in the IT infrastructure of this
prestigious university. After some consideration of the current physical
access control systems, it was concluded that such a solution would bring a
double benefit: first, it would address the need to improve the current
mechanisms for controlling access to online resources, and second, it would
improve access control to physical resources, such as car parks and
restricted areas.
By including physical resources, the discussion moved to a higher level: from a classic IAM solution to the evaluation of a Physical Identity & Access Management (PIAM) solution.
A PIAM project was identified that, because of its size, complexity,
uncertainty about requirements and the existence of possible alternatives,
required in-depth study in advance.
This in-depth analysis was the result of a feasibility study that took into account all the IT systems involved in the project area, both hardware and software.
The solution proposed by Tirasa is shown in the figure below.
The proposed solution includes peripheral systems, car parks, restricted areas and libraries, shown on the left side of the figure, that communicate via HTTP(S) with the central system. This system, which provides all the functionality for Identity Management, Access Control and Single Sign-On, is based on two main components:
All the other resources highlighted in this study rotate around this central
These resources are generally affected by data synchronization operations. From them, the IdM retrieves the information to be synchronized locally.
The resources attached to the peripheral systems are not affected by any
data provisioning operations. They are connected to the central system for
the verification of credentials and permissions.
Online resources are also connected to the central system for the same reasons, although in a different way.