guest@portfolio:~$ cat identity-iam/README.md

[OK] Identity & Access Management started: 2024-01
tech: OneLogin, Active Directory, Azure AD, SAML, OAuth 2.0, SCIM, Group Policy, MFA

OneLogin Administration at BART

At BART, identity is managed through OneLogin as the central SSO platform for the organization’s 4,000+ employee workforce. SSO integrations are configured using SAML 2.0, OAuth 2.0, and SCIM depending on what each application supports. SAML is the primary protocol for third-party SaaS applications; OAuth 2.0 is used for applications requiring delegated authorization flows; SCIM handles automated provisioning and deprovisioning between OneLogin and downstream applications so account state stays synchronized without manual intervention.

MFA enforcement was rolled out across the organization. This included configuring MFA policies in OneLogin, defining which authentication factors were acceptable per application risk tier, and working through the rollout with end users — handling exceptions, re-enrollment for users who lost access to their second factor, and policy documentation for compliance purposes.

Account Lifecycle Management

Account provisioning and deprovisioning follows role-based access policies. New accounts are provisioned with access scoped to what the role requires, not a flat default set. Access reviews surface accounts with stale group memberships or application entitlements that no longer match the user’s current role. Deprovisioning is treated as a security control — accounts are disabled promptly on separation and access is removed from downstream applications via SCIM or manual revocation where SCIM is not available.

This work touches the full identity lifecycle: onboarding, role changes, access escalations, and offboarding, all documented to support audit trails.
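The access review described above, as an added illustration (not BART's tooling): it compares what each user holds against a role catalog and checks downstream application exports for accounts that outlived their IdP assignment. The role catalog, the IdP export and the per-app account lists are constructed sample data.

```python
# Added illustration of the access review above, not BART's tooling; the role
# catalog, IdP export and app exports below are constructed sample data.
from dataclasses import dataclass

# Hypothetical role catalog: entitlements each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ServiceDesk", "KnowledgeBase"},
    "finance-analyst": {"ERP-Reporting", "Expense"},
    "separated": set(),  # offboarded: nothing allowed and account must be disabled
}

@dataclass(frozen=True)
class User:
    username: str
    role: str
    active: bool             # IdP account still enabled?
    entitlements: frozenset  # app assignments / groups held in the IdP

def review(users, app_exports):
    """Return sorted (username, kind, detail) findings from an IdP export and
    per-app account exports {app: set(usernames)} (SCIM-synced or manual)."""
    findings = []
    by_name = {u.username: u for u in users}
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u.role, set())
        if u.role == "separated" and u.active:
            findings.append((u.username, "enabled_after_separation", "idp"))
        for ent in sorted(u.entitlements - allowed):  # held, but not role-appropriate
            findings.append((u.username, "stale_entitlement", ent))
        for ent in sorted(allowed - u.entitlements):  # role requires it, not held
            findings.append((u.username, "missing_entitlement", ent))
    for app, accounts in app_exports.items():
        for name in sorted(accounts):
            u = by_name.get(name)
            if u is None or not u.active or u.role == "separated":
                findings.append((name, "lingering_app_account", app))  # deprovisioning gap
            elif app not in u.entitlements:
                findings.append((name, "app_account_without_idp_assignment", app))
    return sorted(findings)

# Constructed sample exports.
SAMPLE_USERS = [
    User("asmith", "helpdesk", True, frozenset({"ServiceDesk", "KnowledgeBase", "ERP-Reporting"})),
    User("bjones", "finance-analyst", True, frozenset({"ERP-Reporting"})),
    User("cdoe", "separated", True, frozenset()),  # left, never disabled
]
SAMPLE_APPS = {
    "ERP-Reporting": {"asmith", "bjones"},
    "Expense": {"bjones", "cdoe", "ghost"},  # manually managed, no SCIM
}
```

Against the sample data, `review(SAMPLE_USERS, SAMPLE_APPS)` surfaces an ERP entitlement asmith kept from a previous role, a separated account that is still enabled and still provisioned in Expense, and an Expense account (`ghost`) with no owning IdP user, which is the kind of gap a manually revoked application leaves behind.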

Active Directory

On-premises identity is anchored in Active Directory. This includes managing user accounts, security groups, and Group Policy Objects. Security group membership controls access to shared resources and is the mechanism from which downstream SAML assertions and application entitlements often derive. GPO management covers workstation configuration, software restriction policies, and security baseline enforcement applied across OUs.

MSTS: Access Provisioning Under DOE/NNSA Requirements

At MSTS, access provisioning and deprovisioning is governed by DOE clearance requirements. Access to systems — both classified and unclassified — is tied to the user’s clearance level and a verified need-to-know for the specific resource. This is not discretionary: access is provisioned only after clearance verification and documented authorization, and it is revoked immediately when the need-to-know ends or clearance status changes.

The operational environment includes both classified and unclassified networks with separate access controls. Managing access across both requires careful adherence to classification-based access policies and audit-ready documentation for every provisioning and deprovisioning action.

Azure AD and M365 Identity

Azure Active Directory is used for cloud identity and M365 access management. This includes managing user accounts and groups in Entra, configuring conditional access policies, and maintaining M365 licensing assignments. Azure AD connects to the on-premises AD environment, and identity changes propagate between both directories according to hybrid identity configuration.
