Identity Management

The scope of what we mean by Identity Management includes not only our own login identifiers (e.g. username) but also devices, services, groups, and any other unique online name or identifier that SLAC must associate uniquely with a specific person or thing.
For years, SLAC staff have worked under multiple user identities (i.e. SLAC ID and SUNetID), depending on the application context. By policy and by good identity practice, each of these person login identifiers must be unique and uniquely associated with one specific person in a system of record. For SLAC ID, the system of record for people has been a combination of customized enterprise products and many bespoke applications and databases; SUNetID is similarly assembled from a combination of source person identity data.
Person Identity
Understandably, a typical person doing work at SLAC simply thinks of identity in terms of their own usernames, passwords, and multifactor authenticators (e.g. the Duo mobile app). Behind those identifiers are person identity records, which comprise the data associated with each person: identity metadata. Some of a person's identity metadata is highly sensitive and therefore highly restricted, while other identity metadata is used routinely for online transactional purposes. Examples of identity metadata are institutional affiliation, email address, and employment status.
Device Identity
For many of the same reasons that SLAC must verify the identity of the people who interact with lab resources, it must also verify the unique identity of the devices used to reach those resources. Additionally, basic security checks on those devices must be validated on a recurring basis to satisfy the DOE compliance criteria that apply to SLAC as a DOE complex facility. The security model behind these requirements is "zero-trust" architecture. Its basic concept is that any user, device, or service accessing a resource must be known as a registered identity, and it can additionally require that mandatory security-posture standards be met before institutional resources are accessed. Because the posture checks recur, a device whose identity is still registered can nevertheless lose access when it falls out of compliance.
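The following is an added example written for this page to illustrate the access decision just described; it is not SLAC's own access-control code. The person and device registries, the posture attributes (disk encryption, endpoint agent, screen lock, patch age), the 30-day patch ceiling and all identifiers in it are constructed assumptions. It shows the two halves of the zero-trust check, registered identity plus posture, and treats any posture attribute the device does not report as failing.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data standing in for a system of record.  Every
# identifier below is made up for this example; none is a real SLAC record.
PEOPLE: Dict[str, Dict[str, str]] = {
    "jdoe": {"affiliation": "SLAC", "status": "active"},
    "rroe": {"affiliation": "SLAC", "status": "terminated"},
}
DEVICES: Dict[str, Dict[str, str]] = {
    "LAPTOP-0001": {"owner": "jdoe"},
    "LAPTOP-0002": {"owner": "rroe"},
}

# Hypothetical minimum posture: each flag must be reported as True, and the
# OS patch age must be reported and must not exceed the ceiling.
POSTURE_FLAGS = ("disk_encrypted", "edr_running", "screen_lock")
MAX_PATCH_AGE_DAYS = 30


@dataclass
class AccessRequest:
    user: str
    device_id: str
    posture: Dict[str, object] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def check_person(user: str, people: Dict[str, Dict[str, str]] = PEOPLE) -> List[str]:
    """Is the user a registered, currently active identity?"""
    person = people.get(user)
    if person is None:
        return [f"user '{user}' is not a registered identity"]
    if person["status"] != "active":
        return [f"user '{user}' is not active ({person['status']})"]
    return []


def check_device(user: str, device_id: str,
                 devices: Dict[str, Dict[str, str]] = DEVICES) -> List[str]:
    """Is the device a registered identity, and is it assigned to this user?"""
    device = devices.get(device_id)
    if device is None:
        return [f"device '{device_id}' is not a registered identity"]
    if device["owner"] != user:
        return [f"device '{device_id}' is not assigned to '{user}'"]
    return []


def check_posture(posture: Dict[str, object]) -> List[str]:
    """Evaluate the mandatory posture standards; unreported attributes fail."""
    reasons: List[str] = []
    for flag in POSTURE_FLAGS:
        if posture.get(flag) is not True:
            reasons.append(f"posture check '{flag}' not satisfied")
    age = posture.get("os_patch_age_days")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(age, int) or isinstance(age, bool) or age > MAX_PATCH_AGE_DAYS:
        reasons.append(f"os patch age unknown or exceeds {MAX_PATCH_AGE_DAYS} days")
    return reasons


def evaluate(req: AccessRequest, *, require_posture: bool = True) -> Decision:
    """Zero-trust decision: registered person AND registered device, plus posture
    when the resource demands it.  All reasons are collected so that a denial
    explains every failed check, not just the first one."""
    reasons = check_person(req.user) + check_device(req.user, req.device_id)
    if require_posture:
        reasons += check_posture(req.posture)
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    healthy = {"disk_encrypted": True, "edr_running": True,
               "screen_lock": True, "os_patch_age_days": 7}
    for req in (AccessRequest("jdoe", "LAPTOP-0001", healthy),
                AccessRequest("rroe", "LAPTOP-0002", healthy),
                AccessRequest("jdoe", "LAPTOP-0001", {"disk_encrypted": True})):
        print(req.user, req.device_id, evaluate(req))
```

The decision deliberately collects every failing check rather than stopping at the first, which is what an operator wants when telling a user why a device was turned away; a production policy engine would also log the decision and the posture evidence it was based on.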