EIDM to IDM Migration Overview
CMS modernized its enterprise-wide Identity Management (IDM) system in the first quarter of 2021. As a result, the previous identity management solution (EIDM) is in the process of being decommissioned. All integrated applications, along with their existing users, have been migrated to the new IDM system. During the migration, all user accounts, including application roles, were migrated to the new IDM system.
IDM continues to provide our business partners with a means to create a single User ID that can be leveraged to access multiple CMS applications. The modernized IDM system leverages Commercial Off-The-Shelf (COTS) software, which improves overall system maintainability and scalability, while also improving the efficiency at which new applications can be integrated.
On this website, you will find information about the completed migration effort. You can also access the IDM User Guide (PDF), which documents how to register an IDM User ID, log in to IDM, and request an application role. Additionally, information regarding the Tier 1 Help Desk that supports your application can be found here in the event that you require assistance.
What End Users Can Expect When They Log In to IDM
Users are currently able to access their application through IDM. During the migration process, all user data and role information was transitioned to IDM, so users are able to log in using their existing User ID and password.
If required to complete Multi-Factor Authentication at login, the user’s email address serves as their default MFA device during their initial login. Once successfully logged in, the user can add additional MFA devices to their profile.
One Security Question and Answer (SQA) was migrated from EIDM to IDM. Users that have issues during their first login are able to use their migrated SQA to complete the necessary self-service function and log in to their account.
Users that have login issues that cannot be resolved through the self-service functionality should contact their application's Tier 1 Help Desk for assistance.
Changes to Expect in IDM
A considerable effort was made to ensure a consistent user experience in IDM; however, there are some changes that end users should take note of during their first login to IDM. These changes include the following:
Application Access & New IDM User Interface (UI)
If you access your application through the CMS Enterprise Portal UI, then your user experience will not change. You will continue to log in through the Portal UI and access your application by selecting the appropriate application tile on the landing page.
If you access your application by entering the application’s URL directly into your browser, then your user experience will change slightly, as you will now conduct role and profile management activities in the new IDM UI. Please bookmark the IDM UI URL so that you can update your IDM account (add new MFA devices, change your password, etc.) and request additional application roles.
CMS IDM User Interface: https://home.idm.cms.gov/
Annual Certification (AC)
AC is not part of IDM’s Minimum Viable Product (MVP), so it will not be immediately available after go-live. AC is in IDM’s backlog and will be developed and deployed in IDM in time for approvers to recertify their users for calendar year 2022.
EUA Applications & Users
Users of EUA applications integrated with IDM who access their application through the CMS Enterprise Portal UI will be required to complete MFA. Please note that if a user attempts to access their application while connected to CMS NET, they will bypass MFA. However, if that same user attempts to log in to their application over the internet, through the .gov URL, then they will be prompted to complete MFA before being allowed to continue on to the application.
The default MFA device for EUA users is the email address that is tied to their EUA account. To ensure users have access to that email address, we encourage users to log in to EUA and check the email address that is associated with their EUA profile prior to logging in to IDM. If you can access the email address that is shown in EUA, then you will be able to complete MFA at login. If you cannot access that email address, then you will need to update the email address in EUA to one that you can access.
Within Application Search in the Help Desk UI, search results are limited to 50 records; in Enterprise Search, results are limited to five records. Users whose search results exceed these limits must provide additional parameters to refine their search.
Within IDM, Help Desk users cannot manage the MFA devices of end users. They can view the devices associated with a user’s account, but they cannot add or remove devices. Additionally, Help Desk users cannot generate a one-time MFA code for end users. The only MFA-related support that a Help Desk user can provide is to change the email address of an end user.
Multi-Factor Authentication (MFA)
The MFA provider changed from Symantec in EIDM to Okta in IDM; as such, we were unable to migrate MFA data to the new system. Users who are required to complete MFA at login will do so using their email address during their first login. The email address associated with the user’s account is the default MFA device for all users. We strongly encourage users to add supplementary devices to their account after their first login. MFA devices will no longer lock after multiple failed attempts. Finally, the available factors have also changed in IDM. The five available MFA devices in IDM are:
- Email – Default
- Short Message Service (SMS) – Text Message
- Interactive Voice Response (IVR)
- Okta Verify – Smart Phone Application
- Google Authenticator – Smart Phone Application
Security Question & Answer (SQA)
The number of SQA associated with an account has decreased from three in EIDM to one in IDM. To assist users with their first login, we migrated one SQA at random from EIDM to IDM. Users can use their migrated SQA to complete self-service functions in IDM at first login. Once logged in to the system, users can modify their SQA.