Overview of UT Austin
The University of Texas at Austin (UT Austin) is a large, complex institution with approximately 53k students [1], 4k faculty [2], and 15k staff [3]. Colleges, schools, and units (CSUs) are largely decentralized and independent. Centralized IT services are available through Information Technology Services (ITS), but many CSUs have their own budgets and make their own spending decisions.
For you as an external vendor, this means that you may interact with many different specialized teams at the University. Among those is the Identity and Access Management (IAM) Team, sometimes incorrectly referred to as the “EID Team.” The IAM Team is a part of the centralized ITS organization.
Identity at the University
The IAM Team is responsible for several technical areas including identity management, authentication, and directory services.
The primary public records identifier at the University is the UT EID (The University of Texas Electronic Identity). The UT EID is used across campus to link administrative records to individuals, as well as for web-based Single Sign-On (SSO).
Identity Management
The IAM Team manages identities using a combination of custom, purpose-built systems and third-party vendor software. The identity management layer of services receives data from various authoritative systems of record and coalesces it into coherent identity records.
For example, a student employee will have very different sets of data in the student registrar and in human resources, but the IAM Team compiles it all into a single record for a single individual.
Directory Services
The University has several centralized directory services including Austin Active Directory (Austin AD) and the uTexas Enterprise Directory (TED), an LDAPv3-based directory service. The IAM Team is responsible for maintaining the identity data in these directory services, ensuring that it is up-to-date and accurate. The IAM Team also administers TED (but not Austin AD).
Authentication Services
The IAM Team also acts as the Identity Provider (IdP) for authentication services using Enterprise Authentication, an implementation of the Shibboleth IdP which supports SAML and OpenID Connect. In this way, the IAM Team handles the complexities of authentication and identity data, and your system never needs to handle a password, greatly reducing everyone’s risk.
You as the Service Provider
There are a number of ways in which we can assist your engagement with the University:
- Web-based SSO (Authentication).
- LDAP Directory Services.
- Attribute-Based Access Control (ABAC) via Group and Role Management.
- Customized UI for EID Creation.
Documentation
If you want to learn about our environment holistically, the following are a good place to start:
If you’re just looking for web-based SSO, check out the New Authentication Integrations page.
On the other hand, if you want to jump right into the technical details (note that much of this documentation is restricted-access but should be viewable by your University contact):
- Authentication
- About Our Identity Provider
- Authentication Integration Technical Details
- Customer Metadata Requirements
- Identity Provider and Service Provider Single Log Out
- Questions for Consideration
- SAML Customer Testing Checklist
- Service Providers which do not support hosted metadata
- Shibboleth Service Provider (SP) Examples
- SimpleSAMLphp Examples
- To which identity federations does the university belong?
- Directory Services
- Group and Role Management
- Identity Management
Advice
We also have some documentation with tips about how to best interact with our systems (in addition to the tips above):
Finally, some advice regarding identifiers and the UT EID:
Do not use the UT EID as an immutable identifier. While rare, it is possible for the UT EID to change. Ideally, your software has an internal identifier which can link to the UT EID. This way, if the UT EID changes, you can simply point the new UT EID to the existing record.
UT EIDs can be combined. This happens most frequently when applicants for admissions or job applicants inadvertently create multiple UT EIDs. Since we want all of an individual’s record in one place, administrative offices will merge the records. Be sure to have a plan for how to deal with this scenario.
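The two pieces of advice above (the UT EID can change, and two UT EIDs can be merged into one person) amount to a data-model requirement: key your records on an internal surrogate identifier and treat the EID as a re-pointable attribute. The following is an added example, not UT Austin's code or a description of how the IAM Team implements merges. It assumes a simple in-memory store; the EID values, the choice to retire an old EID after a rename, and the choice to keep a merged EID resolving to the surviving account are constructed assumptions that a real application would set according to its own policy.

```python
"""Local account store that keeps its own surrogate key and treats the UT EID
as a mutable attribute. Added example, not UT Austin's code; EID values and
the rename/merge policies below are constructed assumptions."""
from dataclasses import dataclass, field
import uuid


@dataclass
class Account:
    account_id: str                  # internal, immutable surrogate key
    eid: str                         # current UT EID; may change
    display_name: str
    records: list = field(default_factory=list)  # application data owned by this account
    history: list = field(default_factory=list)  # audit trail of identifier changes


class AccountStore:
    def __init__(self):
        self._accounts = {}         # account_id -> Account
        self._eid_index = {}        # EID accepted at login -> account_id
        self._retired_eids = set()  # EIDs that must no longer be accepted or reused

    def provision(self, eid, display_name):
        """Create an account on first SSO login; refuse known or retired EIDs."""
        if eid in self._eid_index or eid in self._retired_eids:
            raise ValueError(f"EID {eid!r} is already linked to an account")
        acct = Account(account_id=str(uuid.uuid4()), eid=eid, display_name=display_name)
        self._accounts[acct.account_id] = acct
        self._eid_index[eid] = acct.account_id
        return acct

    def lookup(self, eid):
        """Resolve the EID asserted by the IdP to the local account, or None."""
        account_id = self._eid_index.get(eid)
        return self._accounts.get(account_id) if account_id else None

    def rename_eid(self, old_eid, new_eid):
        """The same person received a new EID: point the new EID at the existing
        record and retire the old one, so a later login with the old value can
        neither create a duplicate nor be claimed by a different principal."""
        acct = self.lookup(old_eid)
        if acct is None:
            raise KeyError(f"no account for EID {old_eid!r}")
        if new_eid in self._eid_index or new_eid in self._retired_eids:
            raise ValueError(f"EID {new_eid!r} is already in use")
        del self._eid_index[old_eid]
        self._retired_eids.add(old_eid)
        self._eid_index[new_eid] = acct.account_id
        acct.eid = new_eid
        acct.history.append(("rename", old_eid, new_eid))
        return acct

    def merge_eids(self, surviving_eid, retired_eid):
        """Administrative merge: two EIDs now denote one person. Move the
        duplicate account's data onto the survivor and let the retired EID
        resolve to the survivor, so logins under either EID reach one record."""
        survivor = self.lookup(surviving_eid)
        duplicate = self.lookup(retired_eid)
        if survivor is None or duplicate is None:
            raise KeyError("both EIDs must resolve to existing accounts")
        if survivor.account_id == duplicate.account_id:
            return survivor  # already merged; the operation is idempotent
        survivor.records.extend(duplicate.records)
        survivor.history.append(("merge", retired_eid, duplicate.account_id))
        del self._accounts[duplicate.account_id]
        self._eid_index[retired_eid] = survivor.account_id  # alias, not retired
        return survivor


if __name__ == "__main__":
    store = AccountStore()
    person = store.provision("eid-a", "Person A")          # constructed EID
    store.rename_eid("eid-a", "eid-a2")
    applicant = store.provision("eid-dup", "Person A (applicant)")
    applicant.records.append("application-form")
    store.merge_eids("eid-a2", "eid-dup")
    print(person.account_id, person.eid, person.records, person.history)
```

The point of the design is that nothing application-specific is keyed on the EID itself: a rename touches one index entry, and a merge moves data between two surrogate-keyed records without rewriting foreign keys. Refusing to re-provision a retired EID is what prevents a stale identifier from silently producing a second account for the same person.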
We put a lot of effort into being standards-compliant. Hopefully, your application does, as well. In particular, our authentication services use the Security Assertion Markup Language (SAML) v2.0 standard which has been around since 2005.
Getting Help
If you need help, it’s best to start by reaching out to your University contact. Then, if needed, the sponsoring University department can reach out to our team. This approach provides the following benefits:
- The sponsoring University department is responsible and accountable for your engagement.
- Only the sponsoring University department can initiate an engagement with our team.
- We’ll know which of our 300+ customers you are working with.
- We won’t mistake your communication for an unsolicited sales contact.
Once contact has been initiated, we’ll be happy to join you and your University contact on e-mail threads, conference calls, and the like. While our team primarily uses Microsoft Teams, we also support Zoom and, depending on local machine policy, may be able to accommodate other protocols.