Step 1: Understand the Concepts
When considering the development or acquisition of a new software product, it is important to understand some core identity management concepts. For example:
- What is the difference between Authentication and Authorization? Authentication determines whether the user is who they claim to be. Authorization determines whether an authenticated user is allowed to access a specific resource or take a specific action. (Importantly, Enterprise Authentication provides authentication, not authorization.)
- What is the difference between the UT Electronic Identifier (UT EID), the eduPersonPrincipalName (ePPN), and the Institutional Identifier (IID)? Which identifier should you request?
  - UT EID: The University of Texas Electronic Identity (UT EID or EID) is the public records identifier for principals at the university. See EID in the service catalog for more information.
  - ePPN: The eduPersonPrincipalName (ePPN) (format: <eid>@utexas.edu) is an attribute which is part of the eduPerson LDAP schema.
  - IID: The Institutional Identifier (IID) (format: <eid>@eid.utexas.edu) is designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, it forwards to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.
Prior to submitting an integration request, review the following documentation:
Step 2: Review the Requirements
Prior to purchasing a vendor solution, please review our Vendor Requirements to ensure that your solution will work with our Identity Provider (IdP). An IdP is a software tool or service that offers user authentication as a service. At UT Austin, the primary IdP used to authenticate the UT EID and EID Password is Enterprise Authentication, which is managed by the IAM Team.
Your SAML Service Provider (SP) will generate metadata which provides our IdP with instructions on how to interact with your SP. Please ensure that your metadata can meet our Metadata Requirements.
- SAML: Security Assertion Markup Language (SAML) is a standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers. This standard is currently used by Enterprise Authentication (as well as hundreds of service providers that integrate with our identity providers).
- SP: A Service Provider (SP) is the server/system which hosts the resource. In this context, you (or your vendor) are configuring the SP that provides a service to your customers. Your SP will integrate with our IdP.
Step 3: Submit a Request
Please note that the typical turnaround time to onboard a new authentication integration is 4 – 6 weeks. This may increase to 10 – 12 weeks during times of high demand (e.g., before the start of a new semester).
If you are working with a 3rd party vendor, you may provide them with a vendor-friendly questionnaire. (You will use their response to fill out the above Integration Request form.)
Step 4: Await the Approvals
After review, the IAM Team will facilitate the following on your behalf:
- The Authentication Acceptable Use Policy will need to be acknowledged and signed by your department.
- The UT Information Security Office (ISO) will review and approve your submitted documents.
- If you are partnering with an external vendor, you may need to comply with UT-IRUSP Standard 22: Vendor and Third-Party Controls and Compliance.
- If you plan to receive cloud computing services, the services may need to be compliant with the Texas Risk and Authorization Management Program (TX-RAMP).
- If applicable, you will have to meet the SaaS/PaaS Minimum Security Standards.
Step 5: Configure, Test, and Verify
Once the ISO (the university’s information security team) has approved your integration documentation, we will assign your request to one of our integration engineers who will work with you to configure, test, and verify your integration.
- KB0017849: Shibboleth Service Provider (SP) Examples
- KB0017850: SimpleSAMLphp Examples
- KB0017626: SAML Customer Testing Checklist
Afterward: Change Requests
If you would like to make a change to an existing authentication integration, please review our Change Request process.
Questions
If you have any questions throughout this process, please e-mail us at iam-integrations@utlists.utexas.edu.