Step 1: Understand the Concepts
When considering the development or acquisition of a new software product, it is important to understand some core identity management concepts.
For example: What is the difference between authentication and authorization? Authentication is the act of determining that a person is who they claim to be; authorization is the act of determining whether an authenticated user is allowed to access a specific resource or take a specific action. (Importantly, Enterprise Authentication provides authentication, not authorization.) What is the difference between the UT Electronic Identifier (UT EID), the eduPersonPrincipalName (ePPN), and the Institutional Identifier (IID), and which identifier should you request? The UT EID is the public records identifier for principals at the university. The ePPN (format: <eid>@utexas.edu) is an attribute which is part of the eduPerson LDAP schema. The IID (format: <eid>@eid.utexas.edu) is designed for use with cloud-based services whose usernames are e-mail addresses; when used as an email address, it will forward to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement. For more information on each of these, see our Concepts page.
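As an added illustration of the two points above (the IdP asserts who the user is, the SP decides what they may do; and an ePPN and an IID carry the same EID under different domains), here is example code written for this page. It is not UT IAM's, Shibboleth's, or any vendor's code. It assumes the ePPN is released under its standard eduPerson OID, uses a hypothetical attribute name for the IID (the page gives the IID format but not the SAML attribute it is released under), assumes an EID character set, and works on a constructed assertion whose signature and conditions are assumed to have been verified already by the SAML library.

```python
"""Example (not UT IAM code): keep the identity an IdP asserts separate from
the authorization decision the Service Provider must make for itself."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard eduPerson OID for eduPersonPrincipalName.
EPPN_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
# Hypothetical attribute name for the Institutional Identifier (assumption:
# the page does not say which SAML attribute carries the IID).
IID_ATTR = "urn:example:institutionalIdentifier"

# Identifier formats from the page; the EID character class is an assumption.
EID_PART = r"[A-Za-z0-9._-]+"
EPPN_RE = re.compile(rf"^({EID_PART})@utexas\.edu$")
IID_RE = re.compile(rf"^({EID_PART})@eid\.utexas\.edu$")

# Constructed sample assertion. Signature omitted: assume the SAML library
# has already verified the signature and conditions before this code runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@utexas.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:institutionalIdentifier">
      <saml:AttributeValue>jdoe@eid.utexas.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def classify_identifier(value):
    """Tell an ePPN from an IID and extract the underlying EID; None if neither."""
    m = EPPN_RE.match(value)
    if m:
        return ("ePPN", m.group(1))
    m = IID_RE.match(value)
    if m:
        return ("IID", m.group(1))
    return None


def authorize(assertion_xml, allowed_eids):
    """Authentication came from the IdP; this local check is the SP's own
    authorization decision, keyed on the EID inside the ePPN."""
    attrs = extract_attributes(assertion_xml)
    eppn_values = attrs.get(EPPN_ATTR, [])
    if len(eppn_values) != 1:
        return (False, "expected exactly one ePPN")
    parsed = classify_identifier(eppn_values[0])
    if parsed is None or parsed[0] != "ePPN":
        return (False, "ePPN attribute has unexpected format")
    eid = parsed[1]
    if eid not in allowed_eids:
        return (False, f"{eid} authenticated but is not authorized")
    return (True, eid)


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_ASSERTION))
    print(authorize(SAMPLE_ASSERTION, {"jdoe"}))
    print(authorize(SAMPLE_ASSERTION, {"asmith"}))
```

The point of the split is that a successful login from the IdP never by itself grants access: `authorize` still consults the SP's own allow list, and it rejects an assertion that carries zero or several ePPN values rather than guessing.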
Prior to submitting an integration request, review and become familiar with the following documentation:
- Identity Concepts for Authentication Integration
- Questions for Consideration
- Choosing the Right Attributes
- The Beer Drinker’s Guide to SAML
- How Shibboleth Works
- Vendor Help (if you are the vendor)
Additionally, you may find it helpful to review this entire page prior to submitting any requests.
Step 2: Review the Requirements
Vendor Requirements
Prior to purchasing a vendor solution, please review our Vendor Requirements to ensure that your solution will work with our Identity Provider (IdP). An IdP is a software tool or service that offers user authentication as a service; it manages the user's primary authentication credentials and issues assertions derived from those credentials. At UT Austin, the primary IdP used to authenticate the UT EID and EID Password is Enterprise Authentication, which is managed by the IAM Team. For more information, see our Concepts page.
Metadata Requirements
Your SAML Service Provider (SP) will generate metadata which provides our IdP with instructions on how to interact with your SP. Please ensure that your metadata can meet our Customer Metadata Requirements. Security Assertion Markup Language (SAML) is a standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers; it is currently used by Enterprise Authentication, as well as by hundreds of service providers that integrate with our identity provider. An SP is the server/system which hosts the resource: in this context, you (or your vendor) are configuring the SP that provides a service to your customers, and your SP will integrate with our IdP. For more information, see our Concepts page.
State Requirements
In accordance with Texas Government Code § 2054.0593 cloud computing services must comply with Texas Risk and Authorization Management Program (TX-RAMP) requirements. External vendors are strongly encouraged to become TX-RAMP certified.
Step 3: Submit a Request
Please note that the typical turnaround time to onboard a new authentication integration is 4 – 6 weeks. This may increase to 10 – 12 weeks during times of high demand (e.g., before the start of a new semester).
If you are working with a third-party vendor, you may provide them with a vendor-friendly questionnaire. (You will use their response to fill out the above Integration Request form.)
Step 4: Await the Approvals
Identity and Access Management (IAM) is a set of policies, processes, and technologies designed to ensure that the right individuals (identities) have the right access to resources within an organization. IAM involves managing and securing digital identities, controlling access to systems and data, and maintaining the confidentiality, integrity, and availability of information. After review, the IAM Team will facilitate the following on your behalf:
- The Authentication Acceptable Use Policy (AUP) will need to be acknowledged and signed by your department, and renewed on an annual basis. An AUP is a document that outlines a set of rules to be followed by users or customers of a set of computing resources; it clearly states what the user is and is not allowed to do with these resources.
- The UT Information Security Office (ISO) will review and approve your submitted documents.
- If you are partnering with an external vendor, you may need to comply with UT-IRUSP Standard 22: Vendor and Third-Party Controls and Compliance.
- As previously mentioned, if you plan to receive cloud computing services, the services may need to be compliant with the Texas Risk and Authorization Management Program (TX-RAMP).
- If applicable, you will have to meet the SaaS/PaaS Minimum Security Standards.
Step 5: Configure, Test, and Verify
Once the Information Security Office (ISO), the University’s information security team, has approved your integration documentation, we will assign your request to one of our integration engineers who will work with you to configure, test, and verify your integration.
Configuration
We have published the most basic technical information you’ll need on Authentication Integration Technical Details.
- KB0017849: Shibboleth Service Provider (SP) Examples
- KB0017850: SimpleSAMLphp Examples
- KB0018251: Service Providers which do not support hosted metadata
- KB0017612: Error: Application Not Registered
- KB0017613: Error: Security Configuration Error
- KB0017614: Error: Stale Request
- KB0017615: Error: Unable to Respond
- KB0017620: Identity Provider and Service Provider Single Log Out
- KB0018076: Implementing Step-Up Multifactor Authentication with the Shibboleth SP
Testing
While the IAM Team will assist with configuration and troubleshooting, you and your department are ultimately responsible for testing your integration and verifying that it meets your needs.
FAQs
We answer many common questions in our ServiceNow knowledge articles. Some examples:
- KB0018361: About Enterprise Authentication Session Timeout
- KB0018649: Enterprise Authentication and Multi-Factor Authentication
- Who can sign up for Multi-Factor Authentication?
- Who is required to authenticate using Multi-Factor Authentication?
- KB0018095: To which identity federations does the university belong?
For more helpful information, see our ServiceNow knowledge articles.
Questions
If you have any questions throughout this process, please e-mail us at iam-integrations@utlists.utexas.edu.