Step 1: Understand the Concepts
When considering the development or acquisition of a new software product, it is important to understand some core identity management concepts.
For example: What is the difference between authentication (verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system's resources) and authorization (the access privileges granted to a user, program, or process, or the act of granting those privileges)? Importantly, Enterprise Authentication provides authentication, not authorization: it tells your application who the user is, and your application decides what that user may do. What is the difference between the UT Electronic Identifier (UT EID), the eduPersonPrincipalName (ePPN), and the Institutional Identifier (IID)? Which identifier should you request?
- UT EID: the University of Texas Electronic Identity (UT EID or EID) is the public records identifier for principals at the university. See EID in the service catalog for more information.
- ePPN: the eduPersonPrincipalName (format: <eid>@utexas.edu) is an attribute which is part of the eduPerson LDAP schema.
- IID: the Institutional Identifier (format: <eid>@eid.utexas.edu) is designed for use with cloud-based services whose usernames are e-mail addresses. When used as an e-mail address, it forwards to the user's e-mail address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.
Prior to submitting an integration request, review and become familiar with the following documentation:
- Identity Concepts
- Questions for Consideration
- Choosing the Right Attributes
- The Beer Drinker’s Guide to SAML
- How Shibboleth Works
Additionally, you may find it helpful to review this entire page prior to submitting any requests.
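The authentication/authorization split in Step 1 is the point most often missed by new integrations: a valid assertion from Enterprise Authentication proves who the user is, and nothing more. The following Python example is added here and is not code from this page or from the IAM Team. It assumes the SP receives the ePPN in an attribute named `eduPersonPrincipalName`, treats only the two scopes described above (`@utexas.edu` for ePPN, `@eid.utexas.edu` for IID) as trusted, and keeps the role table in the application itself. The user values and roles are constructed samples; the EID character set is not specified on this page, so the parser accepts any local part without `@` or whitespace.

```python
import re

# Assumed attribute name under which the SP receives the ePPN.
EPPN_ATTR = "eduPersonPrincipalName"

# Identifier scopes as described on this page. Any other scope is untrusted:
# accepting it would let "jdoe@other.example" be mapped to the local "jdoe".
SCOPES = {
    "utexas.edu": "ePPN",
    "eid.utexas.edu": "IID",
}
_SCOPED_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def parse_identifier(value):
    """Return (eid, kind) for a scoped identifier in a trusted scope, else None.

    The local part is returned as received; case handling of the EID is left
    to the application because this page does not specify it.
    """
    m = _SCOPED_RE.match(value or "")
    if not m:
        return None
    local, scope = m.group(1), m.group(2).lower()
    kind = SCOPES.get(scope)
    if kind is None:
        return None
    return local, kind


# Authorization data belongs to the application, not the IdP.
# Constructed sample table: EID -> roles granted by this application.
ROLES = {
    "jdoe": {"viewer"},
    "asmith": {"viewer", "editor"},
}


def authorize(attributes, required_role):
    """Combine the IdP's authentication result with local authorization.

    `attributes` is the attribute map the SP extracted from a validated
    assertion (signature and audience checks already done by the SP software).
    Returns (allowed, reason).
    """
    parsed = parse_identifier(attributes.get(EPPN_ATTR))
    if parsed is None:
        # No trusted identifier: authenticated elsewhere, or wrong scope.
        return False, "no trusted identifier in assertion"
    eid, kind = parsed
    granted = ROLES.get(eid, set())
    if required_role not in granted:
        # Authentication succeeded, but this user has no such role here.
        return False, f"{eid} ({kind}) authenticated but lacks role {required_role!r}"
    return True, f"{eid} ({kind}) granted {required_role!r}"


# Constructed sample attribute maps, not real assertions or users.
SAMPLES = {
    "authorized": {EPPN_ATTR: "asmith@utexas.edu"},
    "authenticated_only": {EPPN_ATTR: "jdoe@utexas.edu"},
    "unknown_user": {EPPN_ATTR: "nobody@utexas.edu"},
    "foreign_scope": {EPPN_ATTR: "asmith@other.example"},
    "no_identifier": {},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(f"{name:20s} {authorize(attrs, 'editor')}")
```

Two points the code makes that a login form does not: an authenticated user with no local role is still denied, and an identifier in an unexpected scope is rejected before any lookup. If you run the Shibboleth SP, its attribute policy can enforce the scope check for you (the `AttributeScopeMatchesShibMDScope` rule), but the role decision is always yours.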
Step 2: Review the Requirements
Prior to purchasing a vendor solution, please review our Vendor Requirements to ensure that your solution will work with our Identity Provider (IdP). An IdP is a software tool or service that offers user authentication as a service: it manages the user's primary authentication credentials and issues assertions derived from those credentials. At UT Austin, the primary IdP used to authenticate the UT EID and EID Password is Enterprise Authentication, which is managed by the IAM Team.
Security Assertion Markup Language (SAML) is a standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers; it is the standard currently used by Enterprise Authentication and by the hundreds of service providers that integrate with our IdP. A Service Provider (SP) is the server/system which hosts the resource: in this context, you (or your vendor) are configuring the SP that provides a service to your customers, and your SP will integrate with our IdP. Your SAML SP will generate metadata which provides our IdP with instructions on how to interact with your SP. Please ensure that your metadata can meet our Customer Metadata Requirements.
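Before you submit SP metadata, it is worth running a few checks on it yourself, since a non-HTTPS endpoint or a missing certificate is a common reason for a round trip with the IdP team. The Customer Metadata Requirements themselves are not reproduced on this page, so the checks below are generic SAML metadata hygiene, not the IAM Team's list. The example is added here and is not code from this page or from the IAM Team; the metadata document is a constructed sample with placeholder entityID, hostname and certificate, and the code assumes a single `EntityDescriptor` root as produced by an SP.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata. The entityID, hostname and certificate
# body are placeholders; the second ACS endpoint is deliberately plain HTTP.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderNotARealCertificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text):
    """Return a list of findings (empty means every check passed).

    Checks: entityID present, an SPSSODescriptor exists, assertions are
    requested signed, at least one KeyDescriptor carries a certificate, and
    every AssertionConsumerService endpoint is HTTPS. It does not verify an
    XML signature on the metadata or the certificate's validity period.
    """
    root = ET.fromstring(xml_text)
    findings = []

    if not root.get("entityID"):
        findings.append("missing entityID")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("no SPSSODescriptor (not SP metadata)")
        return findings

    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true")

    certs = sp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no X509Certificate in any KeyDescriptor")

    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("no AssertionConsumerService endpoint")
    for ep in acs:
        loc = ep.get("Location", "")
        if urlparse(loc).scheme != "https":
            findings.append(f"non-HTTPS AssertionConsumerService: {loc}")

    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_METADATA) or ["no findings"]:
        print(finding)
```

For a Shibboleth SP the metadata to feed in is what the `/Shibboleth.sso/Metadata` handler returns; for other products use whatever the vendor's metadata export produces. Treat a clean run as a pre-check only: the IdP team's actual requirements may cover items this script does not, and an HTTP endpoint that slips through is a place where a signed assertion can be delivered in the clear.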
Please note that, in accordance with Texas Government Code § 2054.0593, cloud computing services must comply with Texas Risk and Authorization Management Program (TX-RAMP) requirements. External vendors are strongly encouraged to become TX-RAMP certified.
Step 3: Submit a Request
Please note that the typical turnaround time to onboard a new authentication integration is 4 – 6 weeks. This may increase to 10 – 12 weeks during times of high demand (e.g., before the start of a new semester).
If you are working with a third-party vendor, you may provide them with a vendor-friendly questionnaire. (You will use their response to fill out the Integration Request form.)
Step 4: Await the Approvals
After review, the IAM Team will facilitate the following on your behalf:
- The Authentication Acceptable Use Policy will need to be acknowledged and signed by your department. This AUP will need to be renewed on an annual basis.
- The UT Information Security Office (ISO) will review and approve your submitted documents.
- If you are partnering with an external vendor, you may need to comply with UT-IRUSP Standard 22: Vendor and Third-Party Controls and Compliance.
- As previously mentioned, if you plan to receive cloud computing services, the services may need to be compliant with the Texas Risk and Authorization Management Program (TX-RAMP).
- If applicable, you will have to meet the SaaS/PaaS Minimum Security Standards.
Step 5: Configure, Test, and Verify
Once the Information Security Office (ISO), the university's information security team, has approved your integration documentation, we will assign your request to one of our integration engineers who will work with you to configure, test, and verify your integration. The following knowledge articles cover example SP configurations and common errors:
- KB0017849: Shibboleth Service Provider (SP) Examples
- KB0017850: SimpleSAMLphp Examples
- KB0018251: Service Providers which do not support hosted metadata
- KB0017612: Error: Application Not Registered
- KB0017613: Error: Security Configuration Error
- KB0017614: Error: Stale Request
- KB0017615: Error: Unable to Respond
- KB0017620: Identity Provider and Service Provider Single Log Out
- KB0018076: Implementing Step-Up Multifactor Authentication with the Shibboleth SP
While the IAM Team will assist with configuration and troubleshooting, you and your department are ultimately responsible for testing your integration and verifying that it meets your needs.
We answer many common questions in our ServiceNow knowledge articles. Some examples:
- KB0018361: About Enterprise Authentication Session Timeout
- KB0018649: Enterprise Authentication and Multi-Factor Authentication
- Who can sign up for Multi-Factor Authentication (MFA)? (Authentication makes use of one or more factors: something you know, e.g. a password; something you have, e.g. your smartphone; or something you are, e.g. a fingerprint. MFA makes use of two or more factors when authenticating you.)
- Who is required to authenticate using Multi-Factor Authentication?
- KB0018095: To which identity federations does the university belong?
For more helpful information, see our ServiceNow knowledge articles.
If you have any questions throughout this process, please e-mail us at email@example.com.