When considering the development or acquisition of a new software product, it’s important to understand some core identity management concepts to help ensure that the selected product will integrate well with the university identity environment.
- UT Electronic Identifier (UT EID) – The official public records identifier for the university.
Format: 2-8 characters, alphanumeric as well as hyphen (-), underscore (_), and period (.)
- eduPersonPrincipalName (ePPN) – Part of the eduPerson LDAP schema.
- Institutional Identifier (IID) – Designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, will forward to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.
- Security Assertion Markup Language (SAML) v2.0 – An XML-based open standard for exchanging authentication and authorization information between identity providers and service providers.
- Shibboleth® – Shibboleth® is a standards-based (SAML2), open source software package for web single sign-on across or within organizational boundaries.
- Identity Provider (IdP) – A part that offers user authentication as a service. In this context, the IAM Team will provide the IdP for you to integrate with.
- Service Provider (SP) – The server/system which hosts the resource. In this context, you (or your vendor) are configuring the SP that provides a service to your customers. Your SP will integrate with our IdP.
- Attribute – Anything that the Identity Provider (IdP) knows about the end user that may be helpful to the Service Provider (SP).
- Metadata – In this context, a document which describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, instructions which tell the IdP and the SP how to communicate with each other.
Identity Management Concepts
Authentication vs. Authorization
- Authentication – Authentication determines whether the user is who they claim to be.
- Authorization – Authorization determines whether an authenticated user is allowed to access a specific resource or take a specific action.
Accounts, Identifiers, and Identities
- Account – An account is the representation of a user within a particular system.
- Identifier – An identifier is how a user is labeled. In a system that uses UT EID-based single sign-on, the user account will be accessed using the UT EID as an identifier.
- Identity – An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).
Provisioning and Deprovisioning
The process of how user accounts are created when they are needed and how they are deleted, archived, or made inactive when no longer needed.
Identity Life Cycle
Like the real-world entities they represent, identities have a life cycle. Their connection to the University will change over time and the accounts and authorizations they have will also change accordingly. The identity itself does not go away.
When a user leaves the University (e.g. graduation, separation) their identity persists and they will continue to be able to authenticate using their UT EID. This allows individuals to later come back and apply for jobs, request transcripts, etc. Systems must take into account the current status of a user in their authorization schemes and change account authorizations when that status changes.
For example, if a student or employee leaves the university, the wireless network will note the change in affiliation and remove authorizations for wireless access.