When considering the development or acquisition of a new software product, it’s important to understand some core identity management concepts to help ensure that the selected product will integrate well with the university identity environment.
Basic Terminology
Identifiers
- UT Electronic Identifier (UT EID) – The official public records identifier for principals at the university.
Format: 2-8 characters, alphanumeric as well as hyphen (-), underscore (_), and period (.)
- eduPersonPrincipalName (ePPN) – An attribute that is part of the eduPerson LDAP schema.
Format: <eid>@utexas.edu
- Institutional Identifier (IID) – Designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, it will forward to the user's email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.
Format: <eid>@eid.utexas.edu
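The three formats above are easy to confuse on the Service Provider side, since ePPN and IID share the same local part and differ only in domain, and the IID may not exist at all for a guest account. The following is an added example (not code from the page or from the IAM Team) that encodes the stated character rules, derives the ePPN and IID from an EID, and classifies an incoming identifier so an SP does not silently treat one form as another. The regex is this example's own encoding of the 2-8 character rule, and the `guest` and `iid_entitlement` flags are hypothetical stand-ins for however the directory actually marks guest-class EIDs and the special entitlement.

```python
import re

# Character rules for a UT EID as stated on the page: 2-8 characters, letters,
# digits, hyphen, underscore and period. The regex is this example's encoding
# of that rule, not an official pattern.
EID_RE = re.compile(r"[A-Za-z0-9._-]{2,8}")

# Domains from the page's identifier formats.
EPPN_DOMAIN = "utexas.edu"       # ePPN: <eid>@utexas.edu
IID_DOMAIN = "eid.utexas.edu"    # IID:  <eid>@eid.utexas.edu


def is_valid_eid(eid: str) -> bool:
    """True if the string is well-formed as a UT EID (format only, not existence)."""
    return EID_RE.fullmatch(eid) is not None


def eppn_for(eid: str) -> str:
    """Derive the eduPersonPrincipalName from a UT EID."""
    if not is_valid_eid(eid):
        raise ValueError(f"not a well-formed UT EID: {eid!r}")
    return f"{eid}@{EPPN_DOMAIN}"


def iid_for(eid: str, guest: bool = False, iid_entitlement: bool = False):
    """Derive the Institutional Identifier, or None when the EID has no IID.

    `guest` and `iid_entitlement` are hypothetical flags standing in for
    whatever the directory uses to mark guest-class EIDs and the special
    entitlement; the page only states that guest EIDs lack an IID without it.
    """
    if not is_valid_eid(eid):
        raise ValueError(f"not a well-formed UT EID: {eid!r}")
    if guest and not iid_entitlement:
        return None
    return f"{eid}@{IID_DOMAIN}"


def classify_identifier(value: str):
    """Return (kind, eid) for an incoming identifier.

    kind is 'eid', 'eppn', 'iid' or 'unknown'. An SP should not treat the
    three interchangeably: ePPN and IID share the local part but live in
    different domains, and the IID may not exist for guest accounts.
    """
    if is_valid_eid(value):
        return ("eid", value)
    local, sep, domain = value.partition("@")
    if not sep or not is_valid_eid(local):
        return ("unknown", None)
    domain = domain.lower()          # DNS names are case-insensitive
    if domain == EPPN_DOMAIN:
        return ("eppn", local)
    if domain == IID_DOMAIN:
        return ("iid", local)
    return ("unknown", None)
```

A vendor product that stores "the username" should be asked which of these three it will receive and persist; switching from ePPN to IID later means every stored identifier changes domain.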
Technologies
- Security Assertion Markup Language (SAML) v2.0 – An XML-based open standard for exchanging authentication and authorization information between identity providers and service providers. This standard is currently used by Enterprise Authentication, as well as hundreds of service providers that integrate with our identity providers.
- Shibboleth® – Shibboleth® is a standards-based (SAML2), open source software package for web single sign-on across or within organizational boundaries.
Components
- Identity Provider (IdP) – A software tool or service that offers user authentication as a service. At UT Austin, the primary IdP used to authenticate the UT EID and EID password is Enterprise Authentication, which is managed by the IAM Team. In this context, the IAM Team will provide the IdP for you to integrate with.
- Service Provider (SP) – The server/system which hosts the resource. In this context, you (or your vendor) are configuring the SP that provides a service to your customers. Your SP will integrate with our IdP.
Other Terms
- Attribute – Anything that the Identity Provider (IdP) knows about the end user that may be helpful to the Service Provider (SP).
- Entitlement – An attribute which defines what an account is allowed or authorized to do.
- Affiliation – An attribute which designates, at a high level, how an individual is related to the university. For example, an individual may be a current student, a future faculty member, a former employee, or all three.
- Metadata – In this context, a document which describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, instructions which tell the IdP and the SP how to communicate with each other.
Identity Management Concepts
Authentication vs. Authorization
- Authentication – Authentication determines whether the user is who they claim to be.
- Authorization – Authorization determines whether an authenticated user is allowed to access a specific resource or take a specific action.
Accounts, Identifiers, and Identities
- Account – An account is the representation of a user within a particular system.
- Identifier – An identifier is how a user is labeled. In a system that uses UT EID-based single sign-on, the user account will be accessed using the UT EID as an identifier.
- Identity – An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).
Provisioning and De-provisioning
Provisioning and de-provisioning are the processes by which user accounts are created when they are needed and deleted, archived, or made inactive when they are no longer needed.
Identity Life Cycle
Like the real-world entities they represent, identities have a life cycle. Their connection to the University will change over time and the accounts and authorizations they have will also change accordingly. The identity itself does not go away.
When a user leaves the University (e.g. graduation, separation) their identity persists and they will continue to be able to authenticate using their UT EID. This allows individuals to later come back and apply for jobs, request transcripts, etc. Systems must take into account the current status of a user in their authorization schemes and change account authorizations when that status changes.
For example, if a student or employee leaves the university, the wireless network will note the change in affiliation and remove authorizations for wireless access.
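Because the identity and its EID outlive the affiliation, an SP that grants access to anyone who can authenticate will keep admitting former students and employees. The following added example (not code from the page or the IAM Team) shows the distinction in working form: authorization is decided from the affiliation attribute in the assertion, the local account is provisioned only while that check passes, and a periodic reconcile re-checks active accounts against current directory data rather than the attributes seen at last login. The attribute name and values are taken from the eduPerson schema's `eduPersonAffiliation`; that the IdP releases it to this SP, and the constructed `directory` lookup, are assumptions made for the example.

```python
from dataclasses import dataclass, field

# eduPerson attribute carrying affiliation values such as student, staff,
# faculty, employee, alum, member. Its release to this SP is assumed here.
AFFILIATION_ATTR = "eduPersonAffiliation"


@dataclass
class ServiceAccess:
    """Authorization state for one Service Provider.

    Authentication is the IdP's job and is modelled only by the assertion
    arriving with an eid; a former student still passes that step.
    """
    allowed_affiliations: frozenset
    active: dict = field(default_factory=dict)   # eid -> affiliations at last grant

    def authorize(self, assertion: dict) -> bool:
        """Decide access for an authenticated user from the asserted attributes."""
        eid = assertion.get("eid")
        affiliations = set(assertion.get(AFFILIATION_ATTR, ()))
        # Deny when no affiliation is released: authenticated is not authorized.
        granted = bool(eid) and bool(affiliations & self.allowed_affiliations)
        if granted:
            self.active[eid] = affiliations          # provision or refresh the local account
        elif eid:
            self.active.pop(eid, None)               # de-provision on loss of affiliation
        return granted

    def reconcile(self, directory: dict) -> list:
        """Re-check active accounts against current directory data, not the last login.

        `directory` is a constructed stand-in for an attribute lookup
        (eid -> current affiliations). Returns the EIDs that were deactivated.
        """
        removed = []
        for eid in list(self.active):
            current = set(directory.get(eid, ()))
            if current & self.allowed_affiliations:
                self.active[eid] = current
            else:
                removed.append(eid)
                del self.active[eid]
        return removed


def lifecycle_demo() -> list:
    """Walk one constructed identity through enrolment, departure and a later login."""
    svc = ServiceAccess(frozenset({"student", "employee", "faculty", "staff"}))
    events = []
    # Constructed assertion for a current student: authenticated and authorized.
    events.append(svc.authorize({"eid": "jd1234", AFFILIATION_ATTR: ["student", "member"]}))
    # The student graduates; a periodic reconcile sees only 'alum' and deactivates.
    events.append(svc.reconcile({"jd1234": ["alum"]}))
    # The EID still authenticates at the IdP, but the SP now denies access.
    events.append(svc.authorize({"eid": "jd1234", AFFILIATION_ATTR: ["alum"]}))
    # An assertion with no affiliation released must be treated as unauthorized.
    events.append(svc.authorize({"eid": "jd1234"}))
    return events
```

The reconcile step matters for long-lived sessions and for systems that only see the user at login: without it, an account provisioned while the affiliation was valid remains usable until the person next signs in, if they ever do.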