This page provides additional detail regarding IAM concepts. If you are merely searching for a definition, try our Terminology page.
Attribute
An attribute is a quality or characteristic ascribed to someone or something.
In IAM, an identity will typically have many different attributes including (but not limited to) names, contact information, relationship to the organization, department, etc. Perhaps the most important set of attributes are the identifiers which we explore in further detail later in this document.
For an accounting of attributes available in the uTexas Enterprise Directory (TED), see our TED Directory Attributes page.
For information about selecting the right attributes for your system, see Choosing the Right Attributes.
Authentication
Authentication is the act of determining that a person is who they claim to be.
Not to be confused with authorization, authentication only establishes the identity of an end user. Authentication makes no decision about whether an end user should have access to a resource. The identity provider may, however, provide the service provider with information that allows the service provider to make an authorization decision.
Authorization
Authorization refers to the act of determining whether an authenticated user is allowed to access a specific resource or take a specific action.
Common authorization schemes include Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC).
With ABAC, a system’s authorization rules are based on one or more attribute values. For example, at UT Austin, you may want to restrict access to current students. The system may obtain the utexasEduPersonAffiliation attribute for the user and look for the student-current value. It would then grant or deny access based on that value.
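The affiliation check described above as an added example (not the IAM Team's code): the policy table, the sample attribute assertions, the EID "bevo" and affiliation values other than student-current are constructed placeholders. The decision is recomputed from the attributes presented on each request, so it also shows what happens once the same identity is no longer a current student.

```python
"""Attribute-based access check on a UT-style affiliation attribute."""

# Constructed policy: which affiliation values unlock which resource.
POLICY = {
    "course-materials": {"student-current"},
    "timesheets": {"employee-current"},   # assumed value, for illustration
}

AFFILIATION_ATTR = "utexasEduPersonAffiliation"


def is_authorized(assertion: dict, resource: str) -> tuple:
    """Return (decision, reason) for one request.

    `assertion` is the attribute set released by the IdP for this login,
    modelled as attribute name -> list of values (directory attributes are
    typically multi-valued).  Anything unexpected is a deny: an unknown
    resource, a missing attribute, or no matching value.
    """
    required = POLICY.get(resource)
    if required is None:
        return False, f"no policy for resource {resource!r}: default deny"
    values = assertion.get(AFFILIATION_ATTR)
    if not values:
        return False, f"{AFFILIATION_ATTR} absent from assertion: default deny"
    matched = required.intersection(values)
    if matched:
        return True, f"matched {sorted(matched)}"
    return False, f"{sorted(values)} contains none of {sorted(required)}"


# Constructed assertions for one identity at two points in its life cycle.
ASSERTION_WHILE_ENROLLED = {
    "eduPersonPrincipalName": ["bevo@utexas.edu"],
    AFFILIATION_ATTR: ["student-current", "member"],
}
ASSERTION_AFTER_GRADUATION = {
    "eduPersonPrincipalName": ["bevo@utexas.edu"],   # identity persists
    AFFILIATION_ATTR: ["former-student"],            # affiliation changed
}

if __name__ == "__main__":
    for label, a in [("enrolled", ASSERTION_WHILE_ENROLLED),
                     ("after graduation", ASSERTION_AFTER_GRADUATION)]:
        ok, why = is_authorized(a, "course-materials")
        print(f"{label}: {'ALLOW' if ok else 'DENY'} ({why})")
```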
Identifiers
An identifier is a special type of attribute consisting of a (generally) unique label for an identity.
An identity will typically have several identifiers, used in various situations and contexts. For example, your identity may have one or more of: a Social Security Number (SSN), a Texas Driver’s License (TXDL) number, and a U.S. Passport number. With many cloud-based services, your email address is used as an identifier.
Identifiers may be compound, composed of several values. For example, an identifier that distinguishes you from individuals at other universities might combine your UT EID with your institution information. For instance, the eduPersonPrincipalName (ePPN) takes the format <eid>@utexas.edu.
Some identifiers which you may see at The University of Texas at Austin:
Name | Format | Description
---|---|---
UT Electronic Identifier (UT EID) | 2-8 characters: alphanumeric plus hyphen (-), underscore (_), and period (.) | The official public records identifier for the University.
eduPersonPrincipalName (ePPN) | <eid>@utexas.edu | Part of the eduPerson LDAP schema.
Institutional Identifier (IID) | <eid>@eid.utexas.edu | Designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, it forwards to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement.
These are but a small sampling of the identifiers out there. If you are working on adding UT EID-based authentication to your application, you will probably use one of the above. See Choosing the Right Attributes for more information.
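A helper for the three identifier formats in the table, added here as an example (not the IAM Team's code); the function names are constructed and the EID check is syntactic only, using the character set and length given above. It also shows the check an SP should make when recovering an EID from a scoped identifier: the scope must match exactly, not merely end in utexas.edu.

```python
"""Derive and parse UT EID-based identifiers (ePPN and IID)."""
import re
from typing import Optional

# From the table: 2-8 characters from letters, digits, "-", "_" and ".".
EID_RE = re.compile(r"[A-Za-z0-9._-]{2,8}")
EPPN_SCOPE = "utexas.edu"        # ePPN is <eid>@utexas.edu
IID_SCOPE = "eid.utexas.edu"     # IID is <eid>@eid.utexas.edu


def is_valid_eid(eid: str) -> bool:
    """Well-formedness only; says nothing about whether the EID exists."""
    return EID_RE.fullmatch(eid) is not None


def eppn_for(eid: str) -> str:
    if not is_valid_eid(eid):
        raise ValueError(f"not a well-formed UT EID: {eid!r}")
    return f"{eid}@{EPPN_SCOPE}"


def iid_for(eid: str) -> str:
    if not is_valid_eid(eid):
        raise ValueError(f"not a well-formed UT EID: {eid!r}")
    return f"{eid}@{IID_SCOPE}"


def eid_from_scoped(identifier: str, scope: str) -> Optional[str]:
    """Recover the EID from an ePPN or IID, only if the scope matches exactly.

    Comparing the whole domain (not a suffix) means values such as
    "x@utexas.edu.example.org" or "x@notutexas.edu" are rejected, which
    matters when the SP relies on the scope to decide who asserted the user.
    """
    local, sep, domain = identifier.rpartition("@")
    if not sep or domain != scope or not is_valid_eid(local):
        return None
    return local
```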
Identity
An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).
Identity Life Cycle
Like the real-world entities they represent, identities have a life cycle. Their connection to the University will change over time and the accounts and authorizations they have will also change accordingly. The identity itself does not go away.
When a user leaves the University (e.g. graduation, separation) their identity persists and they will continue to be able to authenticate using their UT EID. This allows individuals to later come back and apply for jobs, request transcripts, etc. Systems must take into account the current status of a user in their authorization schemes and change account authorizations when that status changes.
For example, if a student or employee leaves the University, the wireless network will note the change in affiliation and remove authorizations for wireless access.
This concept is also referred to as Life Cycle Management (LCM).
Provisioning and De-provisioning
Provisioning and de-provisioning is the process by which user accounts are created when they are needed and deleted, archived, or made inactive when they are no longer needed. This is a critical component of the identity life cycle.
Identity Provider (IdP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service.
In the UT Austin context, the IAM Team’s Enterprise Authentication service acts as the IdP. It handles authentication for the service and provides the service with identity data for an authenticated user.
Metadata
Metadata is a set of data that describes and gives information about other data.
In the context of authentication integrations at UT Austin, metadata describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, the metadata contains instructions for how the IdP and SP should communicate with each other.
Multi-Factor Authentication (MFA)
There are three generally-recognized factors of authentication:
- Knowledge: Something you know, e.g., a password or Personal Identification Number (PIN)
- Possession: Something you have, e.g., your phone or a YubiKey
- Inherence: Something you are, e.g., your fingerprint
Some systems also consider location factors and behavior factors.
The idea behind multi-factor authentication is to use more than one of these factors for authentication. While it’s possible that a bad actor may obtain access to one factor, it is far less likely that they will obtain access to multiple factors.
At UT Austin, you use your UT EID (something you know) and your Cisco Duo account (something you have, such as your smartphone, cell phone, or YubiKey).
In some cases, this will be referred to as 2FA or Two-Factor Authentication. It has the same meaning, though 2FA explicitly refers to the use of two factors of authentication whereas MFA refers to more than one.
Notably, this is distinct from scenarios where you provide multiple instances of a single factor of authentication. For example, if you provide both a password and a PIN those are both knowledge factors and, therefore, you would be performing multiple steps for a single factor of authentication.
Names
Names can be a complex topic. In theory, the IAM Team strives to place as few restrictions on names as possible. A good resource for understanding why that is our goal is Falsehoods Programmers Believe About Names by Patrick McKenzie.
However, several downstream and upstream systems don’t implement the guidelines set forth in that article. In some cases, this is due to oversight or a lack of experience. In other cases, it is due to actual limitations in the system (e.g., University applications running on the Mainframe).
If you are planning on integrating your application with UT Austin identity services, please ensure that your application makes as few assumptions as possible regarding names. When and where possible, we recommend that you make use of the displayName, as this single-valued attribute will most closely match the individual’s chosen name and spelling given systemic limitations.
Service Provider (SP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service.
In the UT Austin context there are hundreds of SPs. Examples include (but are not limited to) Canvas, UT Direct, and Workday. These all provide a service where Enterprise Authentication provides the identity (authentication and data).
UT EID
The University of Texas Electronic Identifier (UT EID) is the primary identifier at The University of Texas at Austin. It is most visible to customers as the username used for campus-wide Single Sign On (SSO). Several other prominent identifiers are based on the UT EID.
While the UT EID has been in existence since 1995, it gained prominence in the mid-2000s as a replacement for the Social Security Number (SSN) which, at the time, was a commonly-used identifier at universities across the country. University alumni going back several decades were retroactively assigned a UT EID in order to assist with identifying student records. The UT EID was also used at a number of UT System component institutions though their use has declined.
It is important to note that while UT EIDs generally do not change, there are exceptions to that rule. As with all identifiers, your systems should not assume that the UT EID is immutable. Identifiers can change.
Even more detailed information regarding the UT EID can be found on The University of Texas Electronic Identifier.