This page provides additional detail regarding IAM concepts. If you are merely searching for a definition, try our Terminology page.
Attribute
An attribute is a quality or characteristic ascribed to someone or something.
In IAM, an identity will typically have many different attributes including (but not limited to) names, contact information, relationship to the organization, department, etc. Perhaps the most important set of attributes are the identifiers which we explore in further detail later in this document.
For an accounting of attributes available in the uTexas Enterprise Directory (TED), see our TED Directory Attributes page.
For information about selecting the right attributes for your system, see Choosing the Right Attributes.
Authentication
Authentication is the act of determining that a person is who they claim to be.
Not to be confused with authorization, authentication only establishes the identity of an end user. Authentication makes no decision about whether that end user should have access to a resource. The identity provider (IdP) may, however, supply the service provider with information (attributes) that allows the service provider to make an authorization decision.
Authorization
Authorization refers to the act of determining whether an authenticated user is allowed to access a specific resource or take a specific action.
Common authorization schemes include Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC).
With ABAC, a system's authorization rules are based on one or more attribute values. For example, at UT Austin, you may want to restrict access to current students. The system would obtain the utexasEduPersonAffiliation attribute for the user and check for the student-current value, then grant or deny access based on whether that value is present. Note that the attribute is multi-valued: a person may hold several affiliations at once (e.g., a former student who is a current employee), so rules should test for the exact required value rather than treat the attribute as a single string.
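The decision described above, as an added example that is not code from the page or the IAM Team. The attribute name utexasEduPersonAffiliation and the values student-current, student-former and employee-current follow the page; the resource names, the rule table and the dict shape of the attribute set are assumptions for illustration. It shows the prefix-matching mistake beside the exact-match check, and the re-evaluation an SP should run when a user's affiliation changes.

```python
# Added example, not code from the page or the IAM Team: an attribute-based
# access decision over the multi-valued utexasEduPersonAffiliation attribute.
# The attribute name and the values student-current / student-former /
# employee-current follow the page; the resource names, rule table and the
# dict shape of the attributes are assumptions for illustration.

AFFILIATION_ATTR = "utexasEduPersonAffiliation"

# Hypothetical rule table: resource -> set of affiliation values that grant access.
ABAC_RULES = {
    "course-registration": {"student-current"},
    "campus-wifi": {"student-current", "employee-current"},
}

# Constructed sample users, shaped like attribute sets an SP might receive from the IdP.
CURRENT_STUDENT = {AFFILIATION_ATTR: ["student-current"]}
ALUMNUS = {AFFILIATION_ATTR: ["student-former"]}
STAFF_ALUMNUS = {AFFILIATION_ATTR: ["student-former", "employee-current"]}
NO_AFFILIATION = {}  # the identity persists after leaving, but may carry no affiliation


def affiliations(attrs):
    """Return the user's affiliations as a set. A missing attribute means no
    affiliation (and therefore no access), not an error."""
    values = attrs.get(AFFILIATION_ATTR, [])
    if isinstance(values, str):  # tolerate a single value delivered as a string
        values = [values]
    return set(values)


def naive_allows(attrs, resource):
    """The mistake to avoid: matching on the prefix of the affiliation name.
    'student-former' starts with 'student', so alumni would be admitted."""
    joined = " ".join(affiliations(attrs))
    return any(req.split("-")[0] in joined for req in ABAC_RULES.get(resource, ()))


def abac_allows(attrs, resource):
    """Deny by default: an unknown resource or no exact match on a required
    value yields False. Set intersection handles multi-valued attributes."""
    required = ABAC_RULES.get(resource, set())
    return bool(affiliations(attrs) & required)


def access_changes(old_attrs, new_attrs):
    """Re-evaluate every rule when a user's attributes change (a life-cycle
    event such as graduation). Returns (resources_to_revoke, resources_to_grant)."""
    before = {r for r in ABAC_RULES if abac_allows(old_attrs, r)}
    after = {r for r in ABAC_RULES if abac_allows(new_attrs, r)}
    return before - after, after - before


if __name__ == "__main__":
    print(naive_allows(ALUMNUS, "course-registration"))  # True: the bug
    print(abac_allows(ALUMNUS, "course-registration"))   # False
    print(access_changes(CURRENT_STUDENT, ALUMNUS))      # revoke both resources, grant none
```

The same access_changes check is what a system should run whenever the IdP reports a new affiliation set, since the identity itself persists after the person leaves and only its affiliations change.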
Identifiers
An identifier is a special type of attribute consisting of a (generally) unique label for an identity.
An identity will typically have several identifiers, used in various situations and contexts. For example, your identity may have one or more of: a Social Security Number (SSN), a Texas Driver’s License (TXDL) number, and a U.S. Passport number. With many cloud-based services, your email address is used as an identifier.
Identifiers may be compound, composed of several values. For example, an identifier that distinguishes you from individuals at other universities might combine your UT EID with your institution's domain. For instance, the eduPersonPrincipalName (ePPN) takes the format <eid>@utexas.edu.
Some identifiers which you may see at The University of Texas at Austin:
Name | Format | Description |
---|---|---|
UT Electronic Identifier (UT EID) | 2-8 characters: alphanumeric, hyphen (-), underscore (_), and period (.) | The official public records identifier for the University. |
eduPersonPrincipalName (ePPN) | <eid>@utexas.edu | Part of the eduPerson LDAP schema. |
Institutional Identifier (IID) | <eid>@eid.utexas.edu | Designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, it will forward to the user's email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement. |
These are but a small sampling of the identifiers out there. If you are working on an Integration to add UT EID-based authentication to your application, you will probably use one of the above. See Choosing the Right Attributes for more information.
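A validator for the identifier formats in the table above, as an added example that is not code from the page or the IAM Team. The EID character set and length and the ePPN and IID scopes come from the table; the sample EID jd1234, the internal account ids, and the case handling are assumptions (the page does not say whether EIDs are case-sensitive, so the EID is kept as delivered and only the scope is compared case-insensitively). The AccountStore shows the practical consequence of the "identifiers can change" caveat: local accounts keyed by an internal id so that an EID change is a remap rather than an orphaned account.

```python
import re

# Added example, not code from the page or the IAM Team. Formats come from the
# identifier table: a UT EID is 2-8 characters from letters, digits, hyphen,
# underscore and period; an ePPN is <eid>@utexas.edu; an IID is
# <eid>@eid.utexas.edu. Assumptions: the EID is kept as delivered (the page does
# not state case rules) and only the scope is lower-cased; internal account ids
# and the sample EID "jd1234" are invented for illustration.

EID_RE = re.compile(r"[A-Za-z0-9._-]{2,8}")
SCOPES = {"utexas.edu": "eppn", "eid.utexas.edu": "iid"}


def is_valid_eid(eid):
    """True if eid matches the stated UT EID format. fullmatch (rather than $)
    rejects a trailing newline or any other trailing junk."""
    return isinstance(eid, str) and EID_RE.fullmatch(eid) is not None


def parse_scoped_identifier(value):
    """Split an ePPN or IID into (kind, eid). Anything that is not exactly
    <eid>@<known scope> raises ValueError: 'jd1234@utexas.edu.example.com',
    'jd1234@utexas.edu@x' and a scope spelled with look-alike Unicode letters
    are all rejected because the whole scope is checked against the allow-list."""
    if not isinstance(value, str) or value.count("@") != 1:
        raise ValueError("identifier must contain exactly one '@'")
    eid, scope = value.split("@")
    kind = SCOPES.get(scope.lower())
    if kind is None:
        raise ValueError(f"unknown scope {scope!r}")
    if not is_valid_eid(eid):
        raise ValueError(f"malformed EID {eid!r}")
    return kind, eid


def safe_parse(value):
    """Non-raising variant for callers that only need accept/reject."""
    try:
        return parse_scoped_identifier(value)
    except ValueError:
        return None


class AccountStore:
    """Local accounts keyed by an internal id rather than by the EID, so that an
    EID change becomes a remap of one entry instead of an orphaned account.
    The ePPN and IID of the same EID resolve to the same account."""

    def __init__(self):
        self._by_eid = {}
        self._next_id = 1

    def resolve(self, scoped):
        _kind, eid = parse_scoped_identifier(scoped)
        if eid not in self._by_eid:
            self._by_eid[eid] = self._next_id
            self._next_id += 1
        return self._by_eid[eid]

    def relink(self, old_scoped, new_scoped):
        """Handle an identifier change: move the existing account to the new EID."""
        _k, old_eid = parse_scoped_identifier(old_scoped)
        _k, new_eid = parse_scoped_identifier(new_scoped)
        if old_eid not in self._by_eid:
            raise KeyError(old_scoped)
        if new_eid in self._by_eid:
            raise ValueError(f"{new_scoped} already belongs to another account")
        self._by_eid[new_eid] = self._by_eid.pop(old_eid)
        return self._by_eid[new_eid]


if __name__ == "__main__":
    store = AccountStore()
    print(store.resolve("jd1234@utexas.edu"), store.resolve("jd1234@eid.utexas.edu"))  # 1 1
    print(safe_parse("jd1234@utexas.edu.example.com"))  # None
```

The scope check is the security-relevant part: an SP that accepts any ePPN-shaped string, or that matches the scope as a prefix or substring, will accept an identifier minted by a different institution's IdP as if it were a UT EID.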
Identity
An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).
Identity Life Cycle
Like the real-world entities they represent, identities have a life cycle. Their connection to the University will change over time and the accounts and authorizations they have will also change accordingly. The identity itself does not go away.
When a user leaves the University (e.g. graduation, separation) their identity persists and they will continue to be able to authenticate using their UT EID. This allows individuals to later come back and apply for jobs, request transcripts, etc. Systems must take into account the current status of a user in their authorization schemes and change account authorizations when that status changes.
For example, if a student or employee leaves the university, the wireless network will note the change in affiliation and remove authorizations for wireless access.
This concept is also referred to as Life Cycle Management (LCM).
Provisioning and De-provisioning
Provisioning and de-provisioning is the process by which user accounts are created when they are needed and deleted, archived, or made inactive when they are no longer needed. This is a critical component of the identity life cycle.
Identity Provider (IdP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service.
In the UT Austin context, the IAM Team’s Enterprise Authentication service acts as the IdP. It handles authentication for the service and provides the service with identity data for an authenticated user.
Metadata
Metadata is a set of data that describes and gives information about other data.
In the context of authentication integrations at UT Austin, metadata describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, the metadata contains instructions for how the IdP and SP should communicate with each other.
Multi-Factor Authentication (MFA)
There are three generally-recognized factors of authentication:
- Knowledge: something you know, e.g., a password or Personal Identification Number (PIN)
- Possession: something you have, e.g., your phone or a YubiKey
- Inherence: something you are, e.g., your fingerprint
Some systems also consider location factors and behavior factors.
The idea behind multi-factor authentication is to use more than one of these factors for authentication. While it’s possible that a bad actor may obtain access to one factor, it is far less likely that they will obtain access to multiple factors.
At UT Austin, you authenticate with your UT EID and EID password (something you know) and your Cisco Duo account (something you have, such as your smartphone, cell phone, or YubiKey).
In some cases, this will be referred to as 2FA or Two-Factor Authentication. The terms are used interchangeably, though strictly 2FA refers to exactly two factors whereas MFA refers to two or more.
Notably, this is distinct from scenarios where you provide multiple instances of a single factor of authentication. For example, if you provide both a password and a PIN those are both knowledge factors and, therefore, you would be performing multiple steps for a single factor of authentication.
Names
Names can be a complex topic. As a rule, the IAM Team strives to place as few restrictions on names as possible. A good resource for understanding why that is our goal is Falsehoods Programmers Believe About Names by Patrick McKenzie.
However, several downstream and upstream systems don’t implement the guidelines set forth in that article. In some cases, this is due to oversights or a lack of experience. In other cases, it is due to actual limitations in the system (e.g., University applications running on the Mainframe).
If you are planning on integrating your application with UT Austin identity services, please ensure that your application makes as few assumptions as possible regarding names. When and where possible, we recommend that you use the displayName attribute, as this single-valued attribute will most closely match the individual's chosen name and spelling, given systemic limitations.
Service Provider (SP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service.
In the UT Austin context there are hundreds of SPs. Examples include (but are not limited to) Canvas, UT Direct, and Workday. These all provide a service where Enterprise Authentication provides the identity (authentication and data).
UT EID
The University of Texas Electronic Identifier (UT EID) is the primary identifier at The University of Texas at Austin. It is most visible to customers as the username used for campus-wide Single Sign On (SSO). Several other prominent identifiers are based on the UT EID.
While the UT EID has been in existence since 1995, it gained prominence in the mid-2000s as a replacement for the Social Security Number (SSN) which, at the time, was a commonly-used identifier at universities across the country. University alumni going back several decades were retroactively assigned a UT EID in order to assist with identifying student records. The UT EID was also used at a number of UT System component institutions though their use has declined.
It is important to note that while UT EIDs generally do not change, there are exceptions to that rule. As with all identifiers, your systems should not assume that the UT EID is immutable. Identifiers can change.
Even more detailed information regarding the UT EID can be found on: