This page provides additional detail regarding IAM concepts. If you are merely searching for a definition, try our Terminology page.
Attribute
An attribute is a quality or characteristic ascribed to someone or something.
In IAM, an identity will typically have many different attributes including (but not limited to) names, contact information, relationship to the organization, department, etc. Perhaps the most important set of attributes is the identifiers, which we explore in further detail later in this document.
For an accounting of attributes available in the uTexas Enterprise Directory (TED), see our TED Directory Attributes page.
Authentication
Authentication is the act of determining that a person is who they claim to be.
Not to be confused with authorization, authentication only determines the identity of an end user. Authentication makes no decision about whether an end user should have access to a resource. The identity provider may, however, provide the service provider with information which allows the service provider to make an authorization decision.
Authorization
Authorization refers to the act of determining whether an authenticated user is allowed to access a specific resource or take a specific action.
Common authorization schemes include Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC).
With ABAC, a system’s authorization rules are based on one or more attribute values. For example, at UT Austin, you may want to limit access to current students. The system may obtain the utexasEduPersonAffiliation attribute for the user and look for the student-current value. It would then grant or deny access based on that value.
Identifiers
An identifier is a special type of attribute consisting of a (generally) unique label for an identity.
An identity will typically have several identifiers, used in various situations and contexts. For example, your identity may have one or more of: a Social Security Number (SSN), a Texas Driver’s License (TXDL) number, and a U.S. Passport number. With many cloud-based services, your email address is used as an identifier.
Identifiers may be compound, composed of several values. For example, an identifier which distinguishes you from individuals at other universities might combine your UT EID with your institution information. For instance, the eduPersonPrincipalName (ePPN) takes the format <eid>@utexas.edu.
Some identifiers which you may see at The University of Texas at Austin:
Name | Format | Description |
---|---|---|
UT Electronic Identifier (UT EID) | 2-8 characters, alphanumeric as well as hyphen (- ), underscore (_ ), and period (. ) | The official public records identifier for the University. |
eduPersonPrincipalName (ePPN) | <eid>@utexas.edu | Part of the eduPerson LDAP schema. |
Institutional Identifier (IID) | <eid>@eid.utexas.edu | Designed for use with cloud-based services whose usernames are e-mail addresses. When used as an email address, will forward to the user’s email address on record. Guest-class EIDs do NOT have IIDs unless they have been granted a special entitlement. |
These are but a small sampling of the identifiers out there. If you are working on an Integration to add UT EID-based authentication to your application, you will probably use one of the above.
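As an added example (not code from the original page or from the IAM Team), a small validator for the three identifier formats in the table above. It checks the documented UT EID character rules and extracts the EID from an ePPN or IID; the domain comparison is case-insensitive, which is an assumption, and the EID itself is returned unchanged.

```python
import re

# UT EID format from the identifier table on this page: 2-8 characters,
# alphanumeric plus hyphen, underscore and period.
EID_RE = re.compile(r"^[A-Za-z0-9._-]{2,8}$")
EPPN_SUFFIX = "@utexas.edu"       # eduPersonPrincipalName: <eid>@utexas.edu
IID_SUFFIX = "@eid.utexas.edu"    # Institutional Identifier: <eid>@eid.utexas.edu


def is_valid_eid(eid: str) -> bool:
    """Return True if the string matches the documented UT EID format."""
    return EID_RE.fullmatch(eid) is not None


def classify_identifier(value: str):
    """Classify a string as a bare EID, an ePPN or an IID.

    Returns (kind, eid) where kind is 'eid', 'eppn' or 'iid', or
    (None, None) when the value is none of these. The suffix check is
    done on the lowercased string (assumed: domains are case-insensitive);
    the local part must itself be a well-formed EID, so an address with
    the right domain but a malformed local part is rejected rather than
    passed through to an authorization rule.
    """
    v = value.strip()
    lowered = v.lower()
    if is_valid_eid(v):
        return ("eid", v)
    for kind, suffix in (("iid", IID_SUFFIX), ("eppn", EPPN_SUFFIX)):
        if lowered.endswith(suffix):
            local = v[: -len(suffix)]
            if is_valid_eid(local):
                return (kind, local)
            return (None, None)
    return (None, None)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    for sample in ("jd12345", "jd12345@utexas.edu",
                   "jd12345@eid.utexas.edu", "jd12345@example.com"):
        print(sample, "->", classify_identifier(sample))
```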
Identity
An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).
Identity Life Cycle
Like the real-world entities they represent, identities have a life cycle. Their connection to the University will change over time and the accounts and authorizations they have will also change accordingly. The identity itself does not go away.
When a user leaves the University (e.g. graduation, separation) their identity persists and they will continue to be able to authenticate using their UT EID. This allows individuals to later come back and apply for jobs, request transcripts, etc. Systems must take into account the current status of a user in their authorization schemes and change account authorizations when that status changes.
For example, if a student or employee leaves the university, the wireless network will note the change in affiliation and remove authorizations for wireless access.
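As an added example (not code from the original page), the ABAC check described under Authorization applied to the affiliation change described here: it evaluates the utexasEduPersonAffiliation attribute received from the IdP against a rule and reports whether an existing grant must be revoked. The attribute name and the student-current value are from the page; the wireless rule, the other affiliation values and the assertion dictionaries are constructed for illustration.

```python
from typing import Iterable, Mapping, Union

# Attribute name and the student-current value come from this page; the
# rule below and every other value are constructed for illustration.
AFFILIATION_ATTR = "utexasEduPersonAffiliation"
REQUIRED_FOR_WIRELESS = frozenset({"student-current"})


def affiliations(assertion: Mapping[str, Union[str, Iterable[str]]]) -> frozenset:
    """Return the affiliation attribute from an IdP assertion as a set.

    The attribute is multi-valued, but some attribute mappings deliver a
    lone value as a bare string; both shapes are normalised. A missing
    attribute yields an empty set so every rule denies by default.
    """
    raw = assertion.get(AFFILIATION_ATTR, ())
    if isinstance(raw, str):
        raw = (raw,)
    return frozenset(v.strip().lower() for v in raw)


def is_authorized(assertion, required: Iterable[str] = REQUIRED_FOR_WIRELESS) -> bool:
    """ABAC decision: grant only if at least one required affiliation is asserted."""
    return bool(affiliations(assertion) & frozenset(required))


def reconcile(currently_allowed: bool, assertion, required=REQUIRED_FOR_WIRELESS):
    """Life cycle step: re-evaluate an existing grant against a fresh assertion.

    Returns (allowed, action) where action is 'grant', 'revoke' or 'keep',
    so a provisioning job can act on transitions rather than on every user.
    """
    allowed = is_authorized(assertion, required)
    if allowed and not currently_allowed:
        return True, "grant"
    if currently_allowed and not allowed:
        return False, "revoke"
    return allowed, "keep"


if __name__ == "__main__":
    # Constructed assertions for one identity at two points in its life cycle.
    enrolled = {AFFILIATION_ATTR: ["student-current", "member"]}
    graduated = {AFFILIATION_ATTR: "student-former"}
    allowed, action = reconcile(False, enrolled)     # (True, 'grant')
    print(action)
    allowed, action = reconcile(allowed, graduated)  # (False, 'revoke')
    print(action)
```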
This concept is also referred to as Life Cycle Management (LCM).
Provisioning and De-provisioning
Provisioning and de-provisioning is the process by which user accounts are created when they are needed and deleted, archived, or made inactive when no longer needed. This is a critical component of the identity life cycle.
Identity Provider (IdP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service.
In the UT Austin context, the IAM Team’s Enterprise Authentication service acts as the IdP. It handles authentication for the service and provides the service with identity data for an authenticated user.
Metadata
Metadata is a set of data that describes and gives information about other data.
In the context of authentication integrations at UT Austin, metadata describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, the metadata contains instructions for how the IdP and SP should communicate with each other.
Multi-Factor Authentication (MFA)
There are three generally-recognized factors of authentication:
- Something you know, e.g., a password or Personal Identification Number (PIN)
- Something you have, e.g., your phone or a YubiKey
- Something you are, e.g., your fingerprint
The idea behind multi-factor authentication is to use more than one of these factors for authentication. While it’s possible that a bad actor may obtain access to one factor, it is far less likely that they will obtain access to multiple factors.
At UT Austin, you use your UT EID and EID password (something you know) and your Cisco Duo account (something you have, such as your smartphone, cell phone, or YubiKey).
In some cases, this will be referred to as 2FA or Two-Factor Authentication. It has the same meaning, though 2FA explicitly refers to the use of two factors of authentication whereas MFA refers to more than one.
Service Provider (SP)
In an authentication relationship, the Identity Provider (IdP) provides the identity and the Service Provider (SP) provides the service.
In the UT Austin context there are hundreds of SPs. Examples include (but are not limited to) Canvas, UT Direct, and Workday. These all provide a service where Enterprise Authentication provides the identity (authentication and data).