About Centralized Authentication Services
Authentication is the act of determining that a person is who they claim to be.
Centralized authentication services are provided by Information Technology Services (ITS) for use by campus departments and their duly sponsored third-party service providers. Centralized authentication services allow service providers to participate in single sign-on authentication based on the University of Texas Electronic Identity (UT EID, or EID), the public records identifier for principals at the university.
Centralized authentication services currently consist of the following offerings:
- Enterprise Authentication
- Guest Authentication
- Multi-Factor Authentication
- uTexas Enterprise Directory (TED), the University's enterprise directory
Authentication protocols
Enterprise Authentication, which is managed by the IAM Team, provides a Security Assertion Markup Language (SAML) v2.0-compliant Identity Provider (IdP). The IdP manages the user's primary authentication credentials (the UT EID and EID Password), authenticates UT EID holders on behalf of Service Providers (SPs, the servers or systems that host a resource and that you or your vendor configure to integrate with the IdP), and provides trusted SPs with assertions carrying attributes about those identities for the purposes of federating authorization (determining whether an authenticated user is allowed to access a specific resource or take a specific action) and access management. Hundreds of service providers currently integrate with this IdP.
Guest Authentication is a centralized authentication service suitable for use with low-risk web-based services and applications to allow access without requiring a UT EID. This service allows guests to access protected resources using their Apple ID, Google Account, Microsoft Account, or an account from an identity provider in the InCommon Federation.
Multi-factor authentication is provided by the third-party provider Duo Security. This authentication is integrated with Enterprise Authentication. Multi-factor authentication is also integrated with a number of other services on campus such as the University’s Virtual Private Network (VPN).
The uTexas Enterprise Directory (TED) provides a Lightweight Directory Access Protocol (LDAP) v3 interface, based on a simplified subset of the X.500 directory standards, which gives trusted TED Service Accounts the ability to authenticate UT EID holders and obtain attributes about those identities for the purposes of federating authorization and access management.
Sources of identity data
All centralized authentication services rely upon centralized directories which are not, themselves, the systems of record for any identity attributes. Under exceptional circumstances these systems may not reflect the most current, official status of a student or employee.
System Use and Responsibilities
Exclusive, non-transferable use
You agree that non-public information (i.e., information not available through public sources such as the white pages directory) that your service accesses through centralized authentication services will be used only to control access to your application and/or for the specific purposes described in your request for access.
Protection of identity data
You also agree that restricted data obtained via your service and/or its credentials will not be presented to users by your application, nor will you divulge it to others, unless specified in your request for access.
If your system displays data to users that has been restricted from release by the subject of the data, the system must indicate to the user that the data is release-restricted.
Other applicable policies and statutes
You agree to use this service in a manner consistent with this policy and with other university rules governing acceptable use of information technology, including confidential data.
You also agree to comply with all applicable state and federal laws. The Family Educational Rights and Privacy Act of 1974 (FERPA), a federal law which pertains to the release of and access to educational records, restricts access to student records. These legal restrictions apply to all users of centralized authentication services.
Confidentiality of records
All account holders are responsible for maintaining the confidentiality of records made available through centralized authentication services.
Best Practices
Where applicable, all customers of centralized authentication services are expected to make use of best practices.
Liability
All sponsoring departments are responsible for the actions taken by their sponsored third-party service providers on their behalf.
Failure to comply
Failure to comply with this policy may result in the immediate discontinuation of service or disciplinary actions without notice. Failure to comply with applicable laws could result in civil actions or criminal charges.
Security Requirements
Exclusive, non-transferable use
A sponsoring department with access to centralized authentication services must not provide that access to other applications or for purposes other than those included in the original request for access.
Logging and monitoring
All centralized authentication services are subject to logging and security monitoring.
Access controls
Any attempt to circumvent centralized authentication services access rules, policies, and mechanisms is strictly prohibited.
Servers, applications, and other resources with access to centralized authentication services must be protected from unauthorized physical and electronic access.
Excessive usage
The use of centralized authentication services must be responsible, efficient, and non-disruptive.
In the event of excessive consumption of centralized authentication services, administrators will work with specified contacts to address the cause(s). If the cause(s) cannot be resolved, administrators reserve the right to suspend access privileges without notice.
Use of encryption
The sponsoring department agrees that user passwords, service shared secrets, and other non-public information will be transmitted only via approved encryption methods. This includes communications between the departmental application and centralized authentication services, and also any communications involved in making use of the data retrieved from centralized authentication services.
Reporting security incidents
Departments and their sponsored third-party service providers agree that they will immediately report any breach of security to the Information Security Office (ISO), the University's information security team, and to the centralized authentication services administrators.
Policy Acknowledgement Renewal
Acknowledgement of this policy must be renewed on an annual basis. Renewal is required in order to maintain access to centralized authentication services.
Further Information
For more information about centralized authentication services, please visit the Identity and Access Management Services page.
For more information about UT Austin’s information technology policies, please visit https://it.utexas.edu/policies.
For more information about the Information Security Office’s policies, standards, and guidelines, please visit https://security.utexas.edu/policies.
Change Log
- November 4, 2020 – Updated links, removed references to UTLogin.
- January 10, 2022 – Removed references to UT Shibboleth and consolidation of authentication services.