About Centralized Authentication Services
Centralized authentication services are provided by Information Technology Services (ITS) for use by campus departments and their duly sponsored third-party service providers. Centralized authentication services allow service providers to participate in single sign-on authentication based on the University of Texas Electronic Identity (UT EID).
Centralized authentication services currently consist of the following offerings:
- Enterprise Authentication
- Multi-Factor Authentication
- UT Shibboleth
- uTexas Enterprise Directory (TED)
Consolidating authentication services
The University is working towards consolidating all centralized authentication services into the Enterprise Authentication service offering. Customers of UT Shibboleth and UTLogin will be required to transition to Enterprise Authentication as directed by their transition manager.
Enterprise Authentication, UT Shibboleth, and UTLogin each provide a Security Assertion Markup Language (SAML) v2.0-compliant Identity Provider (IdP) which authenticates UT EID holders on behalf of Service Providers (SPs) and provides trusted SPs with attributes about those identities for the purposes of federating authorization and access management.
Multi-factor authentication is provided by the third-party provider Duo Security. This authentication is integrated with Enterprise Authentication, UT Shibboleth, and UTLogin. Multi-factor authentication is also integrated with a number of other services on campus such as the University’s Virtual Private Network (VPN).
UTLogin additionally provides a client-side policy agent which allows for the centralized maintenance of access rules to web-based and stand-alone resources.
The uTexas Enterprise Directory (TED) provides a Lightweight Directory Access Protocol (LDAP) v3 interface through which trusted TED Service Accounts can authenticate UT EID holders and obtain attributes about those identities for the purposes of federating authorization and access management.
Sources of identity data
All centralized authentication services rely upon centralized directories which are not, themselves, the systems of record for any identity attributes. Under exceptional circumstances these systems may not reflect the most current, official status of a student or employee.
System Use and Responsibilities
Exclusive, non-transferable use
You agree that non-public information (i.e., information not available through public sources such as the white pages directory) that your service accesses through centralized authentication services will be used only to control access to your application and/or for the specific purposes described in your request for access.
Protection of identity data
You also agree that restricted data obtained via your service and/or its credentials will not be presented to users by your application, nor will you divulge it to others, unless specified in your request for access.
If your system displays data to users that has been restricted from release by the subject of the data, the system must indicate to the user that the data is release-restricted.
Other applicable policies and statutes
You agree to use this service in a manner consistent with this policy and with other university rules governing acceptable use of information technology, including confidential data.
You also agree to comply with all applicable state and federal laws. The Family Educational Rights and Privacy Act of 1974 (FERPA) restricts access to student records. These legal restrictions apply to all users of centralized authentication services.
Confidentiality of records
All account holders are responsible for maintaining the confidentiality of records made available through centralized authentication services.
Where applicable, all customers of centralized authentication services are expected to make use of best practices.
All sponsoring departments are responsible for the actions taken by their sponsored third-party service providers on their behalf.
Failure to comply
Failure to comply with this policy may result in the immediate discontinuation of service or disciplinary actions without notice. Failure to comply with applicable laws could result in civil actions or criminal charges.
Exclusive, non-transferable use
A sponsoring department with access to centralized authentication services must not provide that access to other applications or for purposes other than those included in the original request for access.
Logging and monitoring
All centralized authentication services are subject to logging and security monitoring.
Any attempt to circumvent centralized authentication services access rules, policies, and mechanisms is strictly prohibited.
Servers, applications, and other resources with access to centralized authentication services must be protected from unauthorized physical and electronic access.
The use of centralized authentication services must be responsible, efficient, and non-disruptive. In the event of excessive consumption of centralized authentication services, administrators will work with specified contacts to address the cause(s). If the cause(s) cannot be resolved, administrators reserve the right to suspend access privileges without notice.
Use of encryption
The sponsoring department agrees that user passwords, service shared secrets, and other non-public information will be transmitted only via approved encryption methods. This includes communications between the departmental application and centralized authentication services, and also any communications involved in making use of the data retrieved from centralized authentication services.
Reporting security incidents
Departments and their sponsored third-party service providers agree that they will immediately report any breach of security to the Information Security Office (ISO) and the centralized authentication services administrators.
Policy Acknowledgement Renewal
Acknowledgement of this policy must be renewed on an annual basis. Renewal is required in order to maintain access to centralized authentication services.
For more information about centralized authentication services, please visit the Identity and Access Management Services page.
For more information about UT Austin’s information technology policies, please visit https://it.utexas.edu/policies.
For more information about the Information Security Office’s policies, standards, and guidelines, please visit https://security.utexas.edu/policies.