Overview of UT Austin
The University of Texas at Austin (UT Austin) is a large, complex institution with approximately 53k students, 4k faculty, and 15k staff.[1][2] Colleges, Schools, and Units (CSUs) are largely decentralized and independent. Centralized IT services are available through Enterprise Technology, but many CSUs have their own budgets and will make their own spending decisions.
As an external vendor, this means that you may interact with many different specialized teams at the University. Among those is the University’s Identity and Access Management (IAM) Team, sometimes anachronistically referred to as the “EID Team.” The IAM Team is part of Enterprise Technology, the central IT organization.
Think of the IAM Team as an implementation partner.
On Nomenclature
Since we’re the experts on identity here, it falls upon us to advise you to take care to refer to our University as “The University of Texas at Austin,” “UT Austin,” or “UT.”
It is considered a faux pas to refer to us as any of the following: “The University of Texas,” “UTA,” “U of T,” or “TU.” You may not get called out for using these terms, but you will be demonstrating a lack of knowledge, understanding, or care about your customer. “UTA,” in particular, refers to The University of Texas at Arlington.
Identity at The University
The IAM Team is responsible for several technical areas including identity management, authentication, and directory services. If you are not familiar with IAM concepts, please review our Concepts page.
The primary public records identifier at the University is the UT EID (the University of Texas Electronic Identity). The UT EID is used across campus to link administrative records to individuals, as well as for web-based Single Sign-On (SSO).
Identity Management
The IAM Team manages identities using a combination of custom, purpose-built systems and third-party vendor software. The identity management layer of services receives data from various authoritative Systems of Record (SORs) and coalesces the data into coherent identity records.
For example, a student employee will have very different sets of data between the student registrar and human resources, but the IAM Team compiles it all into a single record for a single individual.
Directory Services
The University has several centralized directory services including Austin Active Directory (Austin AD) and the uTexas Enterprise Directory (TED), an LDAPv3-based directory service. The IAM Team is responsible for maintaining the identity data in these directory services, ensuring that it is up-to-date and accurate. The IAM Team also administers TED (but not Austin AD).
Authentication Services
The IAM Team also manages the Identity Provider (IdP) for authentication services using Enterprise Authentication, an implementation of the Shibboleth IdP which supports SAML (Security Assertion Markup Language) and OIDC (OpenID Connect 1.0). In this way, the IAM Team handles the complexities of authentication and identity data and your system never needs to handle a password, greatly reducing everyone’s risk.
Technical Information
Authentication
If your application or service will make use of Single Sign-On (SSO) with UT Austin’s primary identifier, the UT EID, it will need to meet our Vendor Requirements.
Additionally, the metadata for your SAML Service Provider (SP) will need to meet the Metadata Requirements.
Finally, the configuration information you’ll need can be found on our Authentication Integration Technical Details page.
Identifiers
UT EIDs are between 2 and 8 characters and may contain letters, numbers, and the following special characters: underscore (_), period (.), and hyphen (-). They can be represented by the PCRE regular expression /[\w.-]{2,8}/ and are case-insensitive.
Person EIDs (that is, UT EIDs which represent a person) will always begin with an alphabetic character. They can be represented by the PCRE regular expression /[A-Za-z][\w.-]{1,7}/.
The UT EID can be presented in several different formats:
| Name | Format |
|---|---|
| UT EID | <eid> |
| eduPersonPrincipalName (ePPN) | <eid>@utexas.edu |
| Institutional Identifier (IID) | <eid>@eid.utexas.edu |
| sAMAccountName | <eid> |
The eduPersonPrincipalName (ePPN) is an attribute which is part of the eduPerson LDAP schema. The Institutional Identifier (IID) is designed for use with cloud-based services whose usernames are email addresses. When used as an email address, the IID will forward to the user’s email address on record. Guest-class EIDs do not have IIDs unless they have been granted a special entitlement. Of note, we align with the segment of the industry which maintains that the email address is not an appropriate user identifier.[3][4][5][6]
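As an added example (not code from the IAM Team or the vendor guide), the following Python module applies the two PCRE patterns and the identifier table above from the Service Provider's side: it validates an incoming identifier, case-folds it for comparison, renders it in each listed format, and recovers the EID from an ePPN or IID only when the scope is one of the two on the page. The patterns are anchored with fullmatch, since the unanchored forms quoted above would also accept a longer string that merely contains a valid EID; re.ASCII keeps \w at [A-Za-z0-9_] as in PCRE's default mode. Sample values such as jdoe42 are constructed.

```python
import re

# Anchored forms (via fullmatch) of the two PCRE patterns given on the page.
# re.ASCII keeps \w at [A-Za-z0-9_], as in PCRE's default mode.
EID_RE = re.compile(r"[\w.-]{2,8}", re.ASCII)
PERSON_EID_RE = re.compile(r"[A-Za-z][\w.-]{1,7}", re.ASCII)

# Scopes from the identifier table: ePPN and IID.
EPPN_SCOPE = "utexas.edu"
IID_SCOPE = "eid.utexas.edu"


def is_valid_eid(value: str) -> bool:
    """True if value is a well-formed UT EID (person or non-person)."""
    return EID_RE.fullmatch(value) is not None


def is_person_eid(value: str) -> bool:
    """True if value is well-formed and could represent a person (leading letter)."""
    return PERSON_EID_RE.fullmatch(value) is not None


def normalize_eid(value: str) -> str:
    """Canonical storage/comparison form. EIDs are case-insensitive, so two
    spellings that differ only by case denote the same principal."""
    if not is_valid_eid(value):
        raise ValueError(f"not a well-formed UT EID: {value!r}")
    return value.lower()


def eid_formats(value: str) -> dict:
    """Render one EID in each of the formats listed in the identifier table."""
    eid = normalize_eid(value)
    return {
        "UT EID": eid,
        "eduPersonPrincipalName": f"{eid}@{EPPN_SCOPE}",
        "Institutional Identifier": f"{eid}@{IID_SCOPE}",
        "sAMAccountName": eid,
    }


def eid_from_scoped(value: str) -> str:
    """Recover the EID from an ePPN or IID. A value carrying any other scope is
    rejected rather than truncated at '@', so a principal from another domain
    can never collapse onto a local account with the same local part."""
    local, sep, scope = value.rpartition("@")
    if not sep or scope.lower() not in (EPPN_SCOPE, IID_SCOPE):
        raise ValueError(f"unexpected scope in identifier: {value!r}")
    return normalize_eid(local)


def same_principal(a: str, b: str) -> bool:
    """Compare two EIDs the way the University does: case-insensitively."""
    return normalize_eid(a) == normalize_eid(b)


if __name__ == "__main__":
    # Constructed sample values, not real EIDs.
    print(eid_formats("JDoe42"))
    print(eid_from_scoped("JDOE42@EID.utexas.edu"))
```

Store and compare the normalized form; keep the raw value only for display. Rejecting unknown scopes in eid_from_scoped matters when the same application also federates with other identity providers.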
Authorization
Importantly, while we provide many services, it is the role of the SP or RP (Relying Party, i.e., you, the vendor) to configure authorization rules for your application.
The most common authorization implementation at the University is Attribute-Based Access Control (ABAC), which evaluates access dynamically from user attributes (supplemented with context attributes such as time of access) and outputs an allow/deny decision. We can work with your University contact to help them determine which attributes and which attribute values are best used as the basis for authorization rules, but you will need to educate your University contact (as well as our team) as to what authorization controls your application supports.
If your application does not support authorization controls, there may be some solutions available; however, authorization control in the IdP or OpenID Provider (OP) is limited. We also strongly recommend that you submit a Request for Enhancement (RFE) to your engineering team. You may want to include a link to the OWASP Authorization Cheat Sheet. This will be important because a lack of authorization controls is considered a significant security risk.[7]
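The following is an added example of the ABAC model described above as it would live inside the Service Provider, not code from the IAM Team or any University application. It evaluates a request against a small, constructed policy using user attributes from the assertion plus a context attribute (time of access), with deny overriding allow and a default of deny. The attribute names eduPersonPrincipalName and eduPersonAffiliation are eduPerson schema attributes; which attributes are actually released to a given SP is agreed with the IAM Team and is not assumed here. The "grade-entry" application, its actions, and the rules themselves are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Sequence, Tuple

# Attributes as the SP sees them after release: multi-valued values are tuples.
Attributes = Mapping[str, Tuple[str, ...]]


@dataclass(frozen=True)
class AccessRequest:
    attributes: Attributes   # user attributes from the assertion
    action: str              # what the user is trying to do in the application
    hour_utc: int            # context attribute: time of access (0-23)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                   # "allow" or "deny"
    applies: Callable[[AccessRequest], bool]      # predicate over the request


def has_value(req: AccessRequest, attr: str, value: str) -> bool:
    """True if the multi-valued attribute contains the given value."""
    return value in req.attributes.get(attr, ())


def scoped_to(req: AccessRequest, attr: str, scope: str) -> bool:
    """True only if attr is present and every value ends with '@scope'; an
    assertion carrying a principal from another domain does not pass."""
    values = req.attributes.get(attr, ())
    return bool(values) and all(v.lower().endswith("@" + scope) for v in values)


# Constructed policy for a hypothetical "grade-entry" application.
POLICY = (
    Rule("untrusted-scope", "deny",
         lambda r: not scoped_to(r, "eduPersonPrincipalName", "utexas.edu")),
    Rule("off-hours-writes", "deny",
         lambda r: r.action == "write" and not 6 <= r.hour_utc < 22),
    Rule("faculty-write", "allow",
         lambda r: r.action == "write"
         and has_value(r, "eduPersonAffiliation", "faculty")),
    Rule("member-read", "allow",
         lambda r: r.action == "read"
         and has_value(r, "eduPersonAffiliation", "member")),
)


def decide(policy: Sequence[Rule], req: AccessRequest):
    """Evaluate a request. Returns (decision, names of the rules that matched).
    Any matching deny rule wins; with no matching allow rule the result is deny."""
    matched = [rule for rule in policy if rule.applies(req)]
    names = [rule.name for rule in matched]
    if any(rule.effect == "deny" for rule in matched):
        return "deny", names
    if any(rule.effect == "allow" for rule in matched):
        return "allow", names
    return "deny", names   # default deny: nothing granted access


def attrs(eppn: str, *affiliations: str) -> Attributes:
    """Build a constructed attribute set for examples and tests."""
    return {"eduPersonPrincipalName": (eppn,),
            "eduPersonAffiliation": tuple(affiliations)}


if __name__ == "__main__":
    faculty = attrs("jdoe42@utexas.edu", "member", "faculty")
    print(decide(POLICY, AccessRequest(faculty, "write", 10)))
    student = attrs("sstud1@utexas.edu", "member", "student")
    print(decide(POLICY, AccessRequest(student, "write", 10)))
```

Returning the matched rule names alongside the decision gives you an audit trail to log with each access decision, which is what your University contact will ask for when a user is unexpectedly denied (or, worse, unexpectedly allowed).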
Identification
If needed or desired, the IAM Team provides the ability to integrate identity creation directly into your workflow. This involves our systems loading your XHTML 1.0 Transitional HTML template from a publicly-available URL you manage, injecting our content into a div in your template, and serving the synthesized page from our hosts.
Upon completion, users can be redirected to a URL of your choice with relevant information included as a URL parameter: either the UT EID which was created, or the error message if it was not.
Please let us know if this service, known as the UT EID Self-Help Tool Custom UI, would benefit your engagement.
Affiliation Management
An affiliation is an attribute which reflects, at a high level, how an individual is related to the University. At any point in time, an individual may have no defined relationship, one defined relationship, or many defined relationships with the University. For example, an individual may be a current student, a future faculty member, a former employee, or all three.
In rare (but not unheard of) circumstances, you may be called upon to manage affiliations on behalf of your University customer. In that case, you’ll want to review our Vendors and Affiliations page for more information and background.
Advice for Vendors
Comply With Standards
We put a lot of effort into being standards-compliant. Hopefully, your application does, as well.
In particular, our authentication services use the Security Assertion Markup Language (SAML) v2.0 standard which became an OASIS Standard in March 2005 and OpenID Connect 1.0 whose standard was published in February 2014.
Don’t Assume Immutability
The University has no truly immutable identifiers. Students, faculty, and staff are allowed to change their email address at will. The UT EID is significantly more stable than the email address, but there are still scenarios where the EID will need to change. In some circumstances, administrative errors will result in an individual having two (or more) EID records assigned to them in which case the records will be merged with one UT EID “surviving” and the other UT EID being deactivated.
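As an added example (not code from the IAM Team or the vendor guide), here is one way an SP can store local accounts so that neither of the two events described above, an EID change or a merge of duplicate records, orphans data or leaves a dangling identifier. Accounts are keyed by a local surrogate id that the IdP never sees; the EID is a mutable lookup key on top of it. After a merge, the deactivated EID stops resolving entirely rather than aliasing to the survivor, so a later reuse of that EID cannot land on someone else's account. The class, its method names, and the sample EIDs are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class Account:
    account_id: int               # local surrogate key: never changes, never sent to the IdP
    eid: str                      # current UT EID, case-folded; may change
    roles: Set[str] = field(default_factory=set)
    active: bool = True


class AccountStore:
    """Local accounts keyed by surrogate id, with the EID as a mutable lookup key."""

    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._by_eid: Dict[str, int] = {}
        self._next_id = 1

    def provision(self, eid: str, roles: Iterable[str] = ()) -> Account:
        """Create a local account for an EID seen for the first time."""
        eid = eid.lower()                       # EIDs are case-insensitive
        if eid in self._by_eid:
            raise ValueError(f"{eid} is already linked to account {self._by_eid[eid]}")
        acct = Account(self._next_id, eid, set(roles))
        self._accounts[acct.account_id] = acct
        self._by_eid[eid] = acct.account_id
        self._next_id += 1
        return acct

    def lookup(self, eid: str) -> Optional[Account]:
        """Resolve the EID presented at login to a local account, if any."""
        account_id = self._by_eid.get(eid.lower())
        return self._accounts.get(account_id) if account_id is not None else None

    def rename_eid(self, old: str, new: str) -> Account:
        """EID change: rebind the same account to the new EID. Everything keyed
        by account_id (roles, records, audit history) is untouched."""
        old, new = old.lower(), new.lower()
        if new in self._by_eid:
            raise ValueError(f"{new} is already linked to another account")
        acct = self._accounts[self._by_eid.pop(old)]
        acct.eid = new
        self._by_eid[new] = acct.account_id
        return acct

    def merge_eids(self, surviving: str, deactivated: str) -> Account:
        """Duplicate-record merge: fold the deactivated EID's account into the
        survivor's. Roles are unioned, which can over-grant, so the result should
        be reviewed; the deactivated EID no longer resolves to any account."""
        keep, drop = self.lookup(surviving), self.lookup(deactivated)
        if keep is None or drop is None or keep is drop:
            raise ValueError("merge requires two distinct, known EIDs")
        keep.roles |= drop.roles
        drop.active = False
        del self._by_eid[deactivated.lower()]
        return keep


if __name__ == "__main__":
    store = AccountStore()                       # constructed sample data
    store.provision("JDoe42", ["grader"])
    store.rename_eid("jdoe42", "jdoe")
    store.provision("jdoe2", ["viewer"])
    print(store.merge_eids("jdoe", "jdoe2"))
```

The same separation applies to anything you persist about a user: store the surrogate id, not the EID or email address, on records that must survive an identifier change.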
Don’t Make Unsolicited Offers
The IAM Team does not accept unsolicited offers for any product or service. For more information, please contact the University’s Purchasing Office.
Meet Requirements
- In accordance with Texas Government Code § 2054.0593, cloud computing services must comply with Texas Risk and Authorization Management Program (TX-RAMP) requirements. External vendors are strongly encouraged to become TX-RAMP certified.
- Vendors are subject to UT-IRUSP Standard 22: Vendor and Third-Party Controls and Compliance.
- Student data is subject to the Family Educational Rights and Privacy Act of 1974 (FERPA), a federal law which pertains to the release of and access to educational records.
- Health data is subject to The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- Research data may be subject to The International Traffic in Arms Regulations (ITAR).
Reference Our Documentation
We have a lot of documentation available to assist you with a mutually-beneficial engagement with your customer and with our team.
In particular, like any (quasi-)governmental institution, we throw around a lot of terminology and acronyms. Bookmark this page, our Concepts page, and/or our Terminology page if you need a reference.
Work with your University Contacts
While the IAM Team assists with the technical implementation of IAM at the University, in most cases the IAM Team is not your customer. The IAM Team’s perspective is that of centralized IT support for the entire University, which does not include expertise in the business rules or processes surrounding the need you are trying to meet as a vendor.
Be sure to involve your University customer early and often in your discussions with the IAM Team, as they will bear the ultimate responsibility for any necessary maintenance and upkeep.
Footnotes
1. https://reports.utexas.edu/
2. https://hr.utexas.edu/current/trends-staff-data
3. Eve, Martin Paul. “We Are Terrible at Online Identity Management (Or: Using Emails as an Identifier Was a Bad Move).” Martin Paul Eve, 26 July 2023, eve.gd/2023/07/26/we-are-terrible-at-online-identity-management-or-using-emails-as-an-identifier-was-a-bad-move/. Accessed 9 Oct. 2024.
4. NetworkRADIUS. “Email Addresses Are Primary User Identifiers?” NetworkRADIUS, 21 July 2023, www.networkradius.com/articles/2023/07/21/email-addresses.html. Accessed 9 Oct. 2024.
5. Tietz-Sokolsaya, Nicole. “Email Addresses Are Not Primary User Identities | Nicole@Web.” Technically a Blog, 29 May 2023, ntietz.com/blog/email-address-not-identifier/. Accessed 9 Oct. 2024.
6. Wu, Albert. “Why Is Email Address Not an Appropriate User Identifier?” InCommon Federation Library, InCommon, 9 Feb. 2021, spaces.at.internet2.edu/display/federation/why-is-email-not-an-appropriate-user-identifier. Accessed 9 Oct. 2024.
7. Per the OWASP Authorization Cheat Sheet, “Flaws related to authorization logic are a notable concern for web apps. Broken Access Control was ranked as the most concerning web security vulnerability in OWASP’s 2021 Top 10 and asserted to have a “High” likelihood of exploit by MITRE’s CWE program. Furthermore, according to Veracode’s State of Software Vol. 10, Access Control was among the more common of OWASP’s Top 10 risks to be involved in exploits and security incidents despite being among the least prevalent of those examined.”