Vendor Guide to IAM at UT

Overview of UT Austin

The University of Texas at Austin (UT Austin) is a large, complex institution with approximately 53k students, 4k faculty, and 15k staff [1][2]. CSUs are largely decentralized and independent. Centralized IT services are available through Enterprise Technology, but many CSUs have their own budgets and will make their own spending decisions.

As an external vendor, this means that you may interact with many different specialized teams at the University. Among those is the University’s IAM Team, sometimes anachronistically referred to as the “EID Team.” The IAM Team is part of Enterprise Technology, the central IT organization.

Think of the IAM Team as an implementation partner.

On Nomenclature

Since we’re the experts on identity here, it falls upon us to advise you to take care to refer to our University as “The University of Texas at Austin,” “UT Austin,” or “UT.”

It is considered a faux pas to refer to us as any of the following: “The University of Texas,” “UTA,” “U of T,” or “TU.” You may not get called out for using these terms, but you will be demonstrating a lack of knowledge, understanding, or caring about your customer. “UTA,” in particular, refers to The University of Texas at Arlington.


Identity at The University

The IAM Team is responsible for several technical areas including identity management, authentication, and directory services. If you are not familiar with IAM concepts, please review our Concepts page.

The primary public records identifier at the University is the UT EID. The UT EID is used across campus to link administrative records to individuals, as well as for web-based SSO.

Identity Management

The IAM Team manages identities using a combination of custom, purpose-built systems and third-party vendor software. The identity management layer of services receives data from various authoritative Systems of Record (SORs) and coalesces the data into coherent identity records.

For example, a student employee will have very different sets of data between the student registrar and human resources, but the IAM Team compiles it all into a single record for a single individual.

Directory Services

The University has several centralized directory services including Austin Active Directory (Austin AD) and the uTexas Enterprise Directory (TED), an LDAPv3-based directory service. The IAM Team is responsible for maintaining the identity data in these directory services, ensuring that it is up-to-date and accurate. The IAM Team also administers TED (but not Austin AD).

Authentication Services

The IAM Team also manages the IdP for authentication services using Enterprise Authentication, an implementation of the Shibboleth IdP which supports SAML and OIDC. In this way, the IAM Team handles the complexities of authentication and identity data and your system never needs to handle a password, greatly reducing everyone’s risk.


Technical Information

Authentication

If your application or service will make use of Single Sign-On (SSO) with UT Austin’s primary identifier, the UT EID, it will need to meet our Vendor Requirements.

Additionally, the metadata for your SAML Service Provider (SP) will need to meet the Metadata Requirements.

Finally, the configuration information you’ll need can be found on our Authentication Integration Technical Details page.

In review:

  • Vendor Requirements
  • Metadata Requirements
  • Authentication Integration Technical Details

Identifiers

UT EIDs are between 2 and 8 characters and may contain letters, numbers, and the following special characters: underscore (_), period (.), and hyphen (-). They can be represented by the PCRE regular expression /[\w.-]{2,8}/ and are case-insensitive.

Person EIDs (that is, UT EIDs which represent a person) will always begin with an alphabetic character. They can be represented by the PCRE regular expression /[A-Za-z][\w.-]{1,7}/.

The UT EID can be presented in several different formats:

| Name | Format |
|---|---|
| UT EID | <eid> |
| eduPersonPrincipalName (ePPN) | <eid>@utexas.edu |
| Institutional Identifier (IID) | <eid>@eid.utexas.edu |
| sAMAccountName | <eid> |

The Institutional Identifier (IID) is designed for use with cloud-based services whose usernames are email addresses. When used as an email address, the IID will forward to the user’s email address on record. Of note, we align with the segment of the industry which maintains that the email address is not an appropriate user identifier [3][4][5][6].
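The identifier rules and formats above can be enforced on the vendor side as follows. This is an added example, not code from UT Austin: the function names and the choice of lowercase as the canonical stored form are assumptions, and the patterns are applied anchored and ASCII-only so that a longer or non-ASCII string containing a valid-looking substring is rejected.

```python
import re

# The two patterns given on this page, compiled ASCII-only. re.ASCII keeps \w
# to [A-Za-z0-9_]; without it Python's \w also matches non-ASCII letters.
# fullmatch() anchors both ends, so a valid substring inside junk is rejected.
EID_RE = re.compile(r"[\w.-]{2,8}", re.ASCII)
PERSON_EID_RE = re.compile(r"[A-Za-z][\w.-]{1,7}", re.ASCII)

# Scope (domain part) -> format name, taken from the table on this page.
SCOPED_FORMATS = {"utexas.edu": "ePPN", "eid.utexas.edu": "IID"}


def parse_identifier(value):
    """Return (canonical_eid, format_name, is_person) or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("identifier must be a string")
    local, sep, domain = value.partition("@")
    if sep:
        fmt = SCOPED_FORMATS.get(domain.lower())
        if fmt is None:
            raise ValueError("unexpected scope: %r" % domain)
    else:
        fmt = "bare"  # UT EID and sAMAccountName share the same string form
    if not EID_RE.fullmatch(local):
        raise ValueError("not a valid UT EID: %r" % local)
    # EIDs are case-insensitive; lowercase is the canonical form assumed here.
    eid = local.lower()
    return eid, fmt, bool(PERSON_EID_RE.fullmatch(local))


def same_eid(a, b):
    """True when two presented identifiers carry the same UT EID."""
    return parse_identifier(a)[0] == parse_identifier(b)[0]
```

Comparing identifiers only through `same_eid` avoids treating `AbC123` and `abc123@eid.utexas.edu` as two different users.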

Authorization

Importantly, while we provide many services, it is the role of the SP or RP (i.e., you, the vendor) to configure authorization rules for your application.

The most-common authorization implementation at the University is ABAC. We can work with your University contact to help them determine which attributes and which attribute values are best used as the basis for authorization rules, but you will need to educate your University contact (as well as our team) as to what authorization controls your application supports.

If your application does not support authorization controls, there may be some solutions available; however, authorization control in the IdP or OP is limited. We also strongly recommend that you submit a Request for Enhancement (RFE) to your engineering team. You may want to include a link to the OWASP Authorization Cheat Sheet. This will be important because a lack of authorization controls is considered a significant security risk [7].

Identification

If needed or desired, the IAM Team provides the ability to integrate identity creation directly into your workflow. This involves our systems loading your XHTML 1.0 Transitional HTML template from a publicly-available URL you manage, injecting our content into a div in your template, and serving the synthesized page from our hosts.

Upon completion, users can be redirected to a URL of your choice with relevant information included as a URL parameter: either the UT EID which was created, or the error message if it was not.

Please let us know if this service, known as the UT EID Self-Help Tool Custom UI, would benefit your engagement.

Affiliation Management

An affiliation is an attribute which reflects, at a high level, how an individual is related to the University. At any point in time, an individual may have no defined relationship, one defined relationship, or many defined relationships with the University. For example, an individual may be a current student, a future faculty member, a former employee, or all three.

In rare (but not unheard of) circumstances, you may be called upon to manage affiliations on behalf of your University customer. In that case, you’ll want to review our Vendors and Affiliations page for more information and background.


Advice for Vendors

Comply With Standards

We put a lot of effort into being standards-compliant. Hopefully, your application does, as well.

In particular, our authentication services use the Security Assertion Markup Language (SAML) v2.0 standard, which became an OASIS Standard in March 2005, and OpenID Connect 1.0, whose standard was published in February 2014.

Don’t Assume Immutability

The University has no truly immutable identifiers. Students, faculty, and staff are allowed to change their email address at will. The UT EID is significantly more stable than the email address, but there are still scenarios where the EID will need to change. In some circumstances, administrative errors will result in an individual having two (or more) EID records assigned to them, in which case the records will be merged, with one UT EID “surviving” and the other UT EID being deactivated.
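One way a vendor application can tolerate the EID changes and merges described above is to key accounts on an internal identifier and treat the UT EID and email as attributes. This is an added example, not UT Austin's code: the `AccountStore` class and its methods are hypothetical, and how a vendor learns of a rename or merge is not described on this page.

```python
import uuid


class AccountStore:
    """Accounts keyed by an internal ID; the UT EID and email are attributes."""

    def __init__(self):
        self.accounts = {}  # internal_id -> {"eid", "email", "records"}
        self.by_eid = {}    # current EID (lowercase) -> internal_id

    def provision(self, eid, email):
        eid = eid.lower()
        if eid in self.by_eid:
            raise ValueError("EID already provisioned")
        internal_id = uuid.uuid4().hex
        self.accounts[internal_id] = {"eid": eid, "email": email, "records": []}
        self.by_eid[eid] = internal_id
        return internal_id

    def lookup(self, eid):
        """Resolve the EID asserted at login to an internal ID, or None."""
        return self.by_eid.get(eid.lower())

    def rename_eid(self, old_eid, new_eid):
        old_eid, new_eid = old_eid.lower(), new_eid.lower()
        if new_eid in self.by_eid:
            raise ValueError("new EID already has an account; use merge()")
        internal_id = self.by_eid.pop(old_eid)  # old EID stops resolving
        self.accounts[internal_id]["eid"] = new_eid
        self.by_eid[new_eid] = internal_id

    def merge(self, surviving_eid, deactivated_eid):
        """Fold the deactivated EID's account into the surviving EID's account."""
        surviving_eid, deactivated_eid = surviving_eid.lower(), deactivated_eid.lower()
        if surviving_eid == deactivated_eid:
            raise ValueError("cannot merge an EID into itself")
        if deactivated_eid not in self.by_eid:
            return self.by_eid.get(surviving_eid)  # nothing local to merge
        if surviving_eid not in self.by_eid:
            # Only the deactivated EID was known here: re-point its account.
            self.rename_eid(deactivated_eid, surviving_eid)
            return self.by_eid[surviving_eid]
        keep = self.by_eid[surviving_eid]
        drop = self.by_eid.pop(deactivated_eid)
        self.accounts[keep]["records"] += self.accounts.pop(drop)["records"]
        return keep
```

Because nothing outside `by_eid` references the EID, a rename or merge touches one index entry and the user's records stay attached to the same internal account.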

Don’t Make Unsolicited Offers

The IAM Team does not accept unsolicited offers for any product or service. For more information, please contact the University’s Purchasing Office.

Meet Requirements

  • In accordance with Texas Government Code § 2054.0593, cloud computing services must comply with Texas Risk and Authorization Management Program (TX-RAMP) requirements. External vendors are strongly encouraged to become TX-RAMP certified.
  • Vendors are subject to UT-IRUSP Standard 22: Vendor and Third-Party Controls and Compliance.
  • Student data is subject to the Family Educational Rights and Privacy Act of 1974 (FERPA).
  • Health data is subject to The Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Research data may be subject to The International Traffic in Arms Regulations (ITAR).

Reference Our Documentation

We have a lot of documentation available to assist you with a mutually-beneficial engagement with your customer and with our team.

In particular, as at any (quasi-)governmental institution, a lot of terminology and acronyms get thrown around. Bookmark this page, our Concepts page, and/or our Terminology page if you need a reference.

Work with your University Contacts

While the IAM Team assists with the technical implementation of IAM at the University, in most cases the IAM Team is not your customer. The IAM Team’s perspective is that of centralized IT support for the entire University, which does not include expertise in the business rules or processes surrounding the need you are trying to meet as a vendor.

Be sure to involve your University customer early and often in your discussions with the IAM Team, as they will bear the ultimate responsibility for any necessary maintenance and upkeep.


Footnotes

  1. https://reports.utexas.edu/
  2. https://hr.utexas.edu/current/trends-staff-data
  3. Eve, Martin Paul. “We Are Terrible at Online Identity Management (Or: Using Emails as an Identifier Was a Bad Move).” Martin Paul Eve, 26 July 2023, eve.gd/2023/07/26/we-are-terrible-at-online-identity-management-or-using-emails-as-an-identifier-was-a-bad-move/. Accessed 9 Oct. 2024.
  4. NetworkRADIUS. “Email Addresses Are Primary User Identifiers?” NetworkRADIUS, 21 July 2023, www.networkradius.com/articles/2023/07/21/email-addresses.html. Accessed 9 Oct. 2024.
  5. Tietz-Sokolskaya, Nicole. “Email Addresses Are Not Primary User Identities | Nicole@Web.” Technically a Blog, 29 May 2023, ntietz.com/blog/email-address-not-identifier/. Accessed 9 Oct. 2024.
  6. Wu, Albert. “Why Is Email Address Not an Appropriate User Identifier?” InCommon Federation Library, InCommon, 9 Feb. 2021, spaces.at.internet2.edu/display/federation/why-is-email-not-an-appropriate-user-identifier. Accessed 9 Oct. 2024.
  7. Per the OWASP Authorization Cheat Sheet, “Flaws related to authorization logic are a notable concern for web apps. Broken Access Control was ranked as the most concerning web security vulnerability in OWASP’s 2021 Top 10 and asserted to have a “High” likelihood of exploit by MITRE’s CWE program. Furthermore, according to Veracode’s State of Software Vol. 10, Access Control was among the more common of OWASP’s Top 10 risks to be involved in exploits and security incidents despite being among the least prevalent of those examined.”

© The University of Texas at Austin 2025