Identity Concepts

When considering the development or acquisition of a new software product, it’s important to understand some core identity management concepts to help ensure that the selected product will integrate well with the university identity environment.

Basic Terminology

Identifiers

  • UIN – Unique numerical identifier for all university affiliations. Format: XXX00XXXX
  • NetID – The official username. Format: 2–20 characters, alphanumeric plus hyphen (-) and period (.)
  • eduPersonPrincipalName (ePPN) – Part of the eduPerson schema. Format: <NetID>@tamu.edu

Technologies

  • Security Assertion Markup Language (SAML) v2.0 – An XML-based open standard for exchanging authentication and authorization information between identity providers and service providers.

Components

  • Identity Provider (IdP) – A party that offers user authentication as a service. In this context, the Identity Security team will provide the IdP for you to integrate with.
  • Service Provider (SP) – The server/system which hosts the resource. In this context, you (or your vendor) are configuring the SP that provides a service to your customers. Your SP will integrate with our IdP.

Other Terms

  • Attribute – Anything that the Identity Provider (IdP) knows about the end user that may be helpful to the Service Provider (SP).
  • Metadata – In this context, a document which describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, instructions which tell the IdP and the SP how to communicate with each other.

Identity Management Concepts

Authentication vs. Authorization

  • Authentication – Authentication determines whether the user is who they claim to be.
  • Authorization – Authorization determines whether an authenticated user is allowed to access a specific resource or take a specific action.

Accounts, Identifiers, and Identities

  • Account – An account is the representation of a user within a particular system.
  • Identifier – An identifier is how a user is labeled. In a system that uses NetID single sign-on, the user account will usually be accessed using the NetID as an identifier.
  • Identity – An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).

Provisioning and De-provisioning

The process by which user accounts are created when they are needed and deleted, archived, or made inactive when they are no longer needed.

Identity Life Cycle

Like the real-world entities they represent, identities have a life cycle. Their connection to the University will change over time and the accounts and authorizations they have will also change accordingly. The identity itself does not go away.

Systems must take into account the current status of a user in their authorization schemes and change account authorizations when that status changes. For example, if a student or employee leaves the university, the wireless network will note the change in affiliation and remove authorization for wireless access.
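As an added illustration (not code from this page or from the university's IdP), the following Python shows the SP-side checks the sections above describe: accepting an ePPN only when it is a well-formed NetID scoped to tamu.edu, and then making the authorization decision from the affiliation the IdP asserts, so that a change in status removes access. The attribute names eduPersonPrincipalName and eduPersonAffiliation come from the eduPerson schema; the wireless policy and sample attribute values are assumptions chosen for the example.

```python
import re
from typing import Optional, Tuple

# Values taken from the page: ePPN scope and NetID format (2-20 chars,
# alphanumeric plus hyphen and period).
IDP_SCOPE = "tamu.edu"
NETID_RE = re.compile(r"[A-Za-z0-9.-]{2,20}")

# Assumed policy for this example: only these affiliations keep wireless access.
WIRELESS_AFFILIATIONS = {"student", "employee"}


def is_valid_netid(netid: str) -> bool:
    """True if the string matches the NetID format from the page."""
    return NETID_RE.fullmatch(netid) is not None


def netid_from_eppn(eppn: str) -> Optional[str]:
    """Return the NetID from <NetID>@tamu.edu, or None if the ePPN is
    malformed or scoped to a different IdP (rpartition guards against a
    value like 'a@tamu.edu@other' being read as in-scope)."""
    netid, sep, scope = eppn.rpartition("@")
    if not sep or scope.lower() != IDP_SCOPE or not is_valid_netid(netid):
        return None
    return netid


def authorize_wireless(attributes: dict) -> Tuple[bool, str]:
    """Authorization step (authentication already done by the IdP):
    decide from the asserted affiliation whether wireless access is granted."""
    netid = netid_from_eppn(attributes.get("eduPersonPrincipalName", ""))
    if netid is None:
        return False, "rejected: unrecognised or out-of-scope principal"
    affiliations = set(attributes.get("eduPersonAffiliation", []))
    active = affiliations & WIRELESS_AFFILIATIONS
    if active:
        return True, f"{netid}: granted via {sorted(active)}"
    # Same identity, but its affiliation changed: authorization is removed
    # while the identity itself persists.
    return False, f"{netid}: no qualifying affiliation, access revoked"


if __name__ == "__main__":
    # Constructed sample assertions, before and after a status change.
    current = {"eduPersonPrincipalName": "jdoe.2@tamu.edu",
               "eduPersonAffiliation": ["member", "student"]}
    former = {"eduPersonPrincipalName": "jdoe.2@tamu.edu",
              "eduPersonAffiliation": ["alum"]}
    for attrs in (current, former):
        print(authorize_wireless(attrs))
```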