UTLogin Acceptable Use Policy
Last Edited: March 30, 2015
See the change log for a list of significant changes made to this document.
UTLogin is the university’s centralized authentication service and is provided by Information Technology Services (ITS) for use by campus departments. It allows them to:
- Participate in single sign-on authentication based on the University of Texas Electronic Identity (UT EID).
- Authenticate UT EID holders when logging into departmental web-based and stand-alone applications.
- Control access to web-based and stand-alone resources.
System Use and Responsibilities
The sponsoring department agrees that information accessed through UTLogin will be used only to authenticate or control access to the applications on the server(s) indicated in the request for UTLogin. The sponsoring department agrees not to log or store UT EID password values and to follow best practices whenever feasible. When applicable, the sponsoring department is responsible for performing web policy agent upgrades to maintain a current and supported version of the agent.
The sponsoring department agrees to use this service in a manner consistent with this policy and with other university rules governing acceptable use of information technology, including Category I data. The sponsoring department also agrees to comply with all applicable state and federal laws. The Family Educational Rights and Privacy Act of 1974 (FERPA) restricts access to student records. These legal restrictions apply to all users of UTLogin.
The sponsoring department agrees to ensure that all Web Policy Agents (WPAs) have been upgraded to the latest supported version within 180 days of announcement of its release by the Identity and Access Management Team. The sponsoring department also agrees to upgrade all WPAs as soon as possible when a security advisory impacting UTLogin is announced, but no later than 60 days after such an announcement. The Information Security Office may determine that certain security vulnerabilities require a shorter upgrade window or quarantine to protect the university's information resources. Sponsoring departments must request a security exception (via the Security Exception Reporting Process) if running an unsupported WPA more than 180 days after a release announcement (or more than 60 days in the event of a security advisory) to avoid an interruption in UTLogin service for their protected services, which would make those services unavailable to customers.
Three interfaces are available for access to UTLogin: web policy agents, the Security Assertion Markup Language (SAML) interface, and the developer Application Programming Interface (API). This policy applies to all three types of interfaces.
A sponsoring department with UTLogin access must not provide that access to other applications or for purposes other than those included in the original request for access. The sponsoring department is responsible for ensuring that UTLogin administrators are informed of changes to system business contacts and technical contacts.
Hosts requiring a UTLogin interface (web policy agent, SAML, or API) must be registered in NetContacts within the Technical Support Contact (TSC) Tools. System servers must undergo an annual credentialed network vulnerability scan by the Information Security Office (ISO). For information on this scan or to request a scan, please email firstname.lastname@example.org. Applications must be registered in the ISO Application Registry.
All UTLogin activity is subject to logging and security monitoring.
Any attempt to circumvent UTLogin authentication and authorization mechanisms is strictly prohibited. Use of UTLogin must be responsible, efficient and non-disruptive. In the case of excessive consumption of UTLogin resources, UTLogin administrators will work with specified contacts to address the cause(s). However, if the cause(s) cannot be resolved, UTLogin administrators reserve the right to suspend access privileges.
Servers, applications and other resources with access to UTLogin must be protected from unauthorized physical and electronic access. The sponsoring department agrees that user passwords, service shared secrets, and other non-public information will be transmitted only via encryption technology. This includes communications between the departmental application and UTLogin servers, and also any communications involved in making use of the data retrieved from UTLogin. Departmental customizations to web policy agents are permitted only to implement changes to authorization policies.
The sponsoring department agrees to immediately report any breach of security to the Information Security Office at email@example.com.
The following persons can sign the AUP as sponsoring department representatives: a Department Head, Department IT Security Custodian, or Department IT Owner Contact.
Acknowledgement of this policy must be renewed on an annual basis. Sponsoring departments must renew their agreement with this policy to maintain access to UTLogin.
For more information about UTLogin, consult the UTLogin web site. For assistance with NetContacts, ISO AppReg, or server security scans please contact the ISO at firstname.lastname@example.org.
For more information about UT Austin's information technology policies, consult the Policies section of the Web site for the Chief Information Officer.