UTLogin Best Practices
Criteria for UTLogin Access
For a system or application to be eligible for UTLogin access, the following criteria must be met:
- The system or application must be associated with an official University of Texas at Austin department.
- Technical contacts for the system or application must be UT Austin employees in non-student positions.
- The servers on which the system or application is hosted must be managed by UT Austin employees in non-student positions.
- The UTLogin Acceptable Use Policy must have been signed for the system or application within the last 12 months.
Web Policy Agent
For a system or application to be eligible for UTLogin Web Policy Agent protection, it must be hosted on one of the platforms supported by OpenAM. For a complete list, please see the Web Policy Agents listed on OpenAM’s nightly build page.
- UTLogin must be used in accordance with the UTLogin Acceptable Use Policy.
- UTLogin is the preferred authentication mechanism at the University of Texas at Austin. Other options include Austin Active Directory (AAD), Shibboleth, and the uTexas Enterprise Directory (TED).
- When using UTLogin, the Web Policy Agent (WPA) is the preferred authentication mechanism.
- All UTLogin-protected Web pages should include a logout link that points to https://login.utexas.edu/login/UI/Logout.
- All UTLogin-protected non-Web applications should include a logout option.
- Applications should be architected to efficiently use UTLogin resources.
- Allow UTLogin to manage authentication session caching.
- Load balanced systems should maintain session affinity.
- Departments should inform the UTLogin team at email@example.com when application contacts change.
- If systems store information derived from attributes returned by UTLogin, the preferred identifier for storage in departmental databases is the UIN, as long as the system meets university guidelines for storing Confidential data. Systems that cannot store Confidential data should store the EID instead.
- If attributes returned by UTLogin other than the UIN or EID are stored in departmental databases, a mechanism to keep those data synchronized with the uTexas Identity Manager (TIM) should be implemented.
Web Policy Agent
- Since UTLogin headers contain Confidential data, these data must be handled in accordance with the university’s Information Resources Use and Security Policy.
- When possible, Web resources that do not require EID authentication, such as image files, should be stored within a single directory on a server, or within children of a single directory.
- GETs and POSTs should be set to "allow" for all authorization policies. For most purposes, all other actions can be disabled.
- Authentication credentials and information identifying the user must be communicated using SSL or equivalent encryption technology.
- EID passwords must never be stored by UTLogin-protected systems, even in system logs.
- When retrieving user attributes, systems should set refresh = true so that the session's idle time is reset to 0.
- Systems should validate the authentication token whenever the user's identity must be verified in order to protect secure resources.
- Systems must validate the authentication token at least every 60 minutes.
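The two token-validation rules above (validate whenever identity matters, and never trust a cached result for more than 60 minutes) are easy to get wrong in a local session cache. The following is an added example, not code from UTLogin or OpenAM: a small cache that records when each token was last validated and forces a fresh validation once that age reaches 60 minutes, evicting tokens the identity provider no longer accepts. The `validate_token` callable is a stand-in for whatever validation call the integrating system actually makes; the page does not specify that interface, so the demo wires in a constructed fake. Note that the cache holds only the EID and a timestamp, never a password.

```python
"""Bounded-trust session cache for UTLogin tokens (illustrative example).

Policy being enforced: a cached validation result is trusted for at most
60 minutes; after that the token must be validated again before the
user's identity is relied upon.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_VALIDATION_AGE_SECONDS = 60 * 60  # "at least every 60 minutes"


@dataclass
class CachedSession:
    eid: str              # identity returned by the last successful validation
    last_validated: float  # epoch seconds of that validation


class SessionCache:
    """Maps token -> CachedSession, revalidating when the entry is stale."""

    def __init__(self, validate_token: Callable[[str], Optional[str]],
                 max_age: float = MAX_VALIDATION_AGE_SECONDS,
                 clock: Callable[[], float] = time.time):
        # validate_token(token) returns the EID for a live session, or None.
        # It is an assumed interface standing in for the real validation call.
        self._validate_token = validate_token
        self._max_age = max_age
        self._clock = clock
        self._sessions: Dict[str, CachedSession] = {}

    def lookup(self, token: str) -> Optional[str]:
        """Return the EID bound to `token`, or None if the session is not valid."""
        now = self._clock()
        entry = self._sessions.get(token)
        # Serve from cache only while the last validation is younger than max_age.
        if entry is not None and now - entry.last_validated < self._max_age:
            return entry.eid
        # Stale or unknown: ask the identity provider again.
        eid = self._validate_token(token)
        if eid is None:
            # Session ended or token invalid: drop any stale local copy.
            self._sessions.pop(token, None)
            return None
        self._sessions[token] = CachedSession(eid=eid, last_validated=now)
        return eid

    def size(self) -> int:
        return len(self._sessions)


def run_demo() -> dict:
    """Walk a token through the cache with a constructed fake validator and clock."""
    calls = []
    live_sessions = {"constructed-token-1": "jdoe"}  # constructed sample data

    def fake_validate(token: str) -> Optional[str]:
        calls.append(token)
        return live_sessions.get(token)

    now = [1_000_000.0]  # fake clock, advanced by hand below
    cache = SessionCache(fake_validate, clock=lambda: now[0])

    r1 = cache.lookup("constructed-token-1")   # miss: validates (1 call)
    r2 = cache.lookup("constructed-token-1")   # hit: no call
    now[0] += 59 * 60
    r3 = cache.lookup("constructed-token-1")   # 59 min old: still served from cache
    now[0] += 2 * 60
    r4 = cache.lookup("constructed-token-1")   # 61 min old: revalidated (2 calls)
    live_sessions.clear()                      # user logged out at the IdP
    now[0] += 60 * 60
    r5 = cache.lookup("constructed-token-1")   # exactly 60 min: revalidated, now None
    return {"results": [r1, r2, r3, r4, r5],
            "validator_calls": len(calls),
            "cached_entries": cache.size()}


if __name__ == "__main__":
    print(run_demo())
```

The deciding comparison is `now - last_validated < max_age`: an entry that is exactly 60 minutes old is already treated as stale, so the cache never serves a result older than the policy allows.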
Conditions for UTLogin Access Suspension
UTLogin access can be suspended for a client system or application under certain conditions.
- UTLogin access can be suspended if UTLogin is used for a purpose other than the one indicated in the access request.
- UTLogin access can be suspended if usage of UTLogin resources jeopardizes the service as a whole.
- UTLogin access can be suspended if the UTLogin Acceptable Use Policy has expired.
- UTLogin API access can be suspended if UTLogin sessions are cached for longer than 60 minutes.
- UTLogin API access can be suspended if EID passwords are stored.
Last updated December 10, 2015 @ 3:46 pm