The University of Texas at Austin

UTLogin

Steps for Transition to UTLogin

UTLogin is a new centralized authentication service which supports web-based and stand-alone applications through standard authentication protocols. It is replacing the Central Web Authentication and Fat Cookie (CWA/FC) System currently in use by many university web applications. The CWA/FC System, including mod_auth_eid and php_decode, will be retired in the summer of 2014. Affected customers have been informed of their assigned groups in the Transition Schedule. These customers must take the following steps:

  1. Determine which of their servers and applications need to transition. A diagram is available at the bottom of this page.

    The following type of application does need to be modified to transition to UTLogin:

    • Applications using the Fat Cookie, including mod_auth_eid or php_decode. Applications hosted on Web Central will be scheduled to transition to UTLogin as part of the Web Infrastructure Refresh project.

    The following types of applications do not need to be modified to transition to UTLogin:

    • UT Direct applications do not need to be modified to use UTLogin. Instead, the UT Direct environment infrastructure will be transitioned from CWA to UTLogin by ITS in Transition Group 4. *USER-NAME will continue to be populated, and the transition is expected to be seamless for UT Direct developers and users.
    • Applications using the uTexas Enterprise Directory (TED) for authentication do not need to be modified to use UTLogin. However, if they are hosted on a UTLogin-protected server, the server administrator will need to configure the application URLs to be exempt from UTLogin protection.
    • Applications using the Austin Active Directory (AAD) for authentication do not need to be modified to use UTLogin. However, if they are hosted on a UTLogin-protected server, the server administrator will need to configure the application URLs to be exempt from UTLogin protection.
    • Applications using Shibboleth for authentication do not need to be modified to use UTLogin. UT EID authentication for Shibboleth will remain basically unchanged.
    • Mainframe applications accessed through a 3270 terminal. UT EID authentication to 3270 will remain unchanged.
  2. Identify applications on transitioning servers that do not need to and will not be transitioning to UTLogin.

    • Applications using TED or AAD for authentication do not need to be modified to use UTLogin. However, if they are hosted on a UTLogin-protected server, the server administrator will need to configure the application URLs to be exempt from UTLogin protection. Otherwise, users may be required to log in twice, once by UTLogin and once by the application. Alternatively, TED- or AAD-authenticated applications can be modified to use attributes from the UTLogin headers.
  3. Although registering the site in the Application Registry is not required for UTLogin access at this time, customers are encouraged to comply with the ISO’s requirements.

  4. Perform credentialed network vulnerability scans of servers to be UTLogin protected. To request a credentialed network vulnerability scan, please contact the Information Security Office (ISO).

  5. Request Web Policy Agents.

    • System administrators will need to submit Web Policy Agent request forms to the Identity and Access Management (IAM) Team. The IAM team will issue Web Policy Agents for university servers and provide installation instructions.
  6. Download the Web Policy Agents. System administrators will need to install Web Policy Agents on their servers. The IAM team will furnish them with a detailed Web Policy Agent installation guide and implementation-specific attributes.

  7. Modify existing applications and configure Web Policy Agents for continuity in their users’ experience.

    • Remove existing authentication infrastructure, such as .
    • Remediate usage of Fat Cookie attributes, such as roles and assurance levels, to use UTLogin header attributes, such as affiliations and entitlements.
    • Substitute .htaccess files functionality related to mod_auth_eid directives, currently used to limit resource access authorizations, with UTLogin authorization policies. Authorization policies can be configured in the UTLogin Realm Policy Manager.
    • Configure public URLs to be exempt from UTLogin protection or protected URLs to require UTLogin protection.
    • For applications that do their own authentication, configure their URLs to be exempt from UTLogin protection.
    • Change logout links to point to https://login.utexas.edu/login/UI/Logout. Optionally, a post-logout URL can be specified using the goto parameter. For example, a logout link of https://login.utexas.edu/login/UI/Logout?goto=http://www.utexas.edu/eid would log the user out of both UTLogin and Central Web Authentication sessions and redirect them to the UT EID Self-Service Tools.
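
One way an application can generate the logout link from the last bullet, shown as an added example that is not code from this page or from ITS. It percent-encodes the goto value so a destination with its own query string survives intact. As an assumption of this example, it only accepts post-logout destinations on utexas.edu hosts and otherwise falls back to a plain logout; the function names are hypothetical.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Logout endpoint and "goto" parameter as documented on this page.
LOGOUT_ENDPOINT = "https://login.utexas.edu/login/UI/Logout"

# Assumption of this example: destinations are limited to university hosts.
ALLOWED_DOMAIN = "utexas.edu"


def is_allowed_destination(url: str) -> bool:
    """True only for absolute http(s) URLs on utexas.edu or one of its subdomains."""
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and by URL libraries, so reject them before parsing.
    if any(ch == "\\" or ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Compare on a label boundary so "evilutexas.edu" does not match.
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def build_logout_url(goto: Optional[str] = None) -> str:
    """Return the UTLogin logout link, with an encoded goto when it is allowed."""
    if goto is None or not is_allowed_destination(goto):
        # Plain logout: the user is logged out but not redirected elsewhere.
        return LOGOUT_ENDPOINT
    return LOGOUT_ENDPOINT + "?" + urlencode({"goto": goto})


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (None,
                   "http://www.utexas.edu/eid",
                   "https://www.utexas.edu/eid?a=1&b=2",
                   "http://www.utexas.edu.example.org/"):
        print(repr(sample), "->", build_logout_url(sample))
```

Pass a fixed, application-defined destination to `build_logout_url` rather than a value taken from the request.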

Diagram to Determine Whether an Application Needs to Transition to UTLogin.

Last updated February 25, 2014 @ 2:14 pm
