Concepts & Definitions
When considering the development or acquisition of a new software product, it’s important to understand some core identity management concepts to help ensure that the selected product will integrate well with the university identity environment.
Concepts
The following are the core concepts most applicable to anyone looking to integrate with the NetID platform.
Authentication vs. Authorization
- Authentication – Authentication determines whether the user is who they claim to be.
- Authorization – Authorization determines whether a user is allowed to access a specific resource or take a specific action.
Accounts, Identifiers, and Identities
- Account – An account is the representation of a user within a particular system.
- Identifier – An identifier is how a user is labeled. In a system that uses NetID single sign-on, the user account will usually be accessed using the NetID as an identifier.
- Identity – An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).
Provisioning & Deprovisioning
- Provisioning – The process by which user accounts are created when they are needed.
- Deprovisioning – The process by which accounts are deleted, archived, or made inactive when they are no longer needed.
Definitions
- UIN – Unique numerical identifier for all university affiliations.
- NetID – The official username.
- eduPersonPrincipalName (ePPN) – Part of the eduPerson schema.
- Security Assertion Markup Language (SAML) v2.0 – An XML-based open standard for exchanging authentication and authorization information between identity providers and service providers.
- Identity Provider (IdP) – A party that offers user authentication as a service. In this context, the Identity Security team will provide the IdP for you to integrate with.
- Service Provider (SP) – The server/system which hosts the resource. In this context, you (or your vendor) are configuring the SP that provides a service to your customers. Your SP will integrate with our IdP.
- Attribute – Anything that the Identity Provider (IdP) knows about the end user that may be helpful to the Service Provider (SP).
- Metadata – In this context, a document which describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, instructions which tell the IdP and the SP how to communicate with each other.
Other Considerations
There are other broader considerations that should be discussed prior to integration; having an idea of how to address these ahead of time can often save you from technical debt.
How Will Users Authenticate?
You will need to start by knowing which authentication solutions are supported by your vendor/developer (e.g. SAML, OAuth, OIDC, etc.).
If NetID-based authentication is not possible or not appropriate, you will need to consider how user accounts will be provisioned and managed over time, how they will be associated with the identity responsible for the actions taken with the account, and how authentication to the accounts will be managed.
How Are Accounts Conceptualized In Your Application?
Recall that there is a difference between an account, an identifier, and an identity. In short: User accounts are like keys, and the identity is the key ring which unifies them.
As an example, if you are running a UNIX service you may not be able to use NetID as the username due to namespace collisions. If you have multiple UNIX services, how would you link the accounts belonging to the same person across these different services? How would those user accounts then be linked back to an identity?
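As an added example (not code from the original page or the NetID platform), the following Python pulls attributes from a constructed SAML assertion and links the authenticated user to per-service UNIX accounts by UIN rather than by username, so a NetID that collides in one service's namespace still resolves to the same identity. The ePPN attribute name is the standard eduPerson OID; the UIN and NetID attribute names and the local account table are assumed placeholders.

```python
import xml.etree.ElementTree as ET

# XML namespace used by SAML 2.0 assertions
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names used here. The ePPN OID is the standard eduPerson one;
# the UIN and NetID names are constructed placeholders for this example.
ATTR_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
ATTR_UIN = "urn:example:attribute:uin"           # placeholder
ATTR_NETID = "urn:example:attribute:netid"       # placeholder

# Constructed sample assertion. A real assertion is signed by the IdP and
# its signature is verified before any attribute is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:attribute:uin">
      <saml:AttributeValue>123456789</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:attribute:netid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

# Constructed local account table: each service has its own username
# namespace, and every account is linked back to one identity by UIN.
LOCAL_ACCOUNTS = {
    "shell-host": {"jdoe2": "123456789"},   # NetID "jdoe" was already taken here
    "git-server": {"jdoe": "123456789"},
}

def link_accounts(attrs):
    """Resolve the authenticated identity (by UIN) to its account in each service."""
    uin_values = attrs.get(ATTR_UIN, [])
    if len(uin_values) != 1:
        raise ValueError("assertion must carry exactly one UIN to link accounts")
    uin = uin_values[0]
    linked = {service: user for service, accounts in LOCAL_ACCOUNTS.items()
              for user, owner in accounts.items() if owner == uin}
    return uin, linked
```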
While an account is most frequently understood as referencing a person, non-person entities may have need for an account. For example, the NetID system supports service accounts that represent applications. You may need to consider if non-person accounts are appropriate for your application and, if so, how your application will handle these accounts (e.g. who has the right to make a request on behalf of a non-person account?).