Authorization Services
The NetID platform provides several paths to enable authorization for a service or application.
Pathways
When developing or acquiring a new application, consider who your user population is. Some applications may need all students to be able to log in; others may need to restrict access to only faculty or staff in a particular department.
Bilateral Supported Pattern
For bilateral federation with NetID, we support integration with Texas A&M's Microsoft Entra ID tenant. Many enterprise services already do this (for example, Google Workspace, Canvas, and LinkedIn Learning).
Entra provides both RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) models that you can take advantage of. In general, the use case for each is as follows:
- OIDC integrations use predefined roles with RBAC.
- SAML integrations use user attributes to control access with ABAC.
Multilateral Supported Pattern
For multilateral federation with multiple universities or agency partners, Identity Security has partnered with Cirrus Identity to offer their "Proxy" service to campus.
This service allows applications and services to integrate with a single identity provider (the "proxy") via the SAML protocol. We have integrated many of the Texas A&M System members with this proxy. It offers a standardized set of attributes that can be passed to an application or service, making it easy to identify which users are coming from a particular member.
Cirrus only provides authentication. Authorization will need to be implemented within your connected service using an internal RBAC/ABAC model. Please reach out to identity@tamu.edu to request an integration with the Cirrus Identity platform.
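The sketch below is an added example, not code from NetID or Cirrus Identity, of a deny-by-default authorization check a connected service could run after the proxy has authenticated a user. It assumes the assertion carries the eduPerson attribute `eduPersonScopedAffiliation`; the member scopes, role names and policy are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    role: str                # internal application role granted on a match
    scopes: frozenset        # member scopes (home institutions) the rule accepts
    affiliations: frozenset  # affiliations the rule accepts

# Constructed policy: scopes and role names are hypothetical placeholders.
POLICY = (
    Rule("editor", frozenset({"member-a.example"}),
         frozenset({"faculty", "staff"})),
    Rule("viewer", frozenset({"member-a.example", "member-b.example"}),
         frozenset({"faculty", "staff", "student"})),
)

def scoped_affiliations(attrs):
    """Parse multi-valued 'affiliation@scope' values into (affiliation, scope) pairs.

    Malformed values are dropped rather than guessed at.
    """
    pairs = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.strip().lower().partition("@")
        if sep and affiliation and scope and "@" not in scope:
            pairs.add((affiliation, scope))
    return pairs

def authorize(attrs, policy=POLICY):
    """Return the roles granted to an authenticated user.

    An empty set means authenticated but not authorized. Affiliation and
    scope are matched as a pair, so 'faculty' at one member combined with
    'student' at another never satisfies a faculty rule for the second.
    """
    pairs = scoped_affiliations(attrs)
    return {
        rule.role
        for rule in policy
        for affiliation, scope in pairs
        if scope in rule.scopes and affiliation in rule.affiliations
    }

if __name__ == "__main__":
    # Constructed attribute set, as it might look after SAML assertion parsing.
    sample = {"eduPersonScopedAffiliation":
              ["student@member-a.example", "faculty@other.example"]}
    print(sorted(authorize(sample)))
```

Run the check only on attributes taken from an assertion whose signature and issuer have already been validated by your SAML library.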