Solution summary

The University of Texas at Austin (UT Austin) joined the CSP as part of an identity and governance administration (IGA) modernization effort. For UT Austin, participation in the CSP was a goal in itself. A UT Austin IAM team member discovered the program while implementing a new Shibboleth service and re-architecture for UT’s single sign-on. It wasn’t, however, until several years later that the team lobbied for the budget and approval to join the CSP.

While UT Austin joined the CSP as part of an IGA modernization effort, the two weren’t intrinsically linked. Initially, UT Austin intended for the IGA modernization project and the CSP to be parallel paths. 

The information supplied by the CSP would feed the modernization effort. Since completion of the IGA modernization wasn’t realistic for the year-long CSP timeframe, the CSP was used as another resource for training, exploration, peer networking, and more.

Trusted Access Platform features supported

Grouper, midPoint, and Shibboleth

The project

By joining the CSP community, UT Austin was able to focus on IGA modernization, consolidate IAM solutions to reduce technical debt, improve IAM processes, and provide additional value to campus.

Big Picture Goals: UT Austin had some big picture goals when joining the CSP. Namely, the IAM team wanted collaborative help and training for IGA modernization. In addition, the team recognized the importance of community and its ability to provide best practices for authentication services. 

UT Austin chose the InCommon Trusted Access Platform because of the easy and modern container configuration/deployment. The InCommon platform also allowed for open-source and community-driven solutions to shared problems.

Detailed Goals: UT Austin’s goals fell into three categories: Community, training, and IGA modernization. Gathering experience and knowledge for modernization were key motivators for UT’s CSP participation and community involvement. IGA modernization was the main task. Community and training fed the modernization. Community questions around the adoption of the TAP versions of midPoint and Grouper, for example, were high priorities for UT’s IGA modernization and areas of collaboration and training. More specific goals included the following:

• UT Austin hoped to use the CSP to engage more closely with peer institutions on shared IAM challenges​.
• The team wanted to develop experience and knowledge around InCommon’s Trusted Access Platform components​.
• UT hoped to begin the adoption of TAP versions of midPoint and Grouper as part of its IGA modernization Program​.
• The team wanted to find peers with similar challenges and plans​, while learning from past experiences and implementing solutions according to best practices​.
• Leveraging CSP resources as the institution completed the first phase of IGA modernization​ was another goal.
• By continuing to align with best practices from the CSP community, UT Austin could push the modernization of alternate data stream offerings at UT.
• The creation of a roadmap for continued improvements to a Shibboleth-based authentication service (Enterprise Authentication)​ was a top priority.
• Coordinating with other CSP peers on how to implement TAP Shibboleth in a managed Kubernetes environment​ was also key during the CSP.

The problem

UT Austin needed to address complicated legacy services and technical debt, along with a 15-year-old custom Java application named TIM (uTexas Identity Manager). In addition, SailPoint IdentityIQ was over-configured and lost executive/campus support. Turnover and loss of institutional knowledge was also a concern.

The solution

The vision for the IGA modernization would include Grouper and midPoint as trusted access platforms, cloud-only implementation (AWS), and Kubernetes (EKS) for container orchestration. The build would remain as “cloud native” as possible.

Broken down, these solutions to UT Austin’s IAM problems were focused and clear:

• The team hoped to replace TIM with midPoint, which will handle identity management functions.
• Replacing SailPoint IdentityIQ with Grouper meant group management functions would be managed.
• By refactoring TIM as microservices, the mainframe and other legacy communications would be streamlined.

The result

UT Austin implemented Grouper and midPoint and neared production at the end of CSP. The IAM team also created a test environment as the institution moved towards live production. In addition, members of the UT IAM team are now frequent contributors at community events like  Internet2’s Technology Exchange and Community Exchange.

IGA modernization wasn’t the only goal for UT Austin. In addition, UT joined the CSP with the intention of introducing IAM team members to the IAM higher education community. The UT IAM team saw collaboration as critical to its success in the future. The following list shows the outcomes for this CSP goal.

• Clemson University is now a powerful ally to UT’s IAM team. The two teams collaborate and support each other regularly.
• The University of Michigan is now a trusted resource for work with Shibboleth. The teams talk frequently and have networked at different events.
• Illinois State University is working on projects similar to those under way at UT Austin. The two institutions have bounced many ideas off each other.
• Having the ability to reach out to one or more higher education institutions when an IAM problem presents is something UT Austin attributes to CSP participation.

Lessons Learned

1. Encourage IAM team members to interact with the CSP community.Exposure, through the CSP, to various experts in the community was a valuable byproduct of the program for UT Austin, according to UT Austin IAM team members.
2. Use the CSP training credits provided. UT Austin didn’t use the full amount of credits and regrets the loss of potential training. 
3. Don’t underestimate the complexity of TAP tools. MidPoint connectors, in particular, are very complex.
4. Documentation and training only get you so far. Take advantage of the CSP community. Their past experiences and knowledge is very helpful.
5. The CSP is a starting point; implementation takes time.

About The University of Texas at Austin

The University of Texas was founded in 1883 and includes 22 colleges, programs, and schools. UT has more than 50,000 students, 3,800 faculty members, and 25,000 staff.

UT Austin IAM Overview:

• The institution had 51.7 million authentications in 2021, protecting 250 UT Austin services. 
• UT Austin manages 10.1 million UT EIDs currently.
• In 2020, UT Austin had 4.35 billion enterprise directory (TED) searches.
• UT Austin accounted for 1.94 million authentications monthly for 2020.
• More than 320,000 UT EID password changes were recorded in 2021, and 107,000 UT EIDs are protected by multi-factor authentication. 
• The university oversees 602,000 businesses, 976,000 other identities, 7.1 million guests, 84,000 members, and 2.45 million affiliates.

UT Austin CSP Project Team

Grady Bailey, Authentication and Directory Services (ADS) team lead, senior software engineer
Marta Lang, IAM team, senior ITmanager, IAM team lead
Aaron Reiser, IAM team, senior business analyst
Cody Antunez, Andrew Coyle, and Richard Dayries, ADS team, engineers
Stacey Myers, IGA Modernization Program, technical architect
Alex Knox, IGA Modernization Program, implementation engineer
Elizabeth McGuinness, IGA team, project manager and team lead
Audrey Barnes, Emily Blanchette, and Tori Brown, IGA team, engineers

—Back to Collaboration Success Program Alumni Case Studies