UT Shibboleth: Acceptable Use Policy
The UT Shibboleth Acceptable Use Policy (AUP), retained below for posterity, has been superseded by the Authentication Acceptable Use Policy.
Shibboleth is an open-source access management system that allows for information about identities to be provided from one organization to another without both having to manage identities. One organization acts as the identity provider, the other as the service provider. Information Technology Services (ITS) provides services that support the identity provider role.
Shibboleth relies on UT Austin’s Enterprise Directory (TED) for accessing information about identities. TED contains confidential information and is not equivalent to the public "white pages" directory (located at https://directory.utexas.edu/).
System Use & Responsibilities
Shibboleth is a middleware system that allows for attributes about identities to be pushed to trusted service providers in order to federate access management. It is not the system that maintains identities, nor is it a system that provides any particular service to customers beyond access management. It relies on TED, which is itself not the system of record for any student or employee information and from time to time may not reflect the most current, official status of a student or employee.
You agree that non-public information (i.e., information not available through public sources such as the white pages directory) that your service accesses through Shibboleth will be used only to control access to your application and/or for the specific purposes described in your request for Shibboleth access. You also agree that restricted data obtained using your service account will not be presented to users by your application, nor will you divulge it to others, unless specified in your request for Shibboleth access. If your system displays data to users that has been restricted from release by the subject of the data, the system must indicate to the user that the data is release-restricted.
You agree to use this service in a manner consistent with this policy and with other university rules governing acceptable use of information technology, including confidential data. You also agree to comply with all applicable state and federal laws. The Family Educational Rights and Privacy Act of 1974 (FERPA) restricts access to student records. These legal restrictions apply to all users of Shibboleth. All account holders are responsible for maintaining the confidentiality of records made available through Shibboleth.
Failure to comply with this policy may result in a discontinuation of service or disciplinary actions. Failure to comply with applicable law could result in civil actions or criminal charges.
Accounts for access to Shibboleth are created on a case-by-case basis and tailored specifically to the informational needs of the Service Provider. All accounts require a sponsoring department that is directly affiliated with the University of Texas at Austin. Information concerning the official sponsors is provided with the request to access Shibboleth services.
An account must be used solely by the Service Provider to whom it was assigned. Each account sponsor is responsible for all actions accomplished with that account.
All Shibboleth account activity is subject to logging and security monitoring.
Servers, applications and other resources with access to Shibboleth must be protected from unauthorized physical and electronic access.
Use of Shibboleth must be responsible, efficient and non-disruptive. Excessive consumption of Shibboleth resources may result in suspension of access privileges. Any attempt to circumvent Shibboleth authentication and authorization mechanisms is strictly prohibited.
Account sponsors agree that they will only use their access to Shibboleth for the purposes stated in the request for access; that they will maintain the security of shared secrets and other account credentials; and that they will immediately report any breach of security to the Information Security Office (firstname.lastname@example.org) and the Shibboleth administrators (email@example.com).
Policy Acknowledgement Renewal
Acknowledgement of this policy must be renewed on an annual basis. Account sponsors must renew their agreement with this policy to maintain access to Shibboleth.
For more information about Shibboleth, visit the Shibboleth service page.
For more information about UT Austin's information technology policies, consult the Policies section of the Web site for the Chief Information Officer.