UT Shibboleth to Enterprise Authentication Transition Plan
The Identity and Access Management (IAM) team has been working to consolidate current authentication services into one service called Enterprise Authentication, which uses the Shibboleth Identity Provider software to provide a cloud-resilient, stable, single sign-on solution based on standard industry protocols. The transition of UTLogin customers to Enterprise Authentication was completed by November 2020, and UTLogin was retired on December 14, 2020.
The second transition phase will now focus on the transition of UT Shibboleth customers to Enterprise Authentication with a new project called Consolidate to Enterprise Authentication. The intent is to retire UT Shibboleth by August 2021.
Transition Scope and Schedule
The primary objective of this transition effort is to transition all applications/systems integrated with UT Shibboleth to Enterprise Authentication with minimal impact to users and customers.
There are two ways in which customers may integrate their SAML Service Providers (SPs) with the UT Shibboleth SAML Identity Provider (IdP): through a direct integration or through a SAML Federation (e.g. InCommon).
- Direct integration customers: These customers are expected to follow the established transition process defined during the UTLogin transitions, making these transitions straightforward and quick.
- SAML Federation customers: A SAML Federation acts as a trusted intermediary. For example, by participating in the UT System Federation, UT Austin allows members of the UT System Federation to integrate with UT Austin systems with minimal effort. They are pre-authorized by virtue of their membership in the federation. UT Austin is currently a member of three (3) federations: InCommon, UT System, and LEARN (Lonestar Education and Research Network).
  - The UT System and LEARN federations allow for a staged transition. The team expects these transitions to proceed like the transitions of direct integration customers.
  - The InCommon Federation does not support a staged approach. Therefore, the transition will require a coordinated cut-over on a pre-determined date, tentatively scheduled for late May 2021. The team will work with each customer to prepare as much as possible before the cut-over date.
The transition schedule has been structured to account for varying customer schedules and includes the following:
- 97 non-federation integrations, which will be transitioned in five (5) transition groups. Each transition group lasts 35 business days, except for the first group which is longer to account for holiday breaks.
- 117 federation integrations, which will leverage the transition group dates where possible. As a result, this group is structured differently and runs concurrently with the other transition groups.
- Customers will be grouped by college, department, and/or school, as scheduling allows.
- The UT Shibboleth transition will last nine (9) months (October 2020 – July 2021).
Customer Transition Support
The project team will provide resources to support each step of a customer's transition. Customers will be asked to commit resources and availability during their transition window. The following tools will be developed to support customer transitions:
- Action Plans – The project team will develop action plan templates that identify the tasks, resources, and timelines needed to transition a customer's integration(s) from UT Shibboleth to Enterprise Authentication. The team will work with each customer to customize their action plan as needed.
- Customer Support documentation – The project team will create, publish, and update customer support documentation within ServiceNow (e.g., system requirements, metadata requirements, testing checklists, FAQs).
- Escalation Process – Each action plan will include checkpoints, which the project team will use to monitor a customer’s progress. The team will send reminder communications as each checkpoint/deadline approaches. If a customer fails to meet a checkpoint, the Enterprise Authentication Transition Manager will activate the escalation process:
  - 1st Escalation – Notify the customer and their IT Manager and ask the customer to complete tasks immediately. The project team will work with the customer to adjust the timelines within the customer action plan but will keep the original completion date.
  - 2nd Escalation – If checkpoint tasks are not completed within 1 week after the 1st escalation, notify the customer, IT Manager, department Tech Dean or director, ITS Campus Solutions Director, and ISO. The project team will also work with the customer and their IT Manager to adjust the timeline of the customer action plan.
  - 3rd Escalation – If checkpoint tasks are not completed within 1 week after the 2nd escalation, notify the customer, IT Manager, department Tech Dean or director, ITS Campus Solutions Director, ISO, and Assistant Vice President for ITS. The project team will schedule a meeting with the customer to create an updated customer action plan that must be reviewed and approved by the above-listed leadership.
  - If no progress has been made within two weeks after the 3rd escalation, UT Shibboleth access will be blocked for the customer’s applications and systems.
- Exception Process – If a customer wants to change their assigned transition group or window, they can submit an exception request using the existing ISO Exception Process. ISO and the project team will evaluate the exception request. Customers can only be granted one exception during the project. Any additional exception requests will require review and approval by the ITS Campus Solutions Director, ISO, and the Assistant Vice President for ITS.
If you are a UT Shibboleth customer and have questions about your consolidation to Enterprise Authentication, please e-mail us at firstname.lastname@example.org. This will create a ticket in ServiceNow so we can track and respond to your inquiry.