UTLogin provides centralized authentication (single sign-on) services for more than 250 campus systems, through a combination of Web Policy Agents (WPAs) installed on on-campus servers and SAML federation with off-campus systems. UTLogin processes more than 55 million authentication requests annually.
A marked increase in UTLogin service interruptions and system instability began in the summer of 2016. Although mitigations and fixes have been implemented to address each issue, new issues with different causes continue to appear. The Identity and Access Management (IAM) team believes the overall root cause of the ongoing instability is a combination of three major factors:
- Maintenance complexity and support issues related to customizations and non-standard configuration of the base OpenAM vendor product implemented within UTLogin
- Aging UTLogin system components that are at or near end of life
- An increase in the number and complexity of the sites being protected by UTLogin
The IAM team will focus on simplifying and standardizing the UTLogin environment. UTLogin system components will be upgraded to current and well-supported versions. During this upgrade, customizations and non-standard configurations of OpenAM will be removed. Specifically, native capabilities will be used for whitelist filtering and brute force attack defenses. UTLogin’s current dependency on TED will also be removed. Reliance on external dependencies like DNS and load balancing services will be reduced to the bare minimum. The authentication policy model will be simplified while preserving the ability for CSUs to maintain their own policies, if possible.