Texas State supports two secure systems for Single Sign-On (SSO): Entra ID (formerly Azure Active Directory) and Shibboleth. Both verify users using their Texas State NetID, password, and Duo multi-factor authentication. While they serve a similar purpose, they differ in how they integrate with vendor systems and which features they support.
Key Differences
| Feature | Entra ID | Shibboleth |
| --- | --- | --- |
| SCIM Provisioning | ✅ Supported if the vendor's system allows it | ❌ Not supported |
| Access Can Be Limited to Specific Groups | ✅ Yes (through Entra security groups) | ❌ Not supported |
| Authentication Method | NetID@txstate.edu + Password + Duo MFA | NetID + Password + Duo MFA |
| User Info Shared | Name, email, NetID, role info | Name, email, NetID (basic info) |
| How Fast Access Changes Apply | ❌ Slower to reflect updates | ✅ Faster to reflect updates |
| Best Fit for Your Needs | Good choice if advanced features like SCIM or restricting access based on group membership are needed. Setup may take longer and may involve more coordination. | Faster to set up and currently the university’s preferred method. Best for straightforward integrations without advanced provisioning. |
Glossary of Key Terms
- Authentication: The process of verifying who a user is. At Texas State, this involves entering your NetID and password and completing Duo multi-factor authentication (MFA).
- Authorization: The process of determining what a user is allowed to access. For example, Entra ID can authorize access by checking whether a user belongs to a specific group. Shibboleth leaves authorization decisions up to the application itself.
- MFA (Multi-Factor Authentication): A security feature that requires users to provide two or more forms of identification when logging in. At Texas State, this means entering your NetID and password plus confirming your identity through Duo (such as with a mobile push or code).
- Identity Provider (IdP): The system that verifies a user’s identity. At Texas State, this is either Entra ID or Shibboleth. The IdP confirms who the user is and passes that information to the application (the service provider).
- Service Provider (SP): The application or website the user is trying to access — for example, a third-party software vendor or cloud service. The service provider relies on Texas State’s Identity Provider to confirm the user’s identity.
- InCommon Federation: A trusted network of colleges, universities, and service providers that use shared identity standards. If your vendor is part of the InCommon Federation, Shibboleth integration is often faster because trust relationships are already in place.
- SCIM (System for Cross-domain Identity Management): A system that allows Texas State to automatically create, update, or remove user accounts in a vendor’s application based on group membership. This helps ensure that access stays in sync without manual intervention.
  Not all applications support SCIM — the vendor must have built this functionality into their product, which means SCIM availability depends on the application itself. Because SCIM adds functionality beyond a standard SAML connection, it can also make configuration more complex and may require more coordination with the vendor’s technical team.
- SAML (Security Assertion Markup Language): A widely used standard for Single Sign-On (SSO). It allows identity providers (like Texas State) to pass login and attribute information to external services in a secure way. Both Entra ID and Shibboleth support SAML connections.
- OIDC (OpenID Connect): A newer and more flexible authentication protocol built on top of OAuth 2.0. OIDC is often used in modern web applications and APIs. Entra ID supports OIDC, but Shibboleth does not.
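
The account sync described in the SCIM entry above, as an added example that is not Texas State's or any vendor's code: it compares a group's membership with a vendor's account list and plans the SCIM 2.0 requests needed to bring them in line. The sample users, the `plan_scim_sync` name, and the choice to disable departed accounts (rather than delete them) are assumptions.

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _set_active(scim_id, active):
    """Build a SCIM PATCH that enables or disables one vendor account."""
    return ("PATCH", f"/Users/{scim_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": active}],
    })


def plan_scim_sync(group_members, vendor_accounts):
    """Return (method, path, body) requests that sync the vendor to the group.

    group_members:   {userName: {"given": str, "family": str, "email": str}}
    vendor_accounts: {userName: {"id": vendor SCIM id, "active": bool}}
    """
    requests = []
    for user_name, person in sorted(group_members.items()):
        account = vendor_accounts.get(user_name)
        if account is None:
            # In the group but unknown to the vendor: create the account.
            requests.append(("POST", "/Users", {
                "schemas": [USER_SCHEMA],
                "userName": user_name,
                "name": {"givenName": person["given"],
                         "familyName": person["family"]},
                "emails": [{"value": person["email"], "primary": True}],
                "active": True,
            }))
        elif not account["active"]:
            # Rejoined the group after being disabled: re-enable.
            requests.append(_set_active(account["id"], True))
    for user_name, account in sorted(vendor_accounts.items()):
        if user_name not in group_members and account["active"]:
            # Left the group: disable so access does not linger at the vendor.
            requests.append(_set_active(account["id"], False))
    return requests


# Constructed sample data (hypothetical users, not real accounts).
GROUP = {"abc123@example.edu": {"given": "Ada", "family": "Byron", "email": "abc123@example.edu"},
         "def456@example.edu": {"given": "Dee", "family": "Ford", "email": "def456@example.edu"}}
VENDOR = {"def456@example.edu": {"id": "v-2", "active": False},
          "ghi789@example.edu": {"id": "v-3", "active": True}}

if __name__ == "__main__":
    for method, path, body in plan_scim_sync(GROUP, VENDOR):
        print(method, path, json.dumps(body))
```

The last loop is the one that matters for access control: without it, a user removed from the group keeps a working account in the vendor's application.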