Changes between Version 1 and Version 2 of UAInCPOP.html


Ignore:
Timestamp:
06/20/11 14:45:27 (10 years ago)
Author:
dabantz@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • UAInCPOP.html

    v1 v2  
    33 
    44  
    5 Participation in the InCommon Federation (“Federation”) enables a federation participating organization ("Participant") to use Shibboleth identity attribute sharing technologies to manage access to on-line resources that can be made available to the InCommon community.  One goal of the Federation is to develop, over time, community standards for such cooperating organizations to ensure that shared attribute assertions are sufficiently robust and trustworthy to manage access to important protected resources.  As the community of trust evolves, the Federation expects that participants eventually should be able to trust each other's identity management systems and resource access management systems as they trust their own.  
    6   
    7  
    8  
    9 A fundamental expectation of Participants is that they provide authoritative and accurate attribute assertions to other Participants, and that Participants receiving an attribute assertion protect it and respect privacy constraints placed on it by the Federation or the source of that information.  In furtherance of this goal, InCommon requires that each Participant make available to other Participants certain basic information about any identity management system, including the identity attributes that are supported, or resource access management system registered for use within the Federation. 
     5Participation in the !InCommon Federation (“Federation”) enables a federation participating organization ("Participant") to use Shibboleth identity attribute sharing technologies to manage access to on-line resources that can be made available to the !InCommon community.  One goal of the Federation is to develop, over time, community standards for such cooperating organizations to ensure that shared attribute assertions are sufficiently robust and trustworthy to manage access to important protected resources.  As the community of trust evolves, the Federation expects that participants eventually should be able to trust each other's identity management systems and resource access management systems as they trust their own.  
     6  
     7 
     8 
     9A fundamental expectation of Participants is that they provide authoritative and accurate attribute assertions to other Participants, and that Participants receiving an attribute assertion protect it and respect privacy constraints placed on it by the Federation or the source of that information.  In furtherance of this goal, !InCommon requires that each Participant make available to other Participants certain basic information about any identity management system, including the identity attributes that are supported, or resource access management system registered for use within the Federation. 
    1010  
    1111 
     
    1515 
    1616 
    17 InCommon expects that Service Providers, who receive attribute assertions from another Participant, respect the other Participant's policies, rules, and standards regarding the protection and use of that data.  Furthermore, such information should be used only for the purposes for which it was provided.  InCommon strongly discourages the sharing of that data with third parties, or aggregation of it for marketing purposes without the explicit permission[1] of the identity information providing Participant.  
     17!InCommon expects that Service Providers, who receive attribute assertions from another Participant, respect the other Participant's policies, rules, and standards regarding the protection and use of that data.  Furthermore, such information should be used only for the purposes for which it was provided.  !InCommon strongly discourages the sharing of that data with third parties, or aggregation of it for marketing purposes without the explicit permission[1] of the identity information providing Participant.  
    1818  
    1919 
     
    2222 
    2323=== 1.  Federation Participant Information === 
    24 1.1     The InCommon Participant Operational Practices information below is for: 
    25  
    26 InCommon Participant organization name   ''University of Alaska'' 
     241.1     The !InCommon Participant Operational Practices information below is for: 
     25 
     26!InCommon Participant organization name   ''University of Alaska'' 
    2727 
    2828The information below is accurate as of this date   ''2009-02-20'' 
     
    3434URL(s)    
    3535 
    36 UA Board of Regents Policy and University Regulation:  
    37 http://www.alaska.edu/bor/policy-regulations/                                            
    38  
    39 UA Student & Enrollment Services documentation on FERPA compliance: 
    40 http://www.alaska.edu/studentservices/ferpa/ 
     36 UA Board of Regents Policy and University Regulation:  
     37  http://www.alaska.edu/bor/policy-regulations/                                            
     38 
     39 UA Student & Enrollment Services documentation on FERPA compliance: 
     40  http://www.alaska.edu/studentservices/ferpa/ 
    4141 
    4242  
     
    8888''Contact UA OIT Chief Information Security Officer Kerry Digou, sxkmd@email.alaska.edu or UA OIT Chief Information Architect David Bantz, Q@alaska.edu'' 
    8989 
    90 2.6  If you support a “single sign-on” (SSO) or similar campus-wide system to allow a single user authentication action to serve multiple applications, and you will make use of this to authenticate people for InCommon Service Providers, please describe the key security aspects of your SSO system including whether session timeouts are enforced by the system, whether user-initiated session termination is supported, and how use with “public access sites” is protected.  
    91  
    92 ''UA’s central authentication service for web-based applications is not strictly speaking an SSO service; each application requests authentication.  However, it is possible to authenticate to the service itself and then launch multiple subscribing services without explicitly re-authenticating.  This SSO-like function will not be used for or available to InCommon Service Providers. Session time-outs are not in place.  Sessions are terminated with close of browser window(s) for that service.   ''        
     902.6  If you support a “single sign-on” (SSO) or similar campus-wide system to allow a single user authentication action to serve multiple applications, and you will make use of this to authenticate people for !InCommon Service Providers, please describe the key security aspects of your SSO system including whether session timeouts are enforced by the system, whether user-initiated session termination is supported, and how use with “public access sites” is protected.  
     91 
     92''UA’s central authentication service for web-based applications is not strictly speaking an SSO service; each application requests authentication.  However, it is possible to authenticate to the service itself and then launch multiple subscribing services without explicitly re-authenticating.  This SSO-like function will not be used for or available to !InCommon Service Providers. Session time-outs are not in place.  Sessions are terminated with close of browser window(s) for that service.   ''        
    9393 
    94942.7  Are your primary electronic identifiers for people, such as “net ID,” eduPersonPrincipalName, or eduPersonTargetedID considered to be unique for all time to the individual to whom they are assigned?  If not, what is your policy for re-assignment and is there a hiatus between such reuse? 
     
    218218identity management system:: A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials. 
    219219 
    220 Identity Provider:: A campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants. 
     220Identity Provider:: A campus or other organization that manages and operates an identity management system and offers information about members of its community to other !InCommon participants. 
    221221 
    222222NetID:: An electronic identifier created specifically for use with on-line applications. It is often an integer and typically has no other meaning.  
     
    224224personal secret (also verification token):: Used in the context of this document, is synonymous with password, pass phrase or PIN.  It enables the holder of an electronic identifier to confirm that s/he is the person to whom the identifier was issued. 
    225225 
    226 Service Provider:: A campus or other organization that makes on-line resources available to users based in part on information about them that it receives from other InCommon participants. 
     226Service Provider:: A campus or other organization that makes on-line resources available to users based in part on information about them that it receives from other !InCommon participants. 
    227227 
    228228