1. Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley

2. “Identity Management System”  Suite of campus-wide security, access, and information services Integrates data sources and manages information about people and their contact locations Establishes electronic identity of users Issues electronic identity credentials Uses administrative data and management tools to assign affiliation and other authoritative attributes – these may imply eligibility to use certain resources …and (eventually) may define explicit permissions to use services and/or applications

3. Know your environment: Guiding Questions  Is campus governance centralized or distributed?  How has central administration demonstrated commitment to policy leadership?  What partnerships are in place to support policy development among, e.g., IT, Legal, internal audit, police, Student Affairs?  Are there best practices already defined for your campus? Processes to create best practices?  Are there existing policies that just need to be interpreted to cover the e-World?  What resources are available to support policy development and implementation?  Who needs to talk with whom?

4. Participant Operational Practices  A goal of the InCommon Federation is to develop, over time, community standards for cooperating organizations to ensure that shared identity assertions are sufficiently robust to manage access to important protected resources.  In furtherance of this goal, InCommon requires that each participant make available to other participants certain basic information about their identity management system.

5. 1.Participant Information Contact person - office or person who can answer questions URL(s) leading to ID management and/or privacy policies

6. Participant’s Community  Who might qualify for an identity in your system?  What subset of the above would you assert are eduPersonAffiliation “Member of Community”?

7. Authentication Policies & Practices  Process of creating an electronic identity  Types of electronic credentials issued  Are clear text passwords used?  Is a Single Sign-On system used?  Uniqueness or persistence of “netID”s Note: new eduPersonTargetedID are defined as persistent over time

8. Electronic Identity Database  How is the ID database (directory) managed? Initial creation and population of records Changes or updates  What information is considered “public”? Would be given to “default” targets

9. Your Uses of Your ID Credentials  For what classes of applications are your ID credentials used within your organization?

10. Attribute Assertions  Would you consider your identity assertions to be reliable enough for Control of access to on-line licensed information? Purchase of goods and services for your organization? Management of access to personal information such as student loan status?

11. Privacy & Use of Information Participants must respect any legal and other constraints that may apply and use information only for its intended purpose  What restrictions do you place on use of information you provide?  What policies or legal constraints apply?  What use do you make of information you receive

12. Technical Standards Identify the version of Internet2 Shibboleth code release that you are using or, if not using the standard Shibboleth code, what version(s) of the SAML and SOAP and any other relevant standards you have implemented for this purpose.

13. Other Considerations Are there any other considerations or information that you wish to make known to other InCommon Federation participants with whom you might interoperate, e.g., concern about the use of clear text passwords or responsibilities in case of a security breach involving identity information you may have provided?

14. Authenticate locally, Act federally  For general information http://incommon.internet2.edu http://www.incommonfederation.org  For participation information incommon-info@internet2.edu