Exploring InCommon
Getting Started with InCommon: Creating Your Roadmap
University of Oregon Identity Management Roadmap
– Deployed phase 1 of our Identity Management system in August 2007
– Deployed Shibboleth for intra-campus authentication/SSO and attribute delivery in fall 2008
– Joined InCommon in February 2010
– Continuing to expand and refine the IdM system and starting to offer federated services
Identity Providers: IdM Prep - Policy
• *Review the Participant Operating Practices (POP) to familiarize yourself with the policies and practices your organization will need when joining a federation
• Ensure basic identity management policies are in place, including data stewardship and acceptable use policies
• *Define policies related to single sign-on (SSO) and authentication
• *Define and publish account creation and termination policies
• Define policies on log retention for identity management and provisioning
• Join InCommon
– *Submit the InCommon Participant Agreement
– *Once approved, designate your Executive and Administrator(s)
– Post your Participant Operational Practices (POP)
– Submit metadata for your Identity Provider and/or Service Provider
Identity Provider: IdM Preparation – Business Practice Steps
• *Provision/de-provision accounts for your users (faculty, staff, and students) based on published policies
• Create problem resolution process for when users forget or lose passwords
• Create Help Desk support procedures for authentication problems and password changes
• *Create a process to address reports of abuse
Identity Provider: IdM Prep, Technical Step
• *Install/operate/manage the identity provider package of a SAML federating software system such as Shibboleth
IdP IdM Attribute Provisioning - Policy
• *Identify who governs the decision to release attributes
• Develop a policy governing service providers' use of your attributes (retention, onward sharing, etc.)
• Consider setting up tiers or groups of attribute release policies for different categories of service providers
IdP IdM Attribute Provisioning – Business Practice
• *Identify who is responsible for editing/implementing the attribute release policies
• Define the process a service provider uses to request attributes and the process you use to respond to the request
• Define the process to follow when a service provider requests an attribute that is not currently available under the policy above
• *Define a problem escalation procedure for cases where identity information is released in conflict with organization policies
IdP IdM Attribute Provisioning – Technical Steps
• *Extend directory and/or person registry schemas if needed to support eduPerson
• Configure the identity provider attribute resolver for the appropriate sources
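As an added illustration of the last two technical steps and of the tiered release policies suggested earlier (example configuration written for this transcript, not the University of Oregon's or InCommon's own): excerpts of a Shibboleth IdP v3+ attribute-resolver.xml that sources eduPerson attributes from LDAP, and an attribute-filter.xml with a federation-wide tier and a per-SP tier. The example.edu hostnames, DNs and entityIDs are placeholders, and the InCommon aggregate group name urn:mace:incommon is assumed from memory; verify it against the metadata you actually load.

```xml
<!-- attribute-resolver.xml (excerpt): resolve eduPerson attributes from the campus directory -->
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- ePPN = uid scoped with the campus domain (assumes idp.scope is set in idp.properties) -->
  <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}">
    <InputDataConnector ref="campusLDAP" attributeNames="uid"/>
  </AttributeDefinition>

  <!-- Affiliation values come straight from the eduPerson schema on the directory -->
  <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}">
    <InputDataConnector ref="campusLDAP" attributeNames="eduPersonAffiliation"/>
  </AttributeDefinition>

  <!-- Read-only service bind over StartTLS; credential kept in idp.properties, not here -->
  <DataConnector id="campusLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldap://ldap.example.edu" baseDN="ou=people,dc=example,dc=edu"
      principal="uid=idp-reader,ou=service,dc=example,dc=edu"
      principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
      useStartTLS="true">
    <FilterTemplate><![CDATA[(uid=$resolutionContext.principal)]]></FilterTemplate>
    <ReturnAttributes>uid eduPersonAffiliation</ReturnAttributes>
  </DataConnector>
</AttributeResolver>

<!-- attribute-filter.xml (excerpt): tiered release policies, nothing is released by default -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Tier 1: any SP in the InCommon aggregate gets only a scoped affiliation (assumed group name) -->
  <AttributeFilterPolicy id="tier1-federation-default">
    <PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:incommon"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Tier 2: one contracted SP additionally gets the identifier its request was approved for -->
  <AttributeFilterPolicy id="tier2-contracted-lms">
    <PolicyRequirementRule xsi:type="Requester" value="https://lms.example.edu/shibboleth"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Each new tier-2 policy block is the technical record of an approved attribute request, so the filter file doubles as the audit trail for the escalation procedure above.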