Exploring InCommon Getting Started with InCommon: Creating Your Roadmap

Upload: rodger-james

Post on 28-Dec-2015


University of Oregon Identity Management Roadmap

– Deployed phase 1 of our Identity Management system in August 2007

– Deployed Shibboleth for intra-campus authentication/SSO and attribute delivery fall 2008

– Joined InCommon February 2010

– Continuing to expand and refine IdM system and starting to offer federated services

Identity Providers: IdM Prep - Policy

• *Review Participant Operating Practices (POP) to familiarize yourself with policies and practices your organization will need in joining a federation

• Ensure basic identity management policies are in place, including data stewardship and acceptable use policies

• *Define policies related to single sign-on (SSO) and authentication

• *Define and publish account creation and termination policies

• Define policies on log retention for identity management and provisioning

• Join InCommon

– *Submit InCommon Participant Agreement

– *Once approved, designate your Executive and Administrator(s)

– Post your Participant Operational Practices (POP)

– Submit metadata for your Identity Provider and/or Service Provider

Identity Provider: IdM Preparation – Business Practice Steps

• *Provision/de-provision accounts for your users (faculty, staff, and students) based on published policies

• Create problem resolution process for when users forget or lose passwords

• Create Help Desk support procedures for authentication problems and password changes

• *Create a process to address reports of abuse

Identity Provider: IdM Prep, Technical Step

• *Install/operate/manage the identity provider package of a SAML federating software system such as Shibboleth

IdP IdM Attribute Provisioning - Policy

• *Identify who governs the decision to release attributes

• Develop policy governing service providers' use of your attributes (attribute retention, sharing, etc.)

• Consider setting up tiers or groups of attribute release policies for different categories of service providers

IdP IdM Attribute Provisioning – Business Practice

• *Identify who is responsible for editing/implementing the attribute release policies

• Define process a service provider would use to request attributes and the process used to respond to the request

• Define process to follow when a service provider requests an attribute that is not currently available as defined by the policy above

• *Define problem escalation procedure if identity information is released in conflict with organization policies

IdP IdM Attribute Provisioning – Technical Steps

• *Extend directory and/or person registry schemas if needed to support eduPerson

• Configure the identity provider attribute resolver for the appropriate sources