Federated Identity Service - Service Policy and Guidelines

Federated Identity Requests

Any campus web application provider, whether the application is a campus custom application or an externally hosted web application, that can accept and exchange properly formed Shibboleth or Security Assertion Markup Language (SAML) metadata, may request Federated Identity Service authentication.

Requests will be granted based on the following:

The ability of the web application to properly interact with Federated Identity Service.
The nature of the data attributes requested with the authentication.
- Requests that require only opaque identifiers and personalization directory data contained in Federated Identity Service Digital ID Card attributes will be processed and approved for any reasonable service offering
- Requests for attributes that include role identifiers, contact information, affiliation, or other privacy sensitive information, will require additional analysis and approval. Campus security, legal, contracting, privacy, and data owner authorities may be engaged as appropriate to approve attribute release.
- Additional directory data attributes can be made available to Federated Identity Service given sufficient business requirements. Adding additional attributes will require appropriate data owner and custodian approval, time to test and integrate these attributes into Federated Identity Service, and to update service documentation.
The appropriateness of Federated Identity Service as a solution for the stated objective and web application.
Agreement to abide by the conditions and guidelines of the service.
The ability to identify a responsible service owner and technical contact for the Federated Identity Service enabled service.

Conditions and Guidelines

Business Value: The request must demonstrate business value reasonably commensurate with the mission and objectives of the University of Colorado Boulder.
University Policy: The service request must comply with the expectations of university and campus policy, particularly security, privacy, information technology and data protection policies.
- Any failure of the service to appropriately protect service data or abide to university and campus policy is grounds for immediate termination of Federated Identity Service service.
- OIT reserves the right to temporarily suspend service for properly delivered legal or security requests.
- OIT will restrict release of metadata and attribute release information to appropriate university authorities, in response to legal or law-enforcement requests, to the Federated Identity Service user for approval, or to the named service and technical contacts.
Renewal: All Federated Identity Service services will require at least annual confirmation of service request data to ensure access is still required and that contact information is current and viable.
Attribute Source: Data attributes will be provided per their source system or directory definition. The data attributes will not be transformed or enriched to suit any particular application requirement other than creating scoped identifiers.
Compatibility: All requesting services must maintain technical compatibility with the current supported version of Shibboleth, SAML, and any other Federated Identity Service technology or standard. OIT will endeavor to maintain supportable and up-to-date versions of the supporting technologies and will announce any significant upgrades or changes in advance to Federated Identity Service service providers.
Right of Refusal: OIT reserves the right to refuse support for services that are not compliant with the currently implemented Shibboleth release or supported SAML versions. Requests that are not compliant may become strategic service considerations, but cannot conflict with the ongoing interests of current Federated Identity Service service providers.
InCommon: Federated Identity Service is offered as an InCommon compliant service under the terms, agreements, and policies of the InCommon Federation. Preference will be given to requests that are for registered InCommon providers who appear on the InCommon participant list and have agreed to abide by the operating principles of InCommon. Membership in InCommon by service providers is not necessary, but familiarity with and adoption of InCommon participation guidelines is recommended.
- Annual campus membership dues paid by OIT provide licenses allowing custom campus services to participate in the InCommon federation.
Participant Operating Practices: Federated Identity Service is offered under the constraints identified in OIT’s InCommon Participant Operating Practices. All service providers acknowledge and are constrained by these practices.
Privacy: All end user service provider applications are subject to attribute release approval without exception in order to support personal privacy management and “privacy flag” elections for service customers.
Application Service Provider: All risks and consequences resulting from the use of the Federated Identity Service enabled application are the responsibility of the university service provider. Federated Identity Service is not accountable for application failures including performance issues, data loss, test identities, or functionality limitations.
- SSO: Federated Identity Service enables Single-Sign-On (SSO) with other Federated Identity Service enabled services. The consequences of this SSO are the service provider’s. In some cases SSO may not be a desirable outcome for a given application service. Alternative authentication technologies utilizing LDAP or custom token-exchange approaches may be required.
Service Provider Responsibilities:
- Service Contact Information: All Federated Identity Service application requests must include, and service providers must maintain application contact information for service communication, incident and problem resolution.
- Technical Contact Information: All Federated Identity Service application requests must include and maintain an application technical contact by role or name. Sufficient contact information is required and must be kept current.
- Service Contracts and Agreements: All participants must respect the legal and organizational privacy constraints on attribute information provided through the Federated Identity Service exchange. The application service owner is responsible to ensure compliance by service providers through appropriate contractual agreements, monitoring or review, or alternative control mechanisms.
- Attribute Release: Attribute release policies may be altered at any time by OIT in accordance with changes in attribute source systems and university policies. The application service owner is responsible to coordinate any resulting impact with their service provider.
- Appropriate Use: Service providers are trusted to request only the information necessary to make an appropriate access control decision. Information exchanged between Federated Identity Service and application service providers may not be retained or used for any purpose other than
  - managing the authentication process,
  - delivering authorization attributes,
  - establishing identity or personalization attributes, or
  - maintaining the viability of the service.
  Any use of Federated Identity Service information that results in unsolicited information requests, unrelated service offerings, or any transfer of data by the provider to third parties for reasons other than maintaining and operating the intended service is prohibited. Violation of this prohibition may be grounds for immediate termination of Federated Identity Service services.
OIT Support: OIT will support the initial service configuration and metadata exchange. OIT will assist in validating authentication and attribute release. All other support and service issues belong to the application service owner and must be resolved through the application service owner. OIT will assist the technical contact in a best effort fashion with any issues related to the data exchange, release, or metadata once a viable data release/exchange has been validated.
Federated Identity Service Change Management: OIT will communicate any significant changes to version level, service impacting changes, or attribute definitions changes, to Federated Identity Service service application providers in a timely fashion. Application service provider contacts will be responsible to coordinate any service implications with their technical contacts and service providers. Federated Identity Service will operate with a weekly service window from 5:00am to 6:00am each Tuesday to implement planned changes or corrective actions. Temporary disruptions to service or any planned down-time maintenance will occur during this window.

KEY TERMS:

Federation: An association of independent organizations, each governed by its own institutions. The InCommon federation serves the U.S. education and research communities, supporting a common framework for trusted shared management of access to on-line resources.

Identity Provider (IdP): Is a service capable of authenticating users and releasing specific attributes to service providers.

Service Owner/Service Contact: A campus person representing the entity providing and responsible for the web application. This is a person identified with the service. All web application service and support requests or incidents that do not relate to Shibboleth authentication or attribute release will be directed to this person.

Service Provider (SP): 1. Refers to the university entity providing or facilitating a web application as a service. Service providers control access to their protected resources. 2. Service Provider can also refer to the application resource that interacts with an Identity Provider to enable federated authentication and attribute exchange.

Technical Contact: A contact by role or name that can assist with data exchange and service provider incident or problem resolution.

Web Application: A software application utilizing the Internet (World Wide Web) and common browser technologies to deliver service.