Learn how to navigate the process of creating an identity management roadmap with the University of Oregon's experience in deploying and refining their IdM system and offering federated services.
Exploring InCommon Getting Started with InCommon: Creating Your Roadmap
University of Oregon Identity Management Roadmap
• Deployed phase 1 of our Identity Management system in August 2007
• Deployed Shibboleth for intra-campus authentication/SSO and attribute delivery in fall 2008
• Joined InCommon in February 2010
• Continuing to expand and refine the IdM system and starting to offer federated services
Identity Provider: IdM Prep – Policy
• *Review the Participant Operational Practices (POP) to familiarize yourself with the policies and practices your organization will need in joining a federation
• Ensure basic identity management policies are in place, including data stewardship and acceptable use policies
• *Define policies related to single sign-on (SSO) and authentication
• *Define and publish account creation and termination policies
• Define policies on log retention for identity management and provisioning

Join InCommon
• *Submit the InCommon Participant Agreement
• *Once approved, designate your Executive and Administrator(s)
• Post your Participant Operational Practices (POP)
• Submit metadata for your Identity Provider and/or Service Provider
Identity Provider: IdM Preparation – Business Practice Steps
• *Provision/de-provision accounts for your users (faculty, staff, and students) based on the published policies
• Create a problem resolution process for when users forget or lose passwords
• Create Help Desk support procedures for authentication problems and password changes
• *Create a process to address reports of abuse
Identity Provider: IdM Prep – Technical Step
• *Install/operate/manage the identity provider package of a SAML federating software system such as Shibboleth
IdP IdM Attribute Provisioning – Policy
• *Identify who governs the decision to release attributes
• Develop policy governing the use of your attributes by service providers (attribute retention, sharing, etc.)
• Consider setting up tiers or groups of attribute release policies for different categories of service providers
IdP IdM Attribute Provisioning – Business Practice
• *Identify who is responsible for editing/implementing the attribute release policies
• Define the process a service provider would use to request attributes and the process used to respond to the request
• Define the process to follow when a service provider requests an attribute that is not currently available as defined by the policy above
• *Define a problem escalation procedure for when identity information is released in conflict with organization policies
IdP IdM Attribute Provisioning – Technical Steps
• *Extend directory and/or person registry schemas if needed to support eduPerson
• Configure the identity provider attribute resolver for the appropriate sources
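Added here as a worked example (not from the presentation or from the University of Oregon's deployment): a Shibboleth IdP attribute-filter.xml that implements the tiered attribute release policies suggested on the Policy slide, with one tier keyed on the REFEDS Research and Scholarship entity category carried in federation metadata and one keyed on a single named campus service provider. The entityID https://lms.example.edu/shibboleth, the example.edu scope and the attribute IDs (which must match those defined in your attribute resolver) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example attribute-filter.xml for the Shibboleth IdP (v3/v4 syntax).
     Release is deny-by-default: an attribute reaches a service provider
     only if some policy below permits it. Two policies model two tiers. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Tier 1: every SP tagged with the REFEDS Research and Scholarship
         entity category in federation metadata receives a minimal bundle.
         Governance decides once per category rather than once per SP. -->
    <AttributeFilterPolicy id="tier1-research-and-scholarship">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://refeds.org/category/research-and-scholarship"/>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Tier 2: one contracted campus service (hypothetical entityID) also
         receives affiliation, restricted to the values the policy owner
         approved rather than whatever the directory happens to hold. -->
    <AttributeFilterPolicy id="tier2-campus-lms">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://lms.example.edu/shibboleth"/>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="student@example.edu"/>
                <Rule xsi:type="Value" value="staff@example.edu"/>
                <Rule xsi:type="Value" value="faculty@example.edu"/>
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Any SP matched by neither policy receives no attributes; a request
         for more goes through the attribute request process, not an ad hoc edit. -->
</AttributeFilterPolicyGroup>
```

Because the filter is deny-by-default, a new service provider that needs attributes shows up as an explicit policy change rather than a silent release, which gives the escalation procedure on the Business Practice slide something concrete to audit.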