Information Technology Services
InCommon Federation: Participant Operational Practices
- Identification Information
- Participant identification
- Organization's name: The University of North Carolina at Greensboro
- Additional information URL (a link to additional information pertaining
to identity management and/or privacy policies regarding the use of personal information)
- Executive Contact Information - An individual responsible for answering
questions about the participant's identity management system or resource access management
policy or practice.
- Name: Susan Hensley
- Title / Role: Assistant Vice Chancellor of ITS Systems
- Email Address: susanhensley@uncg.edu
- Phone: 336-334-3292
- Fax:
- Technical Contact Information - An individual responsible for answering
and monitoring day-to-day operations of the identity provider.
- Name: Rob Gorrell
- Title / Role: Network Engineer
- Email Address: rwgorrel@uncg.edu
- Phone: 336-334-5954
- Fax:
- Identity Provider Information - The most critical responsibility that
an Identity Provider participant has to the Federation is to provide trustworthy
and accurate identity assertions. Each service provider must know how these electronic
identity credentials are issued and the reliability of the information associated
with a given credential.
- Community Membership
- Electronic Identity - How do you define the set of people who are eligible
to receive an electronic identity?
Admitted students and employees of the university. Employees may sponsor an account
but retain responsibility for its use.
- Member of Community - This is an assertion that might be offered to enable
access to resources made available to individuals who participate in the primary
mission of the university or organization. For example, this assertion might apply
to anyone whose affiliation is "current student, faculty, or staff."
What subset of persons registered in your identity management system would you identify
as a "Member of Community" in Shibboleth identity assertions to other
participants? Please specifically consider individuals who engage in sponsored research
when answering this question.
All members of the community would have the assertion – it is based on their affiliation
with the university. The affiliation values currently in use are staff, faculty, student,
retired, emeritus, other, and istudent.
- Electronic Identity Credentials
- Establishment - Please describe in general terms the administrative process
used to establish an electronic identity that results in a record for that person
being created in your electronic identity database? Please identify the office(s)
of record for this purpose. For example, "Registrar's Office for students;
HR for faculty and staff." Please specifically consider individuals who engage
in sponsored research when answering this question.
- Students: admitted students – Admissions Office; registered students – Registrar's Office
- Staff: SPA HR office
- Faculty: EPA HR office
- Credential Type(s) - What technologies are used for your electronic identity
credentials (e.g., Kerberos, userID/password, PKI, etc.) that are relevant to Federation
activities? If more than one type of electronic credential is issued, how is it
determined who receives which type? If multiple credentials are linked, how is this
managed and recorded?
UNCG creates a single, unique userID for each user. This userID is used in a variety of
applications; while SSO is not in use, synchronization of passwords across most
platforms is available. These userIDs are managed by a UNCG-developed system, CSAM,
which is an extension of Banner.
- Password - If your electronic identity credentials require the use of
a secret password or PIN, the following questions are applicable.
- Encryption - Are there circumstances in which that secret would be transmitted
across a network without being protected by encryption (i.e., "clear text passwords"
are used when accessing campus services)? If so, please identify who in your organization
can discuss with any other Participant concerns that this might raise for them.
There are a few instances where encryption is not being used. Please address all inquiries
to Susan Hensley.
- Strength - What policies and rules are in place to ensure passwords relevant
to Federation activities are sufficiently strong and effective against guessing
and brute force attacks?
The password rules are: minimum 8 characters, with at least one numeric value, and the
password cannot start with a number.
- Change Frequency - How often are users required to change passwords that
are relevant to Federation activities? How are these durations enforced?
The password used for Shibboleth is required to be changed every 90 days.
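The two password rules above (minimum 8 characters, at least one numeric value, cannot start with a number, changed every 90 days) are simple enough to encode directly. The following check is an added example, not code from UNCG or from the InCommon Federation; it implements only the rules this document states, and the function names, sample passwords and dates are constructed for illustration.

```python
"""Password policy check mirroring the rules stated in this section.

Added example; not UNCG's or InCommon's code. The rules encoded are the ones
the document states (minimum 8 characters, at least one numeric value, cannot
start with a number, change every 90 days); the function names, sample
passwords and dates below are constructed for illustration.
"""
import string
from datetime import date, timedelta

MIN_LENGTH = 8          # "minimum 8 characters"
MAX_AGE_DAYS = 90       # "required to be changed every 90 days"


def check_password_strength(password: str) -> list[str]:
    """Return every rule the password violates; an empty list means it complies.

    All violations are collected rather than stopping at the first one, so a
    password-change form can report the complete set of problems to the user.
    ASCII digits are checked explicitly because str.isdigit() also accepts
    Unicode digit forms such as superscripts.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in string.digits for ch in password):
        violations.append("contains no numeric value")
    # Guard against the empty string: "" would otherwise match the "in" test.
    if password and password[0] in string.digits:
        violations.append("starts with a number")
    return violations


def days_until_expiry(last_changed: date, today: date) -> int:
    """Days left before the 90-day change requirement is reached (negative when overdue)."""
    return (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days


def is_expired(last_changed: date, today: date) -> bool:
    """True once more than MAX_AGE_DAYS have elapsed since the last change."""
    return days_until_expiry(last_changed, today) < 0


if __name__ == "__main__":
    # Constructed sample inputs covering each rule and the expiry boundary.
    for candidate in ["abcdef1g", "1abcdefg", "abcdefgh", "a1", ""]:
        problems = check_password_strength(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
    changed = date(2024, 1, 1)
    for today in [date(2024, 3, 31), date(2024, 4, 1)]:
        print(f"changed {changed}, today {today}: expired={is_expired(changed, today)}")
```

The expiry check treats day 90 itself as still valid and day 91 as overdue; whichever boundary an identity system actually uses, it should be stated explicitly, since the "every 90 days" wording alone leaves it open.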
- Single Sign On - If you support a "single sign-on" (SSO) or
similar campus-wide system to allow a single user authentication action to serve
multiple applications, and you will make use of this to authenticate people for
Federation Service Providers, please describe the key security aspects of your SSO
system including whether session timeouts are enforced by the system, whether user-initiated
session termination is supported, and how use with "public access sites"
is protected.
We do not have an SSO in use at this time.
- Uniqueness - Are your primary electronic identifiers for people, such
as "net ID," eduPersonPrincipalName, or eduPersonTargetedID considered
to be unique for all time to the individual to whom they are assigned? If not, what
is your policy for re-assignment and is there a hiatus between such reuse?
UserID is unique and managed by the CSAM service. TargetID is also unique.
- Example Applications - Please identify typical classes of applications
for which your electronic identity credentials are used within your own organization.
Those using our current LDAP authentication system are:
- Blackboard CMS system
- Web based email
- UNCG VCL implementation at NCSU
- UNCG RAMSeS implementation at UNCCH
- Banner file upload directory access
- General UNIX login
- Novell general login
- Electronic Identity Database
- Creation & Management - How is information in your electronic identity
database acquired and updated? Are specific offices designated by your administration
to perform this function? Are individuals allowed to update their own information
on-line?
Names and University affiliation are managed by the office identified in item 2.1
within our Banner ERP system.
- Public Information - What information in this database is considered
"public information" and would be provided to any interested party?
Below are websites which explicitly define what is considered public information
-
- Attribute Assertions - Would you consider your attribute assertions to
be reliable enough to:
- Control access to on-line information databases licensed to your organization?
Yes, but possibly not granular enough
- Be used to purchase goods or services for your organization?
Yes, but possibly not granular enough
- Enable access to personal information such as student loan status?
Yes
- Privacy Policy - Federation Participants must respect the legal and organizational
privacy constraints on attribute information provided by other Participants and
use it only for its intended purposes.
- Restrictions - What restrictions do you place on the use of attribute
information that you might provide to other Federation participants?
It depends on the participants – each will be analyzed on a case-by-case basis.
- Release Policy - What policies govern the use of attribute information
that you might release to other Federation participants? For example, is some information
subject to FERPA or HIPAA restrictions?
It depends on the participants – each will be analyzed on a case-by-case basis.
It also depends on the purpose of the consumer of the attributes and information.