University of California
Federated Identity Management Criteria
The purpose of the following questions is to describe how the campus defines and establishes electronic identities for persons associated with the campus and who need to make use of on-line resources managed by the campus. The answers will help establish a basis for the use of federated identity management among UC campuses and the Office of the President.

An "electronic identity" is a set of information that is maintained about an individual in campus databases. One or more "identity credentials" associated with this identity information are issued to the person who is the subject of an information record to enable that person to gain access to applications or other resources that need to control such access. The glossary below defines additional terms as they are used in this document.

I. Community and Eligibility
  1. Who is eligible to be given an electronic identity (Campus NetID)?
  2. What office(s) are authoritative to determine or verify the eligibility of specific individuals?

II. Initial Identification and Authorization process
  1. What physical credentials are required to prove identity and eligible affiliation with the institution?
  2. How many specific credentials are required to establish proof of identification, such as one or more photo ID?
  3. If the person might be already in the campus identity database, how is a physical identity associated with existing electronic information?
  4. What elements in the identity database may be used to verify that a physical person may properly be associated with a specific database record, e.g. SSN, DOB, EmpID, SID, etc.?
  5. Does the campus use web-based or in-person registration? How does this choice affect the reliability or the allowable use of campus electronic identities?
  6. Is there post-registration notification to the subject to confirm registration?

III. Electronic identity credentials
  1. What technologies are used to create and manage campus electronic identity credentials?
  2. How is the personal secret associated with the identity credential given to the credential subject?
  3. How reliable do you consider the electronic identity credential(s) to be, e.g. userid/passwords vs. Kerberos vs. smart cards vs. ...?
  4. Are multiple electronic identity credentials associated with a Campus NetID? If so, do they represent different levels of reliability or robustness?
  5. Are different electronic identifiers used for different applications and, if so, how are these identifiers associated with each other (if at all)?
  6. Do you allow sharing of Campus NetIDs or identity credentials?
  7. Can a Campus NetID or other electronic identifier be reissued to a different person? If so, after what period of time?
  8. How are lost or compromised electronic identity credentials dealt with?
  9. What controls exist to revoke an electronic identity or associated privileges?

IV. Management of identity information
  1. Who or what office is authoritative for the campus's electronic identity data?
  2. How is the identity database populated initially?
  3. How are data updates managed or controlled?
  4. If more than one database is used for campus applications, how are they synchronized?
  5. What rules govern the release of this information (who gets to see what)?
  6. What rules govern the use of identity information by applications or third parties?

V. Management of Access to applications
  1. Are campus electronic credentials used to gain access to most resources and applications or do some still require application-specific authentication & authorization?
  2. Are campus electronic credentials used to access each application separately or is there a "single sign on" (SSO) system available?
  3. Is access to primary campus applications enabled through a common portal? If so, is the portal allowed to assert a person's electronic identifier to gain access to an application, e.g. calendar or email?
  4. If an SSO is used, can the same SSO be used to gain access to administrative applications, e.g. personnel/payroll, as well as to personal applications, e.g. email or calendar?
  5. If an SSO is used, do applications processing sensitive information require an additional credential?
  6. If an SSO is used, how are time outs or re-authentication to sensitive applications managed?


Glossary

electronic identity

A set of information that is maintained about an individual, typically in campus identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used.

electronic identifier

A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a Kerberos principal name, a UC or campus NetID, an employee or student ID, or a PKI certificate.

personal secret

As used in this document, synonymous with password, passphrase or PIN. It enables the holder of an electronic identifier to confirm that s/he is the person to whom the identifier was issued.

identity credential

An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.

NetID

An electronic identifier created specifically for use with on-line applications, often an integer and typically with no other meaning. If created by the campus it is referred to here as the Campus NetID. If created at UCOP from the University Directory, it is referred to here as the UCNetID.

identity database

A structured collection of information pertaining to a given individual. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database or set of linked relational databases.

authentication

The process by which a person verifies or confirms their association with an electronic identifier. For example, entering a password that is associated with a UserID or account name.

authorization

The process of determining a specific person's eligibility to gain access to an application or function, or to make use of a resource.

attribute

A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual.