The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.
The Andrew W. Mellon Foundation
- Former user (Deleted)
Stage 1: Intra-campus Web Single Sign-on - Central Identity Provider
Task |
Limited Scope ....................................... |
Broader Scope .......................................... |
|---|---|---|
Policy Steps |
 |
 |
1. Define who establishes various policies related to single sign-on (SSO) and authentication |
 |
 |
2. Have basic identity management policies in place, including data and service stewardship responsibilities and use of the system |
 |
 |
3. Have policy in place specifying whether NONE/SOME/ALL campus authenticated web sites are REQUIRED to use the central web single sign-on system |
 |
 |
Business Practice Steps |
 |
 |
4. Create Help desk support for users encountering problems accessing central web sites protected by SSO |
 |
 |
5. Reliably issue credentials to on-campus faculty/staff/students |
 |
 |
6. Create Help desk support for users encountering problems accessing department web sites protected by SSO |
 |
 |
Technical - Basic Identity and Access ManagementSteps |
 |
 |
7. Provision/de-provision accounts for and authenticate on-campus faculty, staff, and students |
 |
 |
8. Provision/de-provision accounts for and authenticate other constituencies (e.g. applicants, alums, affiliates) |
 |
 |
Technical - Shibboleth software Steps |
 |
 |
9. Install/operate/manage Shibboleth identity provider software |
 |
 |
Stage 1: Intra-campus Web Single Sign-on - Central and Department Service Providers
Task |
Limited Scope ....................................... |
Broader Scope .......................................... |
|---|---|---|
Policy steps |
 |
 |
10. Define how often service providers should refresh their metadata |
 |
 |
11. Promulgate policy describing process and constraints when a service provider is compromised |
 |
 |
12. Define minimum operational and environmental requirements for the remote server/application |
 |
 |
13. Define policies on log retention at service providers |
 |
 |
Business practice steps |
 |
 |
14. Create process to register a new service providers (e.g. site inspection requirements) |
 |
 |
15. Create problem resolution process for when users cannot access department-supported service provider |
 |
 |
16. Create process for service providers to report abuse of their site (e.g. such as by anonymous users) |
 |
 |
Technical - Basic Identity and Access Management Steps |
 |
 |
17. Provide technical support to department service provider sites, including documentation describing the web SSO service (description, process to participate, etc) |
 |
 |
Technical - Shibboleth Software Steps |
 |
 |
18. Manage the metadata describing service providers and provide mechanism for distribution |
 |
 |
19. Choose approach to PKI trust within the campus federation (rooted, self-signed) |
 |
 |
20. Provide installation instructions, configuration files and other local files (e.g. error pages, logos ) customized to the campus for the department sysadmins |
 |
 |
Stage 2: Attribute Delivery - Central Identity Provider
Task |
Limited Scope ....................................... |
Broader Scope .......................................... |
|---|---|---|
Policy steps |
 |
 |
21. Identify attribute source systems and define and describe the set of attributes that are available |
 |
 |
22. Identify who governs the decision to release attribute X to service provider Y |
 |
 |
23. Develop policy defining, in a general way, which services are eligible to receive which attributes |
 |
 |
24. Achieve buy in to attribute release process from Identity stakeholders |
 |
 |
Business Practice Steps |
 |
 |
25. Define problem escalation procedure, such as when the wrong attributes are sent to a service provider |
 |
 |
26. Define process to follow when a service provider requests an attribute that is not currently available as defined by the policy above |
 |
 |
Technical - Basic Identity and Access Management Steps |
 |
 |
27. Maintain a minimal set of attributes describing each user |
 |
 |
28. Populate eduPerson attributes for each user |
 |
 |
29. Manage entitlement values on user objects |
 |
 |
30. Provide support for groups in the local directory and configure Shibboleth to use them |
 |
 |
Technical - Shibboleth Software Steps |
 |
 |
31. Configure the identity provider attribute resolver for the appropriate sources |
 |
 |
32. Identify who is responsible for editing/implementing the attribute release policies |
 |
 |
Stage 2: Attribute Delivery - Central and Department Service Providers
Task |
Limited Scope ....................................... |
Broader Scope .......................................... |
|---|---|---|
Policy steps |
 |
 |
33. Develop policy governing use of attributes by service providers such as attribute retention, sharing, etc. |
 |
 |
Business Practice Steps |
 |
 |
34. Define process a service provider would use to request attributes and the process used to respond to the request |
 |
 |
Technical - Shibboleth Software Steps |
 |
 |
35. Document how a service provider's web server could authorize users given the provided attributes |
 |
 |
36. Document how an application could use the supplied attributes in alternative ways, such as for customization or form completion |
 |
 |
Stage 3: Inter-campus Federation - Central Identity Provider
Task |
Limited Scope ....................................... |
Broader Scope .......................................... |
|---|---|---|
Policy steps |
 |
 |
37. Ensure compliance with federation policies |
 |
 |
38. Publish identity management and identification and authentication practice, if required |
 |
 |
Business practice steps |
 |
 |
39. Define process for a) a department requesting an attribute release policy referring to a remote site, and b) central IT reviewing, creating, and managing the attribute release policy |
 |
 |
40. Define help desk process for when user encounters a problem accessing service providers |
 |
 |
Technical - Basic Identity and Access Management Steps |
 |
 |
41. Ensure compliance with federation attribute practice |
 |
 |
Technical - Shibboleth Software and Federation Requirements Steps |
 |
 |
42. Follow technical steps to join the desired federation |
 |
 |
43. Configure identity provider software to use federation metadata and credentials and refresh when required |
 |
 |
Stage 3: Inter-campus Federation - Central and Department Service Providers
Task |
Limited Scope ....................................... |
Broader Scope .......................................... |
|---|---|---|
Policy steps |
 |
 |
44. Ensure SP is compliant with federation policies |
 |
 |
Business Practice |
 |
 |
45. Ensure service provider has defined problem resolution process for remote users |
 |
 |
46. Create process for department service provider to ask to be added to federation metadata |
 |
 |
Technical - Shibboleth Software and Federation Requirements |
 |
 |
47. Add service provider information to the federation metadata |
 |
 |
48. Configure service provider software to use federation metadata and credentials and refresh when required |
 |
 |