SSO Policy

Attribute Release Policy for Web Single Sign-On (SSO)

February 2018

1.0 Purpose

The purpose of this SSO policy is to establish currIQūnet’s requirements for single sign-on attribute release, in order to provide ease of use, federation, and awareness of how personal identity data is used for authentication, and to maximize the security of identity data while minimizing its misuse or theft.

2.0 Background

currIQūnet Solutions, LLC DBA Acadea collects and stores information for its clients, namely educational institutions, including data about the client’s faculty such as username, department, system privileges, role, etc. currIQūnet Solutions, LLC DBA Acadea has established the protections necessary to maintain the privacy of everyone connected to currIQūnet Solutions, LLC DBA Acadea, and to maintain compliance with all regulatory mandates on storing and using private information. This Attribute Release Policy is targeted only at single sign-on, and falls under the general provisions of the currIQūnet Solutions, LLC DBA Acadea Privacy Policy.

It is important for the currIQūnet Solutions, LLC DBA Acadea community to know that currIQūnet Solutions, LLC DBA Acadea receives identifying information, or “attributes”, from others. The ability to share such information allows for seamless and secure access to the web pages provided by currIQūnet Solutions, LLC DBA Acadea without further authentication of the user.

currIQūnet Solutions, LLC DBA Acadea has announced itself as a Federated Authentication Service Provider (SP), and the transfer, release, and use of attribute information is central to the operation of Federated Authentication. However, attribute values may represent ‘personal data’ and are subject to protection, regulatory oversight, and mandatory compliance measures.

currIQūnet Solutions, LLC DBA Acadea is dedicated to ensuring the privacy and proper handling of the identity data of its clients and individuals associated with currIQūnet. The goal of this Attribute Release Policy (ARP) is to ensure that the necessary procedures and awareness exist for the use and release of identity data, while also enabling secure federation and authentication between currIQūnet Solutions, LLC DBA Acadea and its partners.

currIQūnet Solutions, LLC DBA Acadea follows established best practices governing the receipt of personally identifiable information from Identity Providers. currIQūnet Solutions, LLC DBA Acadea has identified several categories of Identity Providers, and the attributes that may be received from Identity Providers falling into each category. The receipt of additional available attributes may be requested by contacting the Shibboleth Administrator.

3.0 Scope

This policy applies to all users, computing resources, and applications owned or managed by currIQūnet Solutions, LLC DBA Acadea. Individuals covered by the policy include (but are not limited to) currIQūnet Solutions, LLC DBA Acadea employees.

Computing resources include all hardware and software owned, licensed, or managed by currIQūnet, and use of the currIQūnet Solutions, LLC DBA Acadea network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

These policies apply to technology administered in individual departments, personally owned computers and devices connected by wire or wireless to the currIQūnet Solutions, LLC DBA Acadea network, and to off-site computers that connect remotely to currIQūnet Solutions, LLC DBA Acadea’s network services.

4.0 Policy

currIQūnet Solutions, LLC DBA Acadea has the authority to share certain pieces of common identity data with verified systems at currIQūnet Solutions, LLC DBA Acadea.

Attribute values obtained through Federated Authentication are for the purposes of authorization and facilitation of the end user’s session. They are not to be shared in any way, and because these attributes are subject to change, they should not be stored locally.

5.0 Definitions

Attribute – An attribute is a piece of information describing some aspect of a person’s identity. Examples of attributes include, but are not limited to, email address, University affiliation, name, etc. Attributes may be asserted by an IdP to an SP, and different attributes may be received from different IdPs.

Federation – A group of organizations that share a level of trust and work with each other to interoperate, frequently defining a common set of shared attributes. currIQūnet is a member of the US higher education federation, InCommon, and has created its own campus federation. There are many education, government, and potentially business federations throughout the world.

Identity Provider (IdP) – Every constituent of a federation must provide this service for the purpose of verifying the identity of users who belong to an institution on behalf of other federation members requesting identity verification. This is the “home institution” login component of Federated Authentication. The IdP also plays the important role of providing information (attributes) about users when prompted by service requests.

InCommon – InCommon is the U.S. higher education federation. currIQūnet Solutions, LLC DBA Acadea, as well as many peer schools and service providers that cater to the higher education sector, are members of InCommon and share a common infrastructure and language for defining interoperability and attributes.

Service Provider (SP) – A service provided by a federation constituent that a user might want to access, with access mediated by Shibboleth. Many services are provided by commercial partners. Increasingly, however, collaboration sites supporting joint work and hosted by other campuses also manage access using Federated Authentication.

Shibboleth – Shibboleth provides for privacy protection through Attribute Release Policies (ARPs). Release of user attributes from an Identity Provider (IdP) to a Service Provider (SP) is determined by the IdP’s ARPs. ARPs contain a set of rules specifying which attributes to release. Shibboleth is an open source implementation of the OASIS SAML standard, and the project has implementations of both the Service Provider and Identity Provider software.

Shibboleth Administrator – The person or group responsible for managing the technical aspects of Shibboleth Infrastructure, in particular for configuring and implementing attribute release policies on the Identity Provider (IdP).

6.0 Principles

Attribute Release Policy

Federated Authentication is designed to provide data about users (attributes) to authorized requesters.

All Attribute Release is governed by Attribute Release Policy.

An Attribute Release Policy is associated with an application (typically a URL).

Attribute Release Control

Each Application has exactly one responsible party.

A responsible party may have many applications.

An Attribute Release Policy (ARP) may be assigned to many applications.

An application may have more than one ARP.

An ARP may release multiple attributes.

An attribute may be released via many different policies.

Attribute Release Policy Control

A request for an ARP for an application is made through the Shibboleth Administrator.

XML is generated by the Shibboleth IdP.

XML is installed by the Shibboleth SP.
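The Shibboleth definition in section 5.0 and the control steps above describe an ARP as a set of IdP-side rules keyed to an application. The following attribute-filter.xml fragment is an added illustration of that structure in the Shibboleth IdP's own policy syntax; it is not currIQūnet's configuration, and the two entityID values and the attribute names are assumed placeholders. It shows one policy attached to a single application (one responsible party) and a second policy assigned to two applications, each releasing only a small set of attributes.

```xml
<AttributeFilterPolicyGroup id="ExampleFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- ARP for one application, keyed on the SP entityID (placeholder value).
         Anything not listed in an AttributeRule is withheld: release is deny-by-default. -->
    <AttributeFilterPolicy id="curriculumAppARP">
        <PolicyRequirementRule xsi:type="Requester" value="https://app.example.edu/shibboleth" />

        <!-- Small set with large coverage: a stable identifier and an affiliation
             are enough for authorization, so no local copy of enterprise data is needed. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- One ARP assigned to many applications: the requirement rule matches
         either of two SP entityIDs (both placeholders). -->
    <AttributeFilterPolicy id="sharedCollaborationARP">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://wiki.example.edu/shibboleth" />
            <Rule xsi:type="Requester" value="https://files.example.edu/shibboleth" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Because an attribute is released only where some policy names it, an application with no matching AttributeFilterPolicy receives nothing, which is the intended safe default; a change to an application's attribute set is a change to its policy on the IdP rather than to the application itself. The IdP logs each attribute it releases per requester, which gives the Shibboleth Administrator a record to check against the written policy.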

ARP Goals

Simple policies

Small set with large coverage

Reduce the need for other access to enterprise systems

Reduce the need for local storage of attributes
