InCommon Federation Participant Operational Practices

Participation in the InCommon Federation ("Federation") enables a federation participating organization ("Participant") to use Shibboleth identity attribute sharing technologies to manage access to on-line resources that can be made available to the InCommon community. One goal of the Federation is to develop, over time, community standards for such cooperating organizations to ensure that shared attribute assertions are sufficiently robust and trustworthy to manage access to important protected resources. As the community of trust evolves, the Federation expects that Participants eventually should be able to trust each other's identity management systems and resource access management systems as they trust their own.

A fundamental expectation of Participants is that they provide authoritative and accurate attribute assertions to other Participants, and that Participants receiving an attribute assertion protect it and respect privacy constraints placed on it by the Federation or the source of that information. In furtherance of this goal, InCommon requires that each Participant make available to other Participants certain basic information about any identity management system, including the identity attributes that are supported, or resource access management system registered for use within the Federation.

Two criteria for trustworthy attribute assertions by Identity Providers are: (1) that the identity management system falls under the purview of the organization's executive or business management, and (2) that the system for issuing end-user credentials (e.g., PKI certificates, userids/passwords, Kerberos principals, etc.) specifically has in place appropriate risk management measures (e.g., authentication and authorization standards, security practices, risk assessment, change management controls, audit trails, etc.).

InCommon expects that Service Providers, who receive attribute assertions from another Participant, respect the other Participant's policies, rules, and standards regarding the protection and use of that data. Furthermore, such information should be used only for the purposes for which it was provided. InCommon strongly discourages the sharing of that data with third parties, or aggregation of it for marketing purposes without the explicit permission of the identity information providing Participant.

InCommon requires Participants to make available to all other Participants answers to the questions below. Additional information to help answer each question is available in the next section of this document. There is also a glossary at the end of this document that defines terms shown in italics.

1. Federation Participant Information

1.1 The InCommon Participant Operational Practices information below is for:
InCommon Participant organization name: Bryn Mawr College

The information below is accurate as of August, 2017

1.2 Identity Management and/or Privacy information
Additional information about the Participant's identity management practices and/or privacy policy regarding personal information can be found on-line at the following location(s):

1.3 Contact information
The following person or office can answer questions about the Participant's identity management system or resource access management policy or practice.
David Bertagni
Chief Technologist
dbertagni@fatkee.net
p. 610-526-7438  f. 610-526-7432

2. Identity Provider Information

The most critical responsibility that an Identity Provider Participant has to the Federation is to provide trustworthy and accurate identity assertions. It is important for a Service Provider to know how your electronic identity credentials are issued and how reliable the information associated with a given credential (or person) is.

Community

2.1 If you are an Identity Provider, how do you define the set of people who are eligible to receive an electronic identity? If exceptions to this definition are allowed, who must approve such an exception?

See the Server Account Policy.

2.2 "Member of Community" is an assertion that might be offered to enable access to resources made available to individuals who participate in the primary mission of the university or organization. For example, this assertion might apply to anyone whose affiliation is "current student, faculty, or staff."

What subset of persons registered in your identity management system would you identify as a "Member of Community" in Shibboleth identity assertions to other InCommon Participants?

Bryn Mawr considers current members of our community to be faculty, staff, students, and those existing affiliates who are identified as retirees or researchers.

2.3 Please describe in general terms the administrative process used to establish an electronic identity that results in a record for that person being created in your electronic identity database. Please identify the office(s) of record for this purpose. For example, "Registrar's Office for students; HR for faculty and staff."

A number of offices are responsible for placing records which authorize access in a central system. The offices are as follows:

  • Admissions for applicants
  • Registrar for students
  • Deans for returning and leave-of-absence students
  • Provost for some affiliates
  • Human Resources for staff, faculty, and some affiliates
  • Alumnae/i for alums
  • Development for alums and donors

2.4 What technologies are used for your electronic identity credentials (e.g., Kerberos, userID/password, PKI, ...) that are relevant to Federation activities? If more than one type of electronic credential is issued, how is it determined who receives which type? If multiple credentials are linked, how is this managed (e.g., anyone with a Kerberos credential also can acquire a PKI credential) and recorded?

The College uses a single primary username and password, managed by our identity management system and authenticated against standard Microsoft Active Directory.

2.5 If your electronic identity credentials require the use of a secret password or PIN, and there are circumstances in which that secret would be transmitted across a network without being protected by encryption (i.e., "clear text passwords" are used when accessing campus services), please identify who in your organization can discuss with any other Participant concerns that this might raise for them:

Credentials are not permitted to be transmitted in clear text. For questions, please contact:

David Bertagni
Chief Technologist
dbertagni@fatkee.net

2.6 If you support a "single sign-on" (SSO) or similar campus-wide system to allow a single user authentication action to serve multiple applications, and you will make use of this to authenticate people for InCommon Service Providers, please describe the key security aspects of your SSO system including whether session timeouts are enforced by the system, whether user-initiated session termination is supported, and how use with "public access sites" is protected.

We do not currently use SSO for on-campus services.

2.7 Are your primary electronic identifiers for people, such as "net ID," eduPersonPrincipalName, or eduPersonTargetedID considered to be unique for all time to the individual to whom they are assigned? If not, what is your policy for re-assignment and is there a hiatus between such reuse?

Usernames are considered to be the primary electronic identifier and are guaranteed to be unique.  Usernames which are issued to Members of Community are not reused and stay with the individual to whom they are assigned.

Electronic Identity Database

2.8 How is information in your electronic identity database acquired and updated? Are specific offices designated by your administration to perform this function? Are individuals allowed to update their own information on-line?

Most information is maintained by the responsible offices, see section 2.3.  Individuals may update very limited information (such as mobile phone number) online.

2.9 What information in this database is considered “public information” and would be provided to any interested party?

Information within the electronic identity system is not considered public information. We comply with FERPA and other privacy standards. We will release required attributes to partners as required to provide or obtain services.

Uses of Your Electronic Identity Credential System

2.10 Please identify typical classes of applications for which your electronic identity credentials are used within your own organization.

  • Email/Calendar
  • Registration / ERP system
  • Financials
  • Blogs
  • Web pages
  • Computer login / printing
  • Network file storage
  • LMS (Moodle)
  • Network access (wired and wireless / eduroam)

Attribute Assertions

Attributes are the information data elements in an attribute assertion you might make to another Federation participant concerning the identity of a person in your identity management system.

2.11 Would you consider your attribute assertions to be reliable enough to:
[X] control access to on-line information databases licensed to your organization?
[X] be used to purchase goods or services for your organization?
[X] enable access to personal information such as student loan status?

Privacy Policy

Federation Participants must respect the legal and organizational privacy constraints on attribute information provided by other Participants and use it only for its intended purposes.

2.12 What restrictions do you place on the use of attribute information that you might provide to other Federation participants?

The information must only be used for the purposes for which it has been provided. It must not be aggregated or provided to any third party unless agreed upon between Bryn Mawr College and the service provider/partner.

2.13 What policies govern the use of attribute information that you might release to other Federation participants? For example, is some information subject to FERPA or HIPAA restrictions?

Some data is subject to FERPA, HIPAA, and other regulations. The policies are as follows:

3. Service Provider Information

Service Providers are trusted to ask for only the information necessary to make an appropriate access control decision, and to not misuse information provided to them by Identity Providers. Service Providers must describe the basis for access to resources they manage and their practices with respect to attribute information they receive from other Participants.

3.1 What attribute information about an individual do you require in order to manage access to resources you make available to other Participants? Describe separately for each service ProviderID that you have registered.

None. At this time, Bryn Mawr College is not acting as a service provider.

3.2 What use do you make of attribute information that you receive in addition to basic access control decisions? For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?

None. At this time, Bryn Mawr College is not acting as a service provider.

3.3 What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)? For example, is this information encrypted?

Not applicable. At this time, Bryn Mawr College is not acting as a service provider.

3.4 Describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information.

Not applicable. At this time, Bryn Mawr College is not acting as a service provider.

3.5 If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?

Not applicable. At this time, Bryn Mawr College is not acting as a service provider.

4. Other Information

4.1 Technical Standards, Versions and Interoperability
Identify the version of Internet2 Shibboleth code release that you are using or, if not using the standard Shibboleth code, what version(s) of the SAML and SOAP and any other relevant standards you have implemented for this purpose.

Shibboleth Identity Provider .2.1

4.2 Other Considerations
Are there any other considerations or information that you wish to make known to other Federation participants with whom you might interoperate? For example, are there concerns about the use of clear text passwords or responsibilities in any situations of security breaches involving identity information you may have provided?

None at this time.
