Shibboleth as Attribute Delivery for Authorization


DESCRIPTION

Shibboleth as Attribute Delivery for Authorization. Renee Shuey Penn State University June 27, 2006. Outline. PSU and ITS What Identity Management looks like at Penn State External attribute distribution Considerations when releasing attributes Wrap-up. - PowerPoint PPT Presentation

TRANSCRIPT

  • Shibboleth as Attribute Delivery for Authorization
    Renee Shuey
    Penn State University
    June 27, 2006

  • Outline
    PSU and ITS
    What Identity Management looks like at Penn State
    External attribute distribution
    Considerations when releasing attributes
    Wrap-up

  • A little bit about Penn State and ITS

  • Penn State

  • Penn State
    Established 1855, PA's Land Grant
    24 campus locations
    80K students, 10K faculty, 10K staff
    $640M annual research expenditure

  • Information Technology Services at Penn State

  • Components of IdM at Penn State
    Kerberos, DCE, Active Directory
    LDAP (eduPerson)
    Cosign (WebAccess is local branding)
    Shibboleth
    Member of InCommon
    Access Account - branding for Penn State identity (authn-only available too), ~120K
    Short Term Access Accounts (authn-only available too)
    Friends of Penn State - branding for external identity, ~450K

  • Example of Access Account Uses
    WebMail
    eLion
    Filespace
    Employee Benefits
    Personal webspace
    LIAS (Library Resources)
    ANGEL (Course Management)
    Penn State Portal
    Time cards
    e-Portfolio
    General Stores shopping online
    Parking permit applications
    Res Hall applications, network connections
    Travel services
    Office of Physical Plant Customer Info Center
    id+ Online
    WebForum
    Student Computer Labs
    Wireless authn
    VPN
    etc.

  • Examples of Short Term Access Account uses
    Temporary access to a computer lab
    Temporary access to wireless
    Helps solve the summer camp problem
    Continuing Education (big deal at non-UP (University Park) campuses)

  • Examples of Friends of Penn State Uses
    ANGEL (Course Mgt)
    Undergraduate Admissions
    World Campus
    Registrar
    Office of Human Resources
    Outreach
    Bursar
    Counselor Training Program

  • Examples of Shib uses
    WebAssign
    Napster
    ANGEL
    Office of Student Aid (coming soon)
    Symplicity (coming soon)
    Worldwide University Network
    turnitin.com (coming soon)
    Lionshare
    Thomson Publishing (coming soon)

  • What attributes do we share with which service providers?

  • Example 1 - WebAssign
    Attributes Released:
    eduPersonPrincipalName (EPPN)
    Physics course
    Common name
    Surname
    Given name

  • Example 2 - Turnitin
    Attributes Released:
    eduPersonPrincipalName
    eduPersonPrimaryAffiliation
    Given Name
    Surname

  • Example 3 - PHEAA (Pennsylvania Higher Education Assistance Agency)
    Attributes Released:
    eduPersonScopedAffiliation
    eduPersonAffiliation
    Given Name
    Surname
    Date of Birth
    Social Security Number

  • So... how did we decide what attributes can be released to an external service provider?

  • Using Example 1 - WebAssign
    Course information
    Students pay directly for access to physics content
    Existing policies related to FERPA and student records (AD-11):
    "The following is a list of directory items that may be made available to the public regarding students of the University without their prior consent and is considered part of the public record of their attendance:"
    Confidentiality hold

  • Using Example 3 - PHEAA
    Current policies define what attributes, or combination of attributes, constitute a FERPA-protected record
    AD-11 - University policy on confidentiality of student records
    Social Security Number
    AD-19 - Use of Penn State Identification and Social Security Number
    Requires special permission from Chief Privacy Officer

  • Summary of Process for Distributing Attributes
    Identify which attributes are required by the service provider to complete the transaction
    Work with appropriate people to verify attributes can be shared: University affiliate, IdM administrators, Chief Privacy Officer, Data Stewards
    Shibboleth Identity Provider admin creates the attribute release policy
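Worked example, added here and not part of the original presentation or Penn State's configuration: the last step of the process above, the attribute release policy the IdP admin writes, expressed for the release decisions in Examples 1 and 2 and the confidentiality hold. It uses the conf/attribute-filter.xml syntax of Shibboleth IdP v3/v4 rather than the ARP files of the 2006-era IdP 1.x. The entityIDs, the course entitlement URN and the psuConfidentialityHold attribute are hypothetical, and the attributeIDs are assumed to match those defined in the IdP's attribute-resolver.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example (not Penn State's real configuration).
  Shibboleth IdP v3/v4 conf/attribute-filter.xml.  The filter is default-deny:
  an attribute reaches an SP only if some AttributeFilterPolicy whose
  PolicyRequirementRule matches the request carries an AttributeRule that
  permits it.  An SP requesting an attribute in its metadata releases nothing
  by itself.  entityIDs, the entitlement URN and psuConfidentialityHold are
  hypothetical.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Example 1: WebAssign.  Released only to that SP's entityID, and only for
       users with no FERPA confidentiality hold: directory items stop being
       public once the hold is set, so the whole policy is gated on it. -->
  <AttributeFilterPolicy id="releaseToWebAssign">
    <PolicyRequirementRule xsi:type="AND">
      <Rule xsi:type="Requester" value="https://webassign.example.net/shibboleth"/>
      <Rule xsi:type="NOT">
        <!-- psuConfidentialityHold: hypothetical attribute resolved from the
             student system; "true" means the student has opted out of
             directory-information disclosure.  It must be resolved for the
             filter to see it, but it is never itself released. -->
        <Rule xsi:type="Value" attributeID="psuConfidentialityHold" value="true"/>
      </Rule>
    </PolicyRequirementRule>

    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="cn">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sn">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <!-- "Physics course" carried as an eduPersonEntitlement value (assumption).
         Value filtering sends the one entitlement WebAssign needs, not every
         entitlement the user holds. -->
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="Value" value="urn:mace:example.edu:course:physics"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Example 2: Turnitin.  Affiliation is value-filtered so that only the
       affiliations the service is contracted for are disclosed. -->
  <AttributeFilterPolicy id="releaseToTurnitin">
    <PolicyRequirementRule xsi:type="Requester" value="https://turnitin.example.com/shibboleth"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrimaryAffiliation">
      <PermitValueRule xsi:type="OR">
        <Rule xsi:type="Value" value="student"/>
        <Rule xsi:type="Value" value="faculty"/>
      </PermitValueRule>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sn">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Example 3 (PHEAA) is deliberately absent from this file.  Date of birth
       and the Social Security Number are not directory information under
       AD-11, and AD-19 requires Chief Privacy Officer approval before a
       policy releasing the SSN is written at all. -->
</AttributeFilterPolicyGroup>
```

Because release is default-deny, a typo in a Requester entityID fails closed (the SP gets nothing) rather than leaking. Before enabling a new SP, dump what a test principal would actually send it with the IdP's bin/aacli.sh (the --principal and --requester options) and confirm that the list matches what was agreed with the Privacy Officer and data stewards, and that setting the hold attribute on the test account empties the WebAssign release.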

  • Points to Ponder
    Confidentiality hold
    Leverage well-established business rules
    Personal management of attribute release (Autograph)
    Third-party policy
    Audits of TP security practices
    Addendums to contracts (mutual non-disclosure)

  • The On-Going Challenge
    Good tools exist but that's not enough
    The only thing standing between these principles & practices and making a big difference with them is:
    developing the institutional will to constantly improve IdM
    creating a groundswell of epiphanies across the university

  • Questions?