University at Buffalo (UB)
1. Please describe in general terms the administrative process used to establish an electronic identity that results in a record for that person being created in your electronic identity database? Please identify the office(s) of record for this purpose. For example, “Registrar’s Office for students; HR for faculty and staff.”
Registrar’s Office for students; HR for faculty, staff, or volunteers; alumni office for alumni; Library staff for Library walk-in patrons
2. What technologies are used for your electronic identity credentials (e.g., Kerberos, userID/password, PKI, ...) that are relevant to Federation activities? If more than one type of electronic credential is issued, how is it determined who receives which type? If multiple credentials are linked, how is this managed (e.g., anyone with a Kerberos credential also can acquire a PKI credential) and recorded?
Kerberos
3. If your electronic identity credentials require the use of a secret password or PIN, and there are circumstances in which that secret would be transmitted across a network without being protected by encryption (i.e., “clear text passwords” are used when accessing campus services), please identify who in your organization can discuss with any other Participant concerns that this might raise for them:
Larry Schnitzer, Director of Enterprise Infrastructure Services
4. If you support a “single sign-on” (SSO) or similar campus-wide system to allow a single user authentication action to serve multiple applications, and you will make use of this to authenticate people for InCommon Service Providers, please describe the key security aspects of your SSO system including whether session timeouts are enforced by the system, whether user-initiated session termination is supported, and how use with “public access sites” is protected.
Shibboleth is used for SSO with an 8-hour session timeout, and no session termination features besides closing the browser
5. Are your primary electronic identifiers for people, such as “net ID,” eduPersonPrincipalName, or eduPersonTargetedID considered to be unique for all time to the individual to whom they are assigned? If not, what is your policy for re-assignment and is there a hiatus between such reuse?
Electronic identifiers are unique for all time. We do not re-use identities.
1. How is information in your electronic identity database acquired and updated? Are specific offices designated by your administration to perform this function? Are individuals allowed to update their own information on-line?
Automatic updates based on HR and Student System data feeds
2. What information in this database is considered “public information” and would be provided to any interested party?
Directory information published in LDAP for active users according to FERPA suppression guidelines
Please identify typical classes of applications for which your electronic identity credentials are used within your own organization.
Email, file services, MyUB portal. UB Learns learning management system, Student Service HUB for class registration, tuition payment, etc., and Web conferencing
Attributes are the information data elements in an attribute assertion you might make to another Federation participant concerning the identity of a person in your identity management system.
Would you consider your attribute assertions to be reliable enough to:
[X] control access to on-line information databases licensed to your organization?
[X] be used to purchase goods or services for your organization?
[X] enable access to personal information such as student loan status?
Federation Participants must respect the legal and organizational privacy constraints on attribute information provided by other Participants and use it only for its intended purposes.
1. What restrictions do you place on the use of attribute information that you might provide to other Federation participants?
Only necessary attributes are released per application
2. What policies govern the use of attribute information that you might release to other Federation participants? For example, is some information subject to FERPA or HIPAA restrictions?
FERPA & HIPAA