Digital Measures: InCommon Federation: Participant Operational Practices

Participation in the InCommon Federation ("Federation") enables a federation participating organization ("Participant") to use Shibboleth identity attribute sharing technologies to manage access to on-line resources that can be made available to the InCommon community. One goal of the Federation is to develop, over time, community standards for such cooperating organizations to ensure that shared attribute assertions are sufficiently robust and trustworthy to manage access to important protected resources. As the community of trust evolves, the Federation expects that participants eventually should be able to trust each other's identity management systems and resource access management systems as they trust their own.

A fundamental expectation of Participants is that they provide authoritative and accurate attribute assertions to other Participants, and that Participants receiving an attribute assertion protect it and respect privacy constraints placed on it by the Federation or the source of that information. In furtherance of this goal, InCommon requires that each Participant make available to other Participants certain basic information about any identity management system, including the identity attributes that are supported, or resource access management system registered for use within the Federation.

InCommon expects that Service Providers, who receive attribute assertions from another Participant, respect the other Participant's policies, rules, and standards regarding the protection and use of that data. Furthermore, such information should be used only for the purposes for which it was provided. InCommon strongly discourages the sharing of that data with third parties, or aggregation of it for marketing purposes without the explicit permission[1] of the identity information providing Participant.

InCommon requires Participants to make available to all other Participants answers to the questions below.[2]

  1. Federation Participant Information

    1.1. Organization Identification

      The InCommon Participant Operational Practices information below is for:

      Organization: Digital Measures
      Last modified: July 14, 2009

    1.2. Identity Management and/or Privacy Information

      Additional information about the Participant's privacy policy regarding personal information can be found on-line at the following location.

      URL: http://www.digitalmeasures.com/privacy.html

    1.3. Contact Information

      The following person or office can answer questions about the Participant's identity management system or resource access management policy or practice.

      Name: Digital Measures Technical Support
      Email: support@digitalmeasures.com
      Phone: 1-866-348-5677

  2. Identity Provider Information

    This organization does not act as a public Identity Provider.

  3. Service Provider Information

    Service Providers are trusted to ask for only the information necessary to make an appropriate access control decision, and to not misuse information provided to them by Identity Providers. Service Providers must describe the basis on which access to resources is managed and their practices with respect to attribute information they receive from other Participants.

    3.1. Required attributes

      What attribute information about an individual do you require in order to manage access to resources you make available to other Participants?

      eduPersonPrincipalName

    3.2. Attribute usage

      What use do you make of attribute information that you receive in addition to basic access control decisions?

      The provided eduPersonPrincipalName is used to resolve an existing Digital Measures user account; all other attribute information is ignored and not logged.

    3.3. Attribute information access controls

      What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)?

      All interaction between an external IdP and the Digital Measures Service Provider is encrypted in transport via SSL/HTTPS. All attribute information other than the eduPersonPrincipalName is ignored, and exists only in memory for the length of the request. We do not allow use of attribute information for marketing purposes, nor by any of our partner organizations.

    3.4. Super-user access controls

      What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)?

      Only qualified Digital Measures Systems Administrators have access to the Service Provider systems; no other user accounts exist. All system access is via encrypted VPN, and all system logins are via SSH, with only public/private key authentication enabled. All access and privilege escalation (e.g. sudo/su) are logged. The systems are hosted in a secure facility, requiring multiple levels of verification to gain physical access, and visitors/technicians are accompanied by data center personnel at all times.

    3.5. Breach notification

      If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?

      Digital Measures has a data breach plan in place to handle any unauthorized access to online information. Any notice given will be done in compliance with all applicable state and federal laws.

  4. Other Information

    4.1. Technical Standards, Versions and Interoperability

      Shibboleth 2.1

    4.2. Other Considerations

      None

[1] Such permission already might be implied by existing contractual agreements.

[2] Your responses to these questions should be posted in a readily accessible place on your web site, and the URL submitted to InCommon. If any of the information changes, you must update your on-line statement as soon as possible.