Shibboleth as Attribute Delivery for Authorization Renee Shuey Penn State University June 27, 2006

Outline PSU and ITS What Identity Management looks like at Penn State External attribute distribution Considerations when releasing attributes Wrap-up

A little bit about Penn State and ITS…

Penn State

Penn State Established 1855, PA’s Land Grant 24 campus locations 80K students, 10K faculty, 10K staff $640M annual research expenditure

Components of IdM at Penn State Kerberos, DCE, Active Directory LDAP (eduPerson) Cosign (WebAccess is local branding) Shibboleth Member of InCommon “Access Account” - branding for Penn State identity (authn only available too), ~120K “Short Term Access Accounts” (authn only available too), 178/9104 as of 11AM today “Friends of Penn State” - branding for external identity, ~450K

Example of Access Account Uses WebMail eLion Filespace Employee Benefits Personal webspace LIAS (Library Resources) ANGEL (Course Management) Penn State Portal Time cards e-Portfolio General Stores – shopping online Parking permit applications Res Hall applications, network connections Travel services Office of Physical Plant –Customer Info Center Id+ Online WebForum Student Computer Labs Wireless authn VPN etc.

Examples of Short Term Access Account uses Temporary access to a computer lab Temporary access to wireless Helps solve the summer camp problem Continuing Education (big deal at non-UP campuses)

Examples of “Friends of Penn State” Uses ANGEL (Course Mgt) Undergraduate Admissions World Campus Registrar Office of Human Resources Outreach Bursar Counselor Training Program

Examples of Shib uses WebAssign Napster ANGEL Office of Student Aid (coming soon) Symplicity (coming soon) Worldwide University Network turnitin.com (coming soon) Lionshare Thomson Publishing (coming soon)

What attributes do we share with which service providers?

Example 1 - WebAssign Attributes Released eduPersonPrincipalName (EPPN) Physics course Common name Surname Given name

Example 2 - Turnitin Attributes Released: eduPersonPrincipalName eduPersonPrimaryAffiliation Given Name Surname

Example 3 – PHEAA (Pennsylvania Higher Education Assistance Agency) Attributes Released: eduPersonScopedAffiliation eduPersonAffiliation Given Name Surname Date of Birth Social Security Number      

So….how did we decide what attributes can be released to an external service provider?

Using Example 1 - WebAssign Course information students pay directly for access to physics content Existing policies related to FERPA and student records (AD-11) “The following is a list of directory items that may be made available to the public regarding students of the University without their prior consent and is considered part of the public record of their attendance: “ Confidentiality hold

Using Example 3 - PHEAA Current policies define what attributes, or combination of attributes, constitute a FERPA protected record AD-11 - University policy on confidentiality of student records Social Security Number AD-19 - Use of Penn State Identification and Social Security Number Requires special permission from Chief Privacy Officer

Summary of Process for Distributing Attributes Identify which attributes are “required” by service provider to complete transaction Work with appropriate people to verify attributes can be shared University affiliate, IdM administrators, Chief Privacy Officer, Data Stewards Shibboleth Identity provider admin creates attribute release policy

Points to Ponder Confidentiality hold Leverage well established business rules Personal management of attribute release (SHARPE) Third party policy Audits of TP security practices Addendums to contracts

The On-Going Challenge Good tools exist but that’s not enough The only thing standing between these principles & practices and making a big difference with them is: developing the institutional will to constantly improve IdM creating a groundswell of epiphanies across the university

Questions?