Request Exception to Identity Management Service Provider Standard

The Identity Management Service Provider Standard exists to establish requirements for services that make use of the university’s central identity repository known as GatorLink credentials. The objective of the standard is to protect the integrity and assurance of the UF digital credential.

There are Federal, InCommon Identity federation and risk management requirements for assurance that need to be considered when utilizing the UF credentials. Any service provider that is using the GatorLink credential must adhere to the standard and policies with the intent to provide and maintain assurance and integrity of the credential.

UFIT strongly prefers the use of SAML2 based security using the Shibboleth Identity Provider (IdP) and Service Provider (SP) software. There are two parts to the service provider security. Authentication is the ability for the user to successfully present the credential to the IdP server and confirm with a level of assurance that they are the individual who is bound to that credential. Authorization is the release of attributes to the Service provider at the time of  login to confirm facts known about the individual. Services should use both in deciding who is allowed into the application. Lastly, with the use of SAML2 based security, service providers can accept a credential from trusted federation sources and UF in turn can use credentials to log in to services provided by other entities in the federation.

Gartner and other sources are recommending attribute based security and security federations as a method of the future and it has a strong hold in higher education already. The internet2 and InCommon, eduCause and others recognize this SAML2 authentication and federation as a strongly desired direction.

UFIT understands that in some cases using SAML based authentication may not be feasible or architecturally desirable for a specific service provider use case. Service providers can request an exception to the standard for their web based applications. There are several years of experience at UF at this point in time and it is rare that a service is not able to use the SAML2 authentication and authorization techniques either directly or via a simple proxy server protocol. However, should you have a case you feel requires an exception to the university standard you may request an exception.

Exception procedure:

1) Feel free to consult with the IAM office if you have an application or need advice in determining how to utilize the SAML2 based features in Shibboleth. This process is routine for UFIT staff involved with these techniques, making them a good resource. There have been about 800 use cases deployed at the UF during the past few years on to the Shibboleth platform. There is also a great deal of help available on the local listserv and the shibboleth product listserv. Chances are someone has experience doing what you need to do. Please use the resources.

2) If after some investigation you feel you need an exception then you must document the use case. Identify in detail on the application, who, what, how, why there are difficulties or desires not to utilize the standard. Document the software and platforms being used. Who are the constituents that will use, support, and manage the environment? Will the service be located on campus or with some vendor or SAAS service? Please be precise and provide enough information to clearly document the case and allow for an informed decision process to follow the request.

3) Send the documentation and your request to the Identity Access management office at UFIT. You can open a service request for the Service Provider Authentication team or simply email to the IAM Admin list (BA-BridgesIAMADMIN@bridges.ufl.edu).

4) The IAM team will respond to your request to let you know it has been received , do an initial review for detail and content. We may have questions and need to discuss your submission at this point if we have any questions regarding the request content.

5) Next IAM will involve the CISO staff, IAM staff, technology experts for SAML2 and Shibboleth, and possibly staff from other appropriate areas of UF technology, risk and privacy as needed to assess the request. The group will be engaged to provide a resolution to the request in a timely manner. These cases can vary in complexity. Please allow time in your schedules for this process. This process may require interview and joint sessions with the requesting provider.

6) Once a decision is made the requesting area will be notified of the outcome of the request. Exception granted, Not Granted or Recommendation.

You completeness and detail of your request will determine in most cases how quickly and smoothly this process will move forward. Please document your use case for exception as well as you are able. We have only a few known cases in the past that have not been able to utilize the SAML2 methods.