UF SP Policies

By using the UF Shibboleth Identity Providers (IdPs) for single sign-on (SSO), you agree to the following policies:

  • Per UF policy, all SPs must be configured for SSO using an approved method. Any exception (an SP that uses local accounts or some other authentication method) requires approval by IAM management and the security office.
  • Every SP must have accurate contact information for at least two distinct contacts. Contact information must be verified annually.
  • SPs are required to follow current best practices for protecting the data they receive. This means presenting at least a signing certificate when interacting with the IdP (an encryption certificate is desirable, but not currently required). Any exception (i.e., an SP that does not use at least a signing certificate) must be approved by IAM management. Such SPs will receive only directory information. Exceptions are temporary, and their duration is determined by IAM management.
  • SPs are expected to abide by the principle of minimum access: request only the minimum set of attributes needed for the SP to perform its function. SPs that have been assigned attributes they do not need should take the steps necessary to have those attributes removed.
  • The UF IdPs provide data that conforms to established SSO-related standards. Specialized data unique to a single SP is not supported. Any exception must be approved by IAM management.
  • SPs must maintain the certificates and metadata they need, including the updates required when certificates approach expiry. Expired certificates should not be used.
  • All SPs must undergo a risk assessment to establish that the application they run is safe and the data it handles is protected. The one exception is an SP built on an official "Fast Path" solution, meaning an application that has already had a risk assessment and has been deemed safe for all SPs; such SPs do not require a separate risk assessment.
  • All SPs must be active. An inactive SP is a security risk with no benefit. Once an SP has been inactive for 6 months, it will be deactivated. It can be reactivated on request as needed.
  • SPs must be registered in the SP registry in order to use the UF IdP. For convenience, SPs are registered in groups. Each group contains the SPs that run the same application (for example its dev, test, qat and prod tiers) and that require identical information from the IdP.