Difference between revisions of "IdP Operational Requirements"

From: KIFÜ Wiki

Revision as of 27 September 2011, 16:33

Purpose of this document

This document defines identity management and system operation requirements and recommendations for Identity Providers joining the HREF Federation.

Throughout this document the terms MUST, MUST NOT, SHOULD (RECOMMENDED) and SHOULD NOT (NOT RECOMMENDED, DISCOURAGED) are interpreted as follows:

  • MUST (or SHALL, REQUIRED): the definition is an absolute requirement of the specification in order to build and keep trust in the federation.
  • MUST NOT: the definition is an absolute prohibition of the specification.
  • SHOULD (or RECOMMENDED): there may be valid reasons for ignoring the definition; however, the divergence MUST be documented.
  • SHOULD NOT (or NOT RECOMMENDED): there may be valid reasons for the particular behaviour to be acceptable; however, the divergence MUST be documented.

Identity management

  1. The organization operating the Identity Provider MUST document its privacy policy and make it available to its users.
  2. The organization MUST define the sources, the maintenance procedures and approximate quality of the data about its users, and supply this documentation to the Federation.
  3. Uniqueness of the usernames MUST be guaranteed.
  4. One individual SHOULD NOT have more than one user account.
  5. Role accounts SHOULD NOT be used.
  6. Use of attributes:
    1. Attribute implementations MUST follow the Attribute Specification.
    2. The Identity Provider MUST implement the following attributes:
      • eduPersonTargetedID
      • eduPersonScopedAffiliation
      • schacHomeOrganizationType
      • eduPersonPrincipalName
    3. The Identity Provider SHOULD implement the following attributes:
      • displayName
      • mail
      • eduPersonEntitlement
    4. The IdP MUST ensure that eduPersonTargetedID and eduPersonPrincipalName are not re-assignable.
  7. Limitation of test accounts:
    1. All test accounts MUST be identified and documented along with the individual who is responsible for the test account.
    2. Real transactions MUST NOT be initiated by test accounts.
    3. Test accounts SHOULD be distinguished with an appropriate homeOrganizationType value.
  8. User credentials (i.e. passwords) MUST NOT be transmitted over public networks in unencrypted form.
  9. Initial user passwords SHOULD be distributed in non-electronic form.
  10. Changes in the users' affiliation to the institution MUST be propagated to the IdP database within 7 days.
    1. If the authoritative source of user information is an external database (e.g. a student information system), then the above limit starts from the time of the change in the primary system.
    2. Students may use the 'alum' affiliation after leaving the organization. The values 'student' or 'member' MUST NOT be used afterwards.
    3. For faculty members and employees, affiliation values 'staff', 'employee', 'faculty' and 'member' MUST be revoked.

Service management

  1. The organization MUST develop a role responsible for liaison with the Federation Operator.
  2. The organization operating the Identity Provider MUST provide end-user support for its affiliated users and have them informed about the availability of the support.
  3. The organization MUST provide the following data to the Federation Operator as anonymous daily statistics about the Identity Provider usage:
    • number of unique users;
    • number of transactions initiated to each federation service;
    • total number of logins.

Operational issues

  1. Any transaction including personal data MUST be logged and log files SHALL be kept for at least 30 days.
    1. The log files above MUST be treated in accordance with the applicable data protection laws.
  2. Cryptographic keys of the Identity Provider MUST be at least 2048 bit long.
    1. Private keys MUST be protected.
    2. In case of a key compromise, the Federation Operator MUST be notified within 24 hours.
    3. Use of self-signed certificates with a long expiration time is RECOMMENDED.
  3. Use of SAML:
    1. The Identity Provider MUST comply with the Interoperable SAML 2.0 Web Browser SSO Deployment Profile (http://saml2int.org).
    2. It is RECOMMENDED to support SAML2 Web Browser SSO Profile over HTTP Artifact Binding.
    3. It is RECOMMENDED to support SAML2 Single Logout Profile over HTTP Redirect and SOAP Bindings.
  4. All SAML endpoints of the Identity Provider SHALL be protected by HTTPS.
  5. All SAML endpoints of the Identity Provider MUST be under a DNS domain owned by the operating organization.
  6. All scopes used by the Identity Provider MUST be under a DNS domain owned by the operating organization.
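As an added example (not part of the wiki page or of any federation tooling), the following Python script checks an IdP's SAML metadata against requirements 4, 5 and 6 of the Operational issues section: every endpoint must use https, every endpoint host and every scope must sit under the operator's DNS domain. The metadata snippet and the organisation domain example-university.hu are constructed for the example; requirement 2 (2048-bit keys) would need X.509 parsing and is not covered here.

```python
# Added example, not from the KIFÜ wiki page: checks IdP SAML metadata against
# "Operational issues" 4 (HTTPS), 5 (endpoint domain) and 6 (scope domain).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SHIBMD = "urn:mace:shibboleth:metadata:1.0"   # namespace of the Scope extension

# Constructed metadata for a hypothetical IdP; it deliberately contains one
# violation of each requirement (http:// endpoint, foreign endpoint host, foreign scope).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example-university.hu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example-university.hu</shibmd:Scope>
      <shibmd:Scope regexp="false">partner-hosting.net</shibmd:Scope>
    </Extensions>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example-university.hu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.example-university.hu/idp/profile/SAML2/POST/SSO"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sso.cloud-vendor.example/artifact" index="1"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_metadata(xml_text, org_domain):
    """Return a list of (requirement, detail) findings; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():                      # every element carrying an endpoint URL
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if not url:
                continue
            tag, parts = el.tag.split("}")[-1], urlparse(url)
            if parts.scheme != "https":                            # requirement 4
                findings.append(("4-HTTPS", f"{tag} {url}"))
            if not in_domain(parts.hostname or "", org_domain):    # requirement 5
                findings.append(("5-DOMAIN", f"{tag} {url}"))
    for scope in root.iter(f"{{{SHIBMD}}}Scope"):                  # requirement 6
        value = (scope.text or "").strip()
        # regexp scopes cannot be verified mechanically, so they are always reported
        if scope.get("regexp") == "true" or not in_domain(value, org_domain):
            findings.append(("6-SCOPE", value))
    return findings
```

Run `check_metadata(SAMPLE_METADATA, "example-university.hu")` to get the three findings; against a real IdP, load the metadata file the IdP publishes and pass the organisation's own domain.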