Changes

IdP Operational Requirements

62 bytes added, 27 September 2011, 17:21
finalise changes
:* '''SHOULD NOT''' (or '''NOT RECOMMENDED'''): there may be valid reasons for the particular behaviour to be acceptable; however, the divergence from the specification '''MUST''' be documented.
== Identity management ==
# The organisation operating the Identity Provider '''MUST''' document its privacy policy and make it available to its users.
# The organisation '''MUST''' define the sources, the maintenance procedures and the approximate quality of the data about its users, and supply this documentation to the Federation.
# Uniqueness of the usernames '''MUST''' be guaranteed.
# One individual '''SHOULD NOT''' have more than one user account.
# Role accounts (such as 'director', 'secretary') '''SHOULD NOT''' be used.
# Use of attributes:
## Attribute implementations '''MUST''' follow the Attribute Specification.
## The Identity Provider '''MUST''' implement the following attributes:
##* eduPersonTargetedID
## Real transactions '''MUST NOT''' be initiated by test accounts.
## Test accounts '''SHOULD''' be distinguished by an appropriate homeOrganizationType value.
# User credentials (i.e. passwords) '''MUST NOT''' be transmitted over a public network in unencrypted form.
# If initial user passwords are distributed, it '''SHOULD''' be done in a non-electronic form.
# Changes in the users' affiliation to the institution '''MUST''' be populated to the IdP database within ''7 days''
## If the authoritative source of user information is an external database (e.g. a student information system), then the above timeframe starts from the time of the change in the primary system.
## Students may use the 'alum' affiliation after leaving the organisation. The values 'student' or 'member' '''MUST NOT''' be used afterwards.
## For faculty members and employees, affiliation values 'staff', 'employee', 'faculty' and 'member' '''MUST''' be revoked.
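The three affiliation rules above (propagate changes within 7 days, counted from the change in the primary system; former students keep at most 'alum'; 'staff', 'employee', 'faculty' and 'member' are revoked for departed employees) can be checked mechanically against an IdP directory export. The following audit script is an added example, not part of the requirements page or of any federation tooling; the record layout (`uid`, `affiliations`, `left_on`) and the sample records are constructed assumptions, and the departure date comes from the authoritative source, as the requirement specifies.

```python
from datetime import date, timedelta

# Values that MUST NOT remain published once the person has left; the only
# value the requirements allow a former student to keep is 'alum'.
REVOKED_AFTER_LEAVING = {"student", "member", "staff", "employee", "faculty"}
# "within 7 days" of the change in the authoritative (primary) system.
PROPAGATION_LIMIT = timedelta(days=7)


def check_record(record, today):
    """Return findings (uid, severity, message) for one directory record.

    Assumed export format (not defined by the requirements page):
      uid          - the unique username
      affiliations - set of eduPersonAffiliation values the IdP currently publishes
      left_on      - date the authoritative source recorded the departure, or None
    """
    left_on = record["left_on"]
    if left_on is None:
        return []  # still affiliated; nothing to revoke
    stale = record["affiliations"] & REVOKED_AFTER_LEAVING
    if not stale:
        return []  # already cleaned up; 'alum' on its own is compliant
    # Inside the 7-day window the stale values are a pending change, beyond it
    # they are a violation of the propagation requirement.
    overdue = today - left_on > PROPAGATION_LIMIT
    severity = "VIOLATION" if overdue else "PENDING"
    msg = f"still publishes {sorted(stale)}; left on {left_on.isoformat()}"
    return [(record["uid"], severity, msg)]


def audit(records, today):
    """Run check_record over a whole export and flatten the findings."""
    findings = []
    for record in records:
        findings.extend(check_record(record, today))
    return findings


# Constructed sample export: four fictitious accounts at one organisation.
TODAY = date(2011, 9, 27)
SAMPLE_RECORDS = [
    # former student, correctly reduced to 'alum'
    {"uid": "alice", "affiliations": {"alum"}, "left_on": date(2011, 9, 1)},
    # left 12 days ago, IdP still publishes student/member -> violation
    {"uid": "bob", "affiliations": {"student", "member"}, "left_on": date(2011, 9, 15)},
    # left 4 days ago, still within the 7-day window -> pending
    {"uid": "carol", "affiliations": {"employee", "member"}, "left_on": date(2011, 9, 23)},
    # active faculty member, nothing to report
    {"uid": "dave", "affiliations": {"faculty", "member"}, "left_on": None},
]

if __name__ == "__main__":
    for uid, severity, msg in audit(SAMPLE_RECORDS, TODAY):
        print(f"{severity:9} {uid}: {msg}")
```

Run against a real export, the script only needs the departure date from the system of record; the IdP's own timestamps are not consulted, because the requirement starts the clock at the change in the primary system, not at the time the IdP noticed it.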
== Service management ==
# The organisation '''MUST''' establish a role responsible for liaison with the Federation Operator.
# The organisation operating the Identity Provider '''MUST''' provide end-user support for its affiliated users and inform them about the availability of that support.
# The organisation '''MUST''' provide the following data to the Federation Operator as anonymous daily statistics about Identity Provider usage:
#* number of unique users;
#* number of transactions initiated to each federation service;
== Operational issues ==
# Any transaction including personal data '''MUST''' be logged and log files '''SHALL''' be kept for at least ''30 days''.
## The log files above '''MUST''' be treated in accordance with the applicable data protection laws.
# Cryptographic keys of the Identity Provider '''MUST''' be at least ''2048 bits'' long.
## Private keys '''MUST''' be protected.
## In case of a key compromise, the Federation Operator '''MUST''' be notified within 24 hours.
