As a federated community of organizations managing access to online resources, it is essential that all participants in the community have an open and transparent understanding of the identity and resource management practices implemented by the other participants. In particular, the Identity Provider (IdP) passes attribute information to the Service Provider (SP) about the individual account that has been authenticated by the IdP. In turn, the SP provides that information to the original accessed application.
This attribute information may have significant privacy and security aspects. It is important to note that Personally Identifiable Information (PII) may be comprised of not only IdP-provided attributes but also information that the originally accessed application may store. Office of Management and Budget (OMB) Memorandum 17-12 (PDF) identifies as many potential sources of risks related to PII as possible. OMB defined PII as
“information which can be used to distinguish or trace an individual’s identity… alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual…”
To that end, it is important that you complete Questions 4 and 5 in the Requestor Methods Questionnaire below, regardless of the attribute information provided by the IdP.
SP’s are trusted by IdP’s to:
- Ask only for information necessary to make appropriate access control decisions,
- Not misuse attribute information provided to them, and
- Suitably protect the attribute information provided to them.
Using this form, the SP operator must provide information about how attribute information is managed and protected:
- The basis on which the SP operator manages and protects access to server(s) and service resources,
- The SP operator’s practices with respect to any attribute information that they receive from the IdP, and
- The SP operator’s procedures, once a security breach is discovered, to notify affected persons.
If you need assistance in determining what the data requested in this form should be or how to present it, please email us at email@example.com and we’ll get back to you as soon as we can.
If you are working with a third-party service provider, we strongly encourage engaging their assistance in completing this form.
Please submit a separate request for each SP you are requesting to access the NC State Shibboleth Identity Provider service.
Required fields are denoted by an asterisk ( * ).