Shibboleth Access Request Form – Office of Information Technology

As a federated community of organizations managing access to online resources, it is essential that all participants in the community have an open and transparent understanding of the identity and resource management practices implemented by the other participants. In particular, the Identity Provider (IdP) passes attribute information to the Service Provider (SP) about the individual account that has been authenticated by the IdP. In turn, the SP provides that information to the original accessed application.

This attribute information may have significant privacy and security aspects. It is important to note that Personally Identifiable Information (PII) may be comprised of not only IdP-provided attributes but also information that the originally accessed application may store. Office of Management and Budget (OMB) Memorandum 17-12 (PDF) identifies as many potential sources of risks related to PII as possible. OMB defined PII as

“information which can be used to distinguish or trace an individual’s identity… alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual…”

To that end, it is important that you complete Questions 3 and 4 in the Requestor Methods Questionnaire below, regardless of the attribute information provided by the IdP.

SP’s are trusted by IdP’s to:

Ask only for information necessary to make appropriate access control decisions,
Not misuse attribute information provided to them, and
Suitably protect the attribute information provided to them.

Using this form, the SP operator must provide information about how attribute information is managed and protected:

The basis on which the SP operator manages and protects access to server(s) and service resources,
The SP operator’s practices with respect to any attribute information that they receive from the IdP, and
The SP operator’s procedures, once a security breach is discovered, to notify affected persons.

If you need assistance in determining what the data requested in this form should be or how to present it, please email us at oit_webauth@help.ncsu.edu and we’ll get back to you as soon as we can.

If you are working with a third-party service provider, we strongly encourage engaging their assistance in completing this form.

Please submit a separate request for each SP you are requesting to access the NC State Shibboleth Identity Provider service.

Required fields are denoted by an asterisk ( * ).

Requester Information
Name * Required
First Last
Title * Required
Office/College/Department * Required
Email * Required
Phone * Required
Please describe the service you are looking to federate. * Required
Provide a 2-3 sentence description of the type of service an scope of users you are looking to serve.
Please indicate below which federation(s) you are requesting access to. * Required
Descriptions of the federations currently available to NC State University applications are described in Federation at NC State.
- NC State University Federation
- InCommon
Please submit the URL of the Service Provider’s metadata for registering with the NC State University Federation.
e.g. https://portalsp.acs.ncsu.edu/Shibboleth.sso/Metadata
If your Service Provider is already federated with InCommon directly, please provide the URL of your Participant Operational Practices (POP) document. InCommon requires that your POP be available online.
If you can provide this URL, you do not need to answer the questionnaire below.
Please submit the SP entity ID registered with InCommon.
Please provide the login URL for the service provider so that we can test our configuration * Required
What Attributes are needed? * Required
“Ask Only for the Information Necessary” What attribute information about an individual do you require in order to manage access to the resources/ services that you are making available?
Please review NC State's Attribute Release Policy (ARP) for the names and descriptions of the default attributes available.
Please list the attributes requested.
If an attribute is not in the default offering, please describe it.
Please provide justifications for any attribute requested.
Please provide the name(s) of contact(s) who can provide more explanation about the use of each attribute below.
If the Attribute Information Contact information is the same as the Requestor Information, you may leave the box below blank.
Name
Title
Office/College/Department
Email
Phone
Is this request for ONLY the attribute EPPN (preferred) or UID? * Required
If "Yes," you will not be required to complete Questions #1 and #2.
- Yes
- No
Requestor Methods Questionnaire
1. “Do Not Misuse the Attribute Information Provided to Your Service” * Required
Please describe how you will use the attribute information provided.
Will you be using this information for purposes beyond basic access control decisions?
Please be as specific as possible. For example:
- Do you aggregate session access records based on an individual’s attribute information?
- Do you keep records of specific information accessed based on attribute information?
- Do you make attribute information available to any partner organizations that not part of the federation to which you are requesting access?
- Do you pass attribute information on to any other servers or services that are not directly under your control?
2. “Describe how the Attribute Information is Protected on Your Service” * Required
Please define what human and technical controls are in place regarding the access to and use of any attribute information that serves as Personally Identifiable Information (PII).
PII can be a number of things, not merely a name or a credit card number.
All information other than large group identity (e.g., staff@ncsu.edu) should be protected while resident on your system(s).
As a reference, North Carolina General Statutes § 75-66 Publication of personal information identifies the PII that it requires to be protected.

For example:
- Is any PII subsequently transmitted to other sub-service providers?
- If so, is the PII encrypted during said transmission?
- Is any PII stored on your system(s) after the end of the end users’s session?
- If so, is the PII encrypted at rest on your system?
- If so, is access to the PII controlled to appropriate individuals by access controls?
- Do you aggregate session access records based on an individual’s attribute information?
- Do you keep records of specific information accessed based on attribute information?
- Do you make attribute information available to any partner organizations that not part of the federation to which you are requesting access?
- Do you pass attribute information on to any other servers or services that are not directly under your control?
3. “Describe How System Administrator and Super-User Accounts are Managed” * Required
Certain functional positions (and accounts that these positions can access) have extraordinary privileges with respect to information on your system.
Please describe the human and technical controls that are in place regarding the management of super-user and other privileged system and service accounts.
What oversight means are in place to identify any misuse of these accounts/privileges?
4. “How will you handle the notification of individuals if the Attribute Information you hold is compromised?” * Required
Occasionally protections break down and attribute information is compromised.
The North Carolina Identity Act requires notification of affected individuals.
See North Carolina General Statutes § 75-65 Protection from security breaches.

In particular, it specifies:
“Protection from security breaches. (a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. (b) Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license shall notify the owner or licensee [Identity Provider] of the information of any security breach immediately following discover of the breach.”

If personally identifiable information is compromised, what actions will you take to notify potentially affected individuals?
What actions will you take to notify the Information Provider initially furnishing the data that it has been disclosed?

Requester Information

Requestor Methods Questionnaire