Shibboleth Attribute Release meta-Policy: Difference between revisions

From RavenWiki
(Created, though only a draft ATM)
 
(Policy moved to new, official home)
 
(13 intermediate revisions by 2 users not shown)
{{shib-project}}
See http://www.cam.ac.uk/cs/raven/attribute-policy.html
 
''This document (2007-05-14: currently a draft) sets out the policy observed by the managers of the University of Cambridge's institutional Shibboleth IdP in respect of release of attribute information.''
 
Transfer of attribute information is central to the operation of Shibboleth. However, attributes can represent 'personal data' under the terms of the Data Protection Act 1998, and processing and release of such data must abide by the provisions of the Act. This policy is intended to ensure that the University does so.
 
The University institutional IdP will provide attribute information only to members of the ''UK Access Management Federation for Education and Research'' or to members of the local ''University of Cambridge Federation''. Membership rules for the latter have yet to be defined, but it is assumed here that it will contain only SPs owned and operated by the University and its related institutions (the colleges, CUP, CA, etc.).
 
Users will be made aware of the function of the IdP and the fact that it may disclose information about them the first time that they access it and at least annually thereafter. They will be asked to positively confirm that they accept the terms and conditions under which the IdP operates before proceeding and a record will be made of this acceptance. On first accessing a particular SP, users will be made aware of the information that will be disclosed to it and asked to approve this disclosure; this will be repeated if the information changes and at least annually.
 
eduPersonTargetedID and eduPersonScopedAffiliation with the value 'member@cam.ac.uk' will be released by default to any SP authorised to use the IdP. According to UK Federation policy, this should be sufficient to enable access to the majority of resources.
 
eduPersonScopedAffiliation with a value other than 'member@cam.ac.uk', eduPersonEntitlement, and any other 'privacy preserving' attributes will be released to any SP authorised to use the IdP that can demonstrate a reasonable need. SPs will only receive the particular attributes and values that they require. These attributes, or values thereof, will not be considered 'privacy preserving' if there is a possibility that individuals can be identified from them (perhaps because they relate to a very small subset of users).
 
Attributes from or derived from lookup, notably eduPersonPrincipalName, givenName, sn, cn, displayName, ou, mail, groupID, will be disclosed to SPs using providerIDs which match ^https://[^/]+\.cam\.ac\.uk/, but only subject to the user's choice of suppression in lookup. The restriction on SPs is broadly consistent with the group of servers that can query lookup directly for the same information.
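The providerID rule and the suppression rule above can be exercised together. The following is an added example, not part of the policy or of the IdP's configuration: the function names, the sample providerIDs and user record are constructed, and the parsed-host check is an assumption added because the quoted pattern is a text match on the whole providerID string rather than on its host component.

```python
import re
from urllib.parse import urlsplit

# Pattern quoted in the policy for SPs that may receive lookup-derived attributes.
PROVIDER_ID_RE = re.compile(r"^https://[^/]+\.cam\.ac\.uk/")

# Lookup-derived attributes named in the policy (standard eduPerson spelling).
LOOKUP_ATTRS = {"eduPersonPrincipalName", "givenName", "sn", "cn",
                "displayName", "ou", "mail", "groupID"}


def matches_policy_pattern(provider_id: str) -> bool:
    """True when the providerID matches the pattern as written in the policy."""
    return PROVIDER_ID_RE.match(provider_id) is not None


def host_is_under_cam(provider_id: str) -> bool:
    """Assumed extra check: the parsed host itself must end in .cam.ac.uk."""
    parts = urlsplit(provider_id)
    return parts.scheme == "https" and (parts.hostname or "").endswith(".cam.ac.uk")


def lookup_release(provider_id: str, user_attrs: dict, suppressed: set) -> dict:
    """Lookup-derived attributes releasable to this SP, minus the user's suppressions."""
    if not (matches_policy_pattern(provider_id) and host_is_under_cam(provider_id)):
        return {}
    return {name: value for name, value in user_attrs.items()
            if name in LOOKUP_ATTRS and name not in suppressed}


# Constructed sample data (not real users or SPs).
USER = {"eduPersonPrincipalName": "abc123@cam.ac.uk", "displayName": "A. B. Example",
        "mail": "abc123@cam.ac.uk", "eduPersonTargetedID": "opaque-value"}
SUPPRESSED = {"mail"}
INTERNAL_SP = "https://wiki.example.cam.ac.uk/shibboleth"
EXTERNAL_SP = "https://sp.example.org/shibboleth"
QUERY_LOOKALIKE = "https://sp.example.org?x.cam.ac.uk/"  # text matches, host does not

if __name__ == "__main__":
    for sp in (INTERNAL_SP, EXTERNAL_SP, QUERY_LOOKALIKE):
        print(sp, matches_policy_pattern(sp), host_is_under_cam(sp),
              sorted(lookup_release(sp, USER, SUPPRESSED)))
```

Running the same two checks over every providerID in the federation metadata at registration time shows which entries pass the text pattern without actually being hosted under cam.ac.uk.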
 
Other than as mentioned above, attributes and attribute values will only be disclosed where there is a demonstrable need and where the disclosure is protected by an appropriate contract or similar. Note that this includes eduPersonPrincipalName even though it is a UK Federation core attribute. Each disclosure or change in disclosure must be formally approved by ''[install name of suitable body here]''. Release of such information will be restricted: it is in general better from the University's point of view for SPs to obtain information direct from the user than it is for the IdP to supply it (even if it would be easier for the user if the IdP supplied it).
 
==Summary of current policy==
 
* eduPersonTargetedID, and eduPersonScopedAffiliation with value member@cam.ac.uk, are released to any member of the UK federation or the University Federation.
* eduPersonEntitlement
** values of cam#default0 or cam#aaemo are released where appropriate to the EduServ Shibboleth to Athens gateway
** a value of urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted is released where appropriate to EDINA Film and Sound online

Latest revision as of 08:56, 13 September 2007