Most federations require an IdP to have an Identity Management Practice Statement of some description, although there is no set template for this. The following information may be helpful:
Advice from federations / other organisations
Document your Campus IdM processes
Questions that every campus must be able to answer are:
- How do you identify a person who receives the credentials and secrets for an identity?
- At any time you must be able to describe the current affiliation the person has to the institution.
- What community do you issue identities to?
- What attributes are publicly exposed for these identities?
- What are the procedures for maintaining the identities in this respect?
Questionnaires like this can be provided to the campuses to use for internal IdM audits.
Unclear relationships to the institutions
Sometimes people who have no clear relationship with the institution also need a campus identity. For students and staff the relationship is pretty clear. But what do you do with consultants, guest researchers, members of research projects etc.? The decision should be made by the dean and/or department head (by means of a signed paper form, or clicking okay in a web form). It is also a good idea to issue identities that have limited validity in time, to keep your IdM clean in the long term.
Procedure for giving out identities
How do you issue your identities (e.g. when a new student or teacher enters the institution)? Is it enough to send the relevant information to the new student's or teacher's official home address? Or do you require official identification (identity card, driver's license, ...) in a face-to-face meeting?