Canadian Access Federation: Trust Assertion Document (TAD) : 1. Purpose
1.2 Publication
Your responses to these questions must be:
1. submitted to CANARIE to be posted on the CANARIE website; and
2. posted in a readily accessible place on your web site.
You must maintain an up-to-date Trust Assertion Document.
about your identity management practices and/or privacy policy regarding personal
information?
Identity Management: http://www.uvic.ca/systems/services/loginspasswords/index.php
Protection of Privacy Policy:
http://www.uvic.ca/universitysecretary/assets/docs/policies/GV0235.pdf
3.1 Community
3.1.1. As an Identity Provider, how do you define the set of people who are eligible to receive an
electronic identity? If exceptions to this definition are allowed, who must approve such an
exception?
The identity management system grants an electronic identity only to individuals who
meet specific criteria in our local systems of record (SOR). The main SOR
sources are:
Exceptions are made for UVic guests, who must be sponsored by an active UVic Faculty
or Staff member. Guest access to local resources is time-bounded.
3.1.2. What subset of persons registered in your identity management system would you identify
electronic identity that results in a record for that person being created in your electronic
identity database? Please identify the office(s) of record for this purpose.
Electronic identity records are created in our identity management system for people that
meet specific business criteria for UVic employees, students, and affiliates.
UVic employees are on-boarded through the hiring process managed through the UVic
Human Resources office (http://web.uvic.ca/hr/).
UVic students are on-boarded through enrolment processes managed by the UVic Office
of the Registrar (http://registrar.uvic.ca/).
UVic Continuing Studies students enrol through an enrolment process managed by UVic
Continuing Studies (http://www.uvcs.uvic.ca/).
3.2.2. What authentication technologies are used for your electronic identity credentials (e.g.,
Kerberos, userID/password, PKI, ...) that are relevant to Canadian Access Federation
activities? If more than one type of electronic credential is issued, how is it determined
who receives which type? If multiple credentials are linked, how is this managed (e.g.,
anyone with a Kerberos credential also can acquire a PKI token) and audited?
UVic supports a campus-wide username/password credential pair, called the UVic NetLink
ID. This credential is used for access to CAF resources.
3.2.3. If your electronic identity credentials require the use of a secret password or PIN, and
there are circumstances in which that secret would be transmitted across a network
without being protected by encryption (e.g., clear text passwords are used when
accessing campus services), please identify who in your organization can discuss with any
other Participant concerns that this might raise for them:
We do not support clear-text passwords for access to campus resources. Authentication
to CAF resources is performed over HTTPS (HTTP over TLS), so the password is never
transmitted unencrypted.
3.2.4. If you support a single sign-on (SSO) or similar campus-wide system to allow a single
user authentication action to serve multiple applications, and you will make use of this to
authenticate people for CAF Service Providers, please describe the key security aspects
of your SSO system including whether session timeouts are enforced by the system,
whether user-initiated session termination is supported, and how use with public access
sites is protected.
We support JASIG CAS for campus SSO. CAS provides authentication for our Shibboleth-based CAF identity provider.
The default CAS SSO session timeout is 2 hours; the user can select an 8-hour timeout instead. Users
may terminate their SSO session at any time by clicking the CAS "Sign out of UVic" link.
3.2.5. Are your primary electronic identifiers for people, such as NetID,
offices designated by your administration to perform this function? Are individuals allowed
to update their own information on-line?
Attributes in the identity database are updated according to administrative updates in the
systems of record for each attribute. We have designated offices that perform these
updates: Office of the Registrar, Human Resources & Benefits, Finance, Continuing
Studies.
Individuals may update some attributes via self-serve, such as their preferred email
address.
3.3.2. What information in this database is considered public information and would be provided
reliable.
3.5.2. Would you consider your attribute assertions to be reliable enough to:
http://www.uvic.ca/universitysecretary/assets/docs/policies/GV0235.pdf
4.1 Attributes
4.1.1. What attribute information about an individual do you require in order to manage access to
resources you make available to other Participants? Describe separately for each service
application that you offer to CAF participants.
UVic is not currently running any CAF Service Providers.
N/A
4.1.2. What use do you make of attribute information that you receive in addition to basic access
control decisions?
N/A
4.1.3. Do you use attributes to provide a persistent user experience across multiple sessions?
N/A
4.1.4. Do you aggregate session access records or record specific information accessed based
on attribute information?
N/A
4.1.5. Do you make attribute information available to other services you provide or to partner
organizations?
N/A
information that might refer to only one specific person (i.e., personally identifiable
information)? For example, is this information encrypted for storage in your system?
N/A
4.2.2. Describe the human and technical controls that are in place on the management of super-
user and other privileged accounts that might have the authority to grant access to
personally identifiable information?
CANARIE Inc. - Canadian Access Federation Service
N/A
4.2.3. If personally identifiable information is compromised, what actions do you take to notify
5. Other Information
5.1 Technical Standards, Versions and Interoperability
5.1.1. Identify the SAML products you are using. If you are using the open source Internet2
SAML 1.1
SAML 2.0
Canadian Access Federation Participants with whom you might interoperate? For
example, are there concerns about the use of clear text passwords or responsibilities in
case of a security breach involving identity information you may have provided?
N/A