Version | Author | Date |
This document describes the identity management procedures of a home organisation to the extent that is sufficient for assessing the quality and freshness of the identity data in the home organization.
The home organization places this document on the public web and maintains it as the identity management of the institution changes. The document will be linked from Haka federation web pages.
In this document, “user database” means the collection of attributes available for the Identity Provider server of the home organization. The implementation of the user database can be, for instance, an LDAP directory or a relational database, or any combination of the two.
The data in the student registry is expected to be up-to-date.
How is the user database linked to the student registry?
How do the data of a new student propagate from the student registry to the user database?
When does a new student get his user account or his student role?
What happens to the user account if the student doesn’t start his studies or if he starts the studies but registers as being absent?
How do the changes in the student registry propagate to the user database?
When does the organisation decide that a student is no longer a student
a) after he has graduated?
b) after the semester has ended and the student has not enrolled as being present for the next semester?
c) when the student decides to discontinue his studies?
After the event above, how long will it take for the IT services unit to close the student’s user account or to deactivate the “student” role?
As above.
Does the organisation have other kinds of end users (for example, researchers employed by the Academy of Finland; alumni; civil servants; emeritus professors; library patrons; subcontractors like restaurant staff) who
a) have user accounts, and
b) are allowed to use the Identity Provider to sign in to Service Providers in the Haka federation?
What kind of application procedure is there for their user accounts?
How do you ensure the freshness of their identity data?
Users who are not natural persons (for example, student associations, if they have separate accounts) are not considered end users of the Haka federation, and should not be allowed to log in.
How do you verify the identity of a person applying for a user account?
Requirements for password quality.
Are there any stronger authentication means available?
More information on funetEduPerson schema (ver 2.0) is here.
Place ’X’ in the ’availability’ column if the attribute is up-to-date and thus available for the Identity Provider server.
If the home organization has any attributes of its own (non-funetEduPerson) that are available for the Identity Provider server, you can add them to the end of the table, supplemented by a link to the attribute definition.
Attribute | Availability | How do you ensure freshness | Other information |
cn / commonName | MUST | ||
description | |||
displayName | MUST | ||
employeeNumber | |||
facsimileTelephoneNumber | |||
givenName | |||
homePhone | |||
homePostalAddress | |||
jpegPhoto | |||
l / localityName | |||
labeledURI | |||
mobile | |||
o / organizationName | |||
ou / organizationalUnitName | |||
postalAddress | |||
postalCode | |||
preferredLanguage | |||
seeAlso | |||
sn / surname | MUST | ||
street | |||
telephoneNumber | |||
title | |||
uid | |||
userCertificate | |||
eduPersonAffiliation | What values are available? | ||
eduPersonEntitlement | |||
eduPersonNickName | |||
eduPersonOrgDN | |||
eduPersonOrgUnitDN | |||
eduPersonPrimaryAffiliation | |||
eduPersonPrimaryOrgUnitDN | |||
eduPersonPrincipalName | MUST | ||
eduPersonScopedAffiliation | |||
eduPersonTargetedID | |||
schacMotherTongue | |||
schacGender | |||
schacDateOfBirth | |||
schacPlaceOfBirth | |||
schacCountryOfCitizenship | |||
schacHomeOrganization | MUST. What value is used? | ||
schacHomeOrganizationType | MUST. What value is used? | ||
schacCountryOfResidence | |||
schacUserPresenceID | |||
schacPersonalUniqueCode | |||
schacPersonalUniqueID | |||
schacUserStatus | |||
funetEduPersonHomeOrganization | superseded | ||
funetEduPersonStudentID | superseded | ||
funetEduPersonIdentityCode | superseded | ||
funetEduPersonDateOfBirth | superseded | ||
funetEduPersonTargetDegreeUniversity | superseded | ||
funetEduPersonTargetDegreePolytech | superseded | ||
funetEduPersonTargetDegree | |||
funetEduPersonEducationalProgramUniv | superseded | ||
funetEduPersonEducationalProgramPolytech | superseded | ||
funetEduPersonProgram | |||
funetEduPersonMajorUniv | superseded | ||
funetEduPersonOrientationAlternPolytech | superseded | ||
funetEduPersonSpecialisation | |||
funetEduPersonStudyStart | |||
funetEduPersonPrimaryStudyStart | |||
funetEduPersonStudyToEnd | |||
funetEduPersonPrimaryStudyToEnd | |||
funetEduPersonCreditUnits | |||
funetEduPersonECTS | |||
funetEduPersonStudentCategory | |||
funetEduPersonStudentStatus | |||
funetEduPersonStudentUnion | What value(s) are used? | ||
funetEduPersonHomeCity | |||
funetEduPersonEPPNTimeStamp | |||
One identity per user or one identity per role (i.e. a person who is both a student and an employee has two identities)?
Can the eduPersonPrincipalName value of an end user change over time?
Do you reassign eduPersonPrincipalName values to new end users?