1.      Federation Participant Information

1.1       The InCommon Participant Operational Practices information below is for:

InCommon Participant organization name   University of Pennsylvania          

The information below is accurate as of this date   1 June 2009                      

1.2       Identity Management and/or Privacy information

Additional information about the Participant’s identity management practices and/or privacy policy regarding personal information can be found on-line at the following location(s).


1.3       Contact information

The following person or office can answer questions about the Participant’s identity management system or resource access management policy or practice.

Name   Information and Systems Computing, Networking and Telecommunications

Title or role                                                                                                        

Email address                                                                                                    

Phone   215.898.2883                               FAX                                                


2.      Identity Provider Information

The most critical responsibility that an IdentityProvider Participant has to the Federation is to provide trustworthy and accurate identity assertions.[1]  It is important for a Service Provider to know how your electronic identity credentials are issued and how reliable the information associated with a given credential (or person) is.


2.1       If you are an Identity Provider, how do you define the set of people who are eligible to receive an electronic identity?  If exceptions to this definition are allowed, who must approve such an exception?

The University makes available electronic identity credentials to all affiliated users who require access to secure and protected resources. Affiliated users include faculty, staff  and students of the University of Pennsylvania; employees of the University of Pennsylvania Health System (UPHS); and, sponsored guests who have an official business need for accessing restricted Penn resources are eligible for a PennKey. A guest can be a visiting faculty or staff member, temporary workers, participants in University symposia or conferences.  The electronic identity persists even after the relationship with the University terminates.                               

2.2       “Member of Community”[2] is an assertion that might be offered to enable access to resources made available to individuals who participate in the primary mission of the university or organization.  For example, this assertion might apply to anyone whose affiliation is “current student, faculty, or staff.” 

What subset of persons registered in your identity management system would you identify as a “Member of Community” in Shibboleth identity assertions to other InCommon Participants?

The identity management system maintains affiliated members (active faculty, staff and students) of the University community. 

Electronic Identity Credentials

2.3       Please describe in general terms the administrative process used to establish an electronic identity that results in a record for that person being created in your electronic identity database?  Please identify the office(s) of record for this purpose.  For example, “Registrar’s Office for students; HR for faculty and staff.”

In brief, the administrative process for issuing electronic identity credentials dictates that the user (a) be approved/sponsored for the designated affiliation, (b) provide the necessary identity proofing documentation, (c) be entered into the appropriate system of record/registration authority, (d) receive a credential set-up code and (e) create the credential online.

The following systems of record feed the identity management system: Registrar - Student Records System (SRS) for students); University Human Resources system for Faculty and Staff; University of Pennsylvania Health Systems (UPHS) HR for UPHS employees; and, online registration/creation process though authorized administrators for temporary/guest identities.                                                                           

2.4       What technologies are used for your electronic identity credentials (e.g., Kerberos, userID/password, PKI, ...) that are relevant to Federation activities?  If more than one type of electronic credential is issued, how is it determined who receives which type?  If multiple credentials are linked, how is this managed (e.g., anyone with a Kerberos credential also can acquire a PKI credential) and recorded?

Kerberos using strong reusable passwords.                                                                              

2.5       If your electronic identity credentials require the use of a secret password or PIN, and there are circumstances in which that secret would be transmitted across a network without being protected by encryption (i.e., “clear text passwords” are used when accessing campus services), please identify who in your organization can discuss with any other Participant concerns that this might raise for them:

University policy prohibits the use of cleartext passwords over the network.                            

2.6       If you support a “single sign-on” (SSO) or similar campus-wide system to allow a single user authentication action to serve multiple applications, and you will make use of this to authenticate people for InCommon Service Providers, please describe the key security aspects of your SSO system including whether session timeouts are enforced by the system, whether user-initiated session termination is supported, and how use with “public access sites” is protected. 

While a final decision on SSO for federation has not been published, the current SSO system establishes a 10 hour global session enforced by the authentication system.  Based on the application owner’s risk assessment, applications can require re-authentication.  Users can terminate the global session at any time. Safe computing resources and policies are available to users using public access sites.  Periodic communications are distributed describing the benefits and best practices for SSO environments.

2.7       Are your primary electronic identifiers for people, such as “net ID,” eduPersonPrincipalName, or eduPersonTargetedID considered to be unique for all time to the individual to whom they are assigned?  If not, what is your policy for re-assignment and is there a hiatus between such reuse?

Each user is assigned a unique username ("PennName") and numeric ID ("PennID"), which in most cases stay with them for life.  While the PennID is immutable, the PennName can change in a limited number of circumstances which are documented in policy (  To accommodate this possibility, application providers who have registered an interest in a name are notified if that PennName changes.

Users with a persistent affiliation to the University are assigned authentication credentials ("PennKey") based on their PennName.  Guest PennKeys accounts are system generated codes which expire and are not re-used.


Electronic Identity Database

2.8       How is information in your electronic identity database acquired and updated?  Are specific offices designated by your administration to perform this function?  Are individuals allowed to update their own information on-line?

Information in the electronic identity database is fed from the source systems of records defined above in section 2.3.  Information in the electronic identity database is not updateable by users online.  Some directory attributes are updatable by users online.  There will be a dependency on required data and sources.

2.9       What information in this database is considered “public information” and would be provided to any interested party?

Generally, the University electronic identity database does not contain public information.  All dissemination of University stored information is governed by the University Office of Audit, Compliance and Privacy.  Dissemination of attributes through Shibboleth for internal and federated authentication would be based on Service Provider requirements and standard available attribute “blocks”.  These blocks of data would contain logical groupings of data for authentication and authorization (e.g. an InCommon block would contain the standard/required InCommon attribute for federation)                                                             

Uses of Your Electronic Identity Credential System

2.10   Please identify typical classes of applications for which your electronic identity credentials are used within your own organization. 

Classes of applications include, and not limited to, financial, administrative, research, operational and communication.

Attribute Assertions

Attributes are the information data elements in an attribute assertion you might make to another Federation participant concerning the identity of a person in your identity management system. 

2.11   Would you consider your attribute assertions to be reliable enough to:

[X] control access to on-line information databases licensed to your organization?

[X] be used to purchase goods or services for your organization?

[X] enable access to personal information such as student loan status?

Privacy Policy

Federation Participants must respect the legal and organizational privacy constraints on attribute information provided by other Participants and use it only for its intended purposes.

2.12   What restrictions do you place on the use of attribute information that you might provide to other Federation participants?

The expectation is that attribute information passed to service providers is only used for authentication and authorization decisions for the user’s access to the protected resources.                                  

2.13   What policies govern the use of attribute information that you might release to other Federation participants?  For example, is some information subject to FERPA or HIPAA restrictions?

The University Office of Audit, Compliance and Privacy provides oversight and policy guidelines for privacy issues. Attributes used for internal and Federated authentication would be subject to review based on current policy.

3.      Service Provider Information

Service Providers are trusted to ask for only the information necessary to make an appropriate access control decision, and to not misuse information provided to them by Identity Providers.  Service Providers must describe the basis on which access to resources is managed and their practices with respect to attribute information they receive from other Participants.

3.1       What attribute information about an individual do you require in order to manage access to resources you make available to other Participants?  Describe separately for each service ProviderID that you have registered.

N/A at this time.  No Service Providers are being registered.  It is anticipated that only attributes required for authentication and authorization decisions would required.                                                     

3.2       What use do you make of attribute information that you receive in addition to basic access control decisions?  For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?

  N/A at this time.                                                                                                                          

3.3       What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)?  For example, is this information encrypted?

 N/A at this time.                                                                                                                           

3.4       Describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information?

 N/A at this time.                                                                                                                           

3.5       If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?

 N/A at this time.                                                                                                                           


4.      Other Information

4.1       Technical Standards, Versions and Interoperability

Identify the version of Internet2 Shibboleth code release that you are using or, if not using the standard Shibboleth code, what version(s) of the SAML and SOAP and any other relevant standards you have implemented for this purpose.

 Shibboleth 2.1                                                                                                                             

4.2       Other Considerations

Are there any other considerations or information that you wish to make known to other Federation participants with whom you might interoperate? For example, are there concerns about the use of clear text passwords or responsibilities in case of a security breach involving identity information you may have provided?




[1] A general note regarding attributes and recommendations within the Federation is available here:

[2] "Member" is one possible value for eduPersonAffiliation as defined in the eduPerson schema.  It is intended to include faculty, staff, student, and other persons with a basic set of privileges that go with membership in the university community (e.g., library privileges).  “Member of Community” could be derived from other values in eduPersonAffiliation or assigned explicitly as “Member” in the electronic identity database.  See