...

Subject Records are managed appropriately so that Assertions issued by the IdP are valid. IdPO management practices are summarized below.
...

Evidence of Compliance:

...

For the purpose of InCommon Silver, Subject records exist in the Enterprise Directory and in the Virginia Tech Certificate Authority's (VTCA) Public Key Infrastructure (PKI). The Enterprise Directory is managed in accordance with policies and procedures developed by the Identity Management Services (IMS) office within Information Technology. The VTCA PKI is managed in accordance with the policies and procedures for the Virginia Tech User CA described in the User CPS. The VTCA is governed by the Virginia Tech PKI PMA. Subject records from the Enterprise Directory are used for eligibility and identity proofing during registration to enroll for a Virginia Tech PDC on an eToken. Some of the attribute information in the PDC is retrieved from the Subject's Person record in the Enterprise Directory, thus linking the Subject records in the Enterprise Directory with those in the VTCA PKI.

The eToken PDCs have a validity period of two years from the date of issuance. The PDC Usage Agreement requires eTokens to be returned at the end of employment or enrollment, and the employee Separation Notice assigns departmental responsibility for collecting them. Supervisors are instructed to return any eTokens they collect to the nearest eToken issuance location, where the certificates will be revoked. (See PDC FAQ.) The certificate revocation list is checked during CAS authentication, and authentication is denied if the certificate has been revoked.

...

Evidence of Compliance:

...

To enroll for an eToken PDC, the Subject presents all required credentials (including a valid, current government-issued photo ID containing the Subject's full name, date of birth, picture, and either an address or nationality) to the TAS operator. If the Subject proves to be eligible for a Silver PDC, TAS issues a PDC on an eToken with the "medium silver" Object Identifier (OID) as defined in the Virginia Tech User CPS. All other eToken PDCs are issued with the "medium bronze" OID. Users wishing to access services that require the InCommon Bronze or Silver profile must authenticate to CAS using the eToken PDC. At authentication time, the CAS login handler recognizes the "medium silver" or "medium bronze" OID in the PDC and passes information to Shibboleth that is used to determine whether this person has authenticated with a credential that meets the Silver or Bronze profile. If the person qualifies, the Shibboleth IdP then asserts the applicable "silver" or "bronze" IAQ for this person to the SP. The SP uses the InCommon metadata associated with the Virginia Tech entity ID to determine whether Virginia Tech is certified to assert Bronze and/or Silver.
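The decision chain in the paragraph above (certificate policy OID in the PDC, validity and revocation checks at CAS, IAQ assertion by the IdP, metadata check at the SP) is shown below as an added example. It is not Virginia Tech's CAS or Shibboleth code. It parses the certificatePolicies extension of a certificate with a small DER reader written here, so it runs without any X.509 library. The "medium silver" and "medium bronze" OIDs are placeholders under the 2.999 documentation arc (the real values are defined in the VT User CPS), the IAQ URIs are assumed InCommon identifiers, and the issue dates, serial numbers and revocation list are constructed sample data.

```python
"""Added example: policy OID -> IAQ decision for an eToken PDC (not VT code)."""
from datetime import datetime, timedelta, timezone

MEDIUM_SILVER_OID = "2.999.2"  # placeholder: real OID is in the VT User CPS
MEDIUM_BRONZE_OID = "2.999.1"  # placeholder: real OID is in the VT User CPS
IAQ_SILVER = "http://id.incommon.org/assurance/silver"  # assumed InCommon URI
IAQ_BRONZE = "http://id.incommon.org/assurance/bronze"  # assumed InCommon URI
# Highest assurance first, so a PDC carrying both OIDs yields the silver IAQ.
POLICY_PRECEDENCE = [(MEDIUM_SILVER_OID, IAQ_SILVER), (MEDIUM_BRONZE_OID, IAQ_BRONZE)]
PDC_VALIDITY = timedelta(days=730)  # two-year validity period from issuance


def _der(tag, body):
    """Wrap body in a DER TLV, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)
            value >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element); reject truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode DER OID contents back to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("OID ends in the middle of an arc")
    first = arcs[0]
    a, b = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(str(x) for x in [a, b] + arcs[1:])


def build_policies_ext(oids):
    """Construct a certificatePolicies extension value (sample input only)."""
    return _der(0x30, b"".join(_der(0x30, encode_oid(o)) for o in oids))


def policy_oids(ext_value):
    """Parse certificatePolicies: SEQUENCE OF SEQUENCE { policyIdentifier OID, ... }."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def iaq_for_pdc(ext_value, issued, now, serial, revoked_serials):
    """IdP side (CAS handler + Shibboleth): the IAQ to assert, or None."""
    if now >= issued + PDC_VALIDITY:
        return None  # PDC past its two-year validity
    if serial in revoked_serials:
        return None  # CRL check at CAS authentication: deny
    present = set(policy_oids(ext_value))
    for oid, iaq in POLICY_PRECEDENCE:
        if oid in present:
            return iaq
    return None  # no assurance OID: no IAQ is asserted


def sp_accepts(asserted_iaq, required_iaq, idp_certified_iaqs):
    """SP side: honour the IAQ only if InCommon metadata certifies the IdP for it."""
    return asserted_iaq == required_iaq and required_iaq in idp_certified_iaqs


def sample_decision(policies, days_since_issue, revoked=False):
    """Run the IdP decision on a constructed PDC (sample dates and serial)."""
    issued = datetime(2023, 1, 10, tzinfo=timezone.utc)
    revoked_serials = {1001} if revoked else set()
    return iaq_for_pdc(build_policies_ext(policies), issued,
                       issued + timedelta(days=days_since_issue), 1001, revoked_serials)


if __name__ == "__main__":
    print(sample_decision([MEDIUM_SILVER_OID], 100))
    print(sample_decision([MEDIUM_SILVER_OID], 100, revoked=True))
```

The revocation and validity checks run before the OID lookup on purpose: a revoked or expired PDC must never yield an IAQ, whatever policy it carries, and the SP still refuses an IAQ its metadata does not certify the IdP for.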

...