Child pages
  • Assurance Implementation Example - Virginia Tech

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The InCommon Silver for Virginia Tech team interacted with the Virginia Tech Payroll and Human Resources offices to gain a good understanding of the identity information that is collected and entered into the ERP system when an employee is hired. Staff in the Hokie Passport Office confirmed identity proofing procedures used to obtain the university's ID card. The Director for Policy and Planning, the IT Security Office, the Office of Sponsored Programs, Student Network Services, and Internal Audit were all involved in the project and were kept informed of status through a project wiki space. The level of engagement with Internal Audit was high, including a pre-project briefing with the Director of Internal Audit, weekly meetings with the IT Auditor assigned to collect information and perform the verification, and working with the the Associate Director of Internal Audit to create the audit summary that was submitted to InCommon.    


What specific steps did you take to address the functional areas?


To enroll for an eToken PDC, the Subject presents all required credentials (including a valid current government-issued photo ID containing the subject's full name, date of birth, picture, and either an address or nationality) to the TAS operator. If the Subject proves to be eligible for a Silver PDC,TAS issues PDC on eToken with the "medium silver" Object Identifier (OID) as defined in the Virginia Tech User CPS. All other eToken PDCs are issued with "medium bronze" OID. Users wishing to access services that require the InCommon Bronze or Silver profile must authenticate to CAS using the eToken PDC. At authentication time, the CAS login handler recognizes the "medium silver" or "medium bronze" OID in the PDC, and passes information to Shibboleth that is used to determine if this person has authenticated with a credential that meets the Silver or Bronze profile. If the person qualifies, the Shibboleth IdP will then assert the applicable "silver" or "bronze" IAQ for this person to the SP. The SP will use InCommon metadata associated with the Virginia Tech entity id to determine whether or not Virginia Tech is certified to assert Bronze and/or Silver. 


4.2.7 Assertion Content



Communication between CAS and Shibboleth components of the IdP is achieved using a secure channel. XML digital signatures and encryption provide for non-repudiation and security, respectively, of messages sent from the IdP to service providers. 


4.2.8 Technical Environment