"Guest Identities" Survey

FINAL: Currently being put into SurveyMonkey for data collection. Thus this page has been frozen for now, with no further editing for the time being.

NOTE: You must be logged in to edit, see access instructions at

OR send mail with your comments and suggestions to Steve Olshansky, MACE-Dir Flywheel <steveo AT internet2 DOT edu>.


This survey seeks information about managing institutional "guests" - people, attributes, and affiliations with non-authoritative or non-vetted sources of data, such as self-assertion, or department-sponsored individuals.

NOTE: Contact info is for internal purposes only, for use in contacting you later if questions arise. Any public reports will EXCLUDE your info unless you give us permission to include it.

  1. Name
  2. Title
  3. Institution
  4. May we identify you in public reports resulting from this survey?

Guest survey questions

  1. Trigger or initiation of a guest identity
    • Who or what processes can trigger the provisioning of guest identity?
    • Are guest identities in a separate data store or in same data store as identities of employees and students?
    • Do guest identities require an explicit sponsor or approval - an explicitly designated person or unit or system responsible for the guest identity?
  2. Guest identity data
    • What data is required about the guest (legal name, SS# or other government identifier, DOB, email address, other)?
    • Is supplied data verified or vetted?  Is data matched against existing systems of record to avoid duplicates?
    • (How) is the source of this data retained? (for example, saving a copy of a form, a copy of a photo ID)
    • Do guests receive a netID or local equivalent in the same namespace as employees and students?
      If a separate namespace, how is namespace collision avoided?
    • Is there an explicit indication in identity record of guest origin (for example, an indicator of the sponsor)?
    • What eduPersonAffiliation values are or may be provisioned to guests?  
  3. Uses of guest identity
    • Does the guest identity receive automatically-provisioned service accounts that employees or students automatically receive
      (e.g., automatically provisioned email account or address in the domain of the institution)?
    • Do guests appear in the institutional on-line directory?  Designated as guests or affiliates to distinguish from employees and students?  Sponsor shown with record?
    • Can guests edit their record with self-service data (contact information, description, etc.)?
    • How do guests receive an initial password, claim accounts, or reset passwords? 
    • Can guests rely on external authentication (e.g., Facebook or Google) for access to institutional information resources?  
      Has this feature been requested?
    • (How) are guest identities asserted with an explicit level of assurance?
  4. Deprovisioning
    • What is the maximum amount of time a person can be affiliated as a guest before requiring renewal?
    • What other events can lead to deprovisioning or invalidating a guest identity?
    • If guests are explicitly sponsored, what occurs when the sponsor leaves?
    • (How) do you control guest identities so as to provision only a single guest identity to a person?
    • Are guest accounts ever converted to non-guest identities using the same identifier?



  1. Survey tool: Survey Monkey (or Qualtrics, used by Keith and UW-Madison)?

    ultimately send to lists: IDM, MACE-Dir, REFEDS (is there an email list?), Middleware-Announce (, CIO if moderator agrees,...

    1. FYI The mailing list is you can subscribe via or read the archive at

  2. Some quick thoughts and observations:

    Why does the current draft ask about "the maximum amount of time a person can be affiliated on a guest account" in both sections 1 and 3?

    Shouldn't there be a section 4 specific to issues of deprovisioning, deactivation, purging vs deactivated but present, and the resulting impacts on associated authorization management systems?

    The current survey is not well structured for people responding from organizations which have multiple guest or affiliate systems.

    Section 2 asks about "eduPersonAffiliation", but does not ask if guest accounts can be granted entitlements or if IdP is issuing different scopes based on an account's affiliation.

    Are any respondents planning to implement a process which will enable an IdP to assert a higher than minimum LOA for specific guests or affiliates? (relevant to section 2)

    1. Thank you.  I've tried to reflect these excellent comments in the current draft.

  3. Modest revisions for clarity and consistency of language, per detailed comments from Mark Scheible.