Service | Reassign | Pwd Policies | MFA | ID Proof | Attributes | Attr Stability | Release | Consent | Consent Expr | MFA Expr | Directed vs. Static | Mission | Stability | EULA/Terms | Cost | Audits

  • Account Management Policies
    • Reassign: Policies around reassignment of accounts. Specifically, whether the "key identifier" is reassigned to different users.
    • Pwd policies: Overview of password requirements (related to complexity, guessing resistance, etc.)
    • MFA: Does the vendor offer multi-factor support?
  • Account Identity Vetting
    • ID Proof: Is there any identity proofing done by the external provider that would allow a campus to trust attributes other than Ext ID-sourced IDs (like "Account Name" and "email")?
    • Attributes: Related to ID proofing, what attributes are collected and how are they proofed?
    • Attr Stability: Stability of the External ID and attributes over time
  • AuthN Policies
    • Release: Attribute release practices, including
      • What attributes are released?
      • What is the granularity of data release? (Attributes vs. bundles)
    • Consent: Is there a user consent process before data is released to SPs?
    • Consent Expr: How does the provider express that user consent was provided for release?
    • MFA Expr: How does the provider express whether multi-factor has been used?
    • Directed vs. Static: Does the External ID provider release a directed (per SP) or static (correlatable across SPs) identifier?
  • Company Details
    • Mission: Mission of the company, including:
      • Private vs. public
      • Privacy focus
    • Stability: Stability of the vendor and the service that the vendor offers
      • Likely this is not directly measurable, and would be more along the lines of "how long in business", "how long service has been operational", "how many users using their IDs", etc.
  • Other Concerns
    • EULA/Terms: Are there terms the external provider applies that are potentially in conflict with general campus policies?
    • Cost: Is there a cost to the user or the organization to leverage the IDs?
    • Audits: What third-party certifications or audits are available to confirm the function of the service?