InC-Student: Notes from 3/20/2009

----------
Attending

Andrea Beesing, Cornell University
Brendan Bellina, University of Southern California
Steven Carmody, Brown University
Renee Frost, Internet2
Karen Hanson, University of Wisconsin-Madison
Nancy Krogh, University of Idaho
Renee Shuey, Penn State University
Ann West, Internet2/EDUCAUSE
Dean Woodbeck, Internet2 (scribe)

----------
Action Items

(AI) RL Bob Morgan will revise the Attribute Release and FERPA document that is on the wiki.

(AI) Ann West will distribute links to InCommon policies that relate to how SPs can use data they may gather via the attribute exchange process.

----------
Update from Stanford/National Student Clearinghouse

At CAMP, a number of institutions expressed an interest in joining the National Student Clearinghouse pilot. Bruce Vincent (Stanford) indicates that some standardization of the data needs to occur for other institutions to join. Ann West is setting up a wiki that Stanford can use to distribute information about participating in the pilot.

----------
Update - AACRAO Article

An article based on Wisconsin's work on IdM governance will appear in the next issue of the AACRAO College and University Journal. Karen Hanson, Ann and Dean will develop on a follow-up article about IdM resources based on the February 2009 CAMP. Mark McConahay has also offered to help. The issue with this article will appear around the time of the AACRAO Tech meeting.

----------
Update - AACRAO Tech

Mark McConahay is putting together an IdM track for the AACRAO Tech meeting; Ann and Andrea will be presenting.

----------
User Consent Plug-in for Shibboleth

Steven Carmody provided an overview of uApprove, a user consent plug-in for Shibboleth developed by SWITCH, the Swiss higher education and research network. uApprove provides a user the ability to manage their identity by approving/disapproving the attribute release to service providers. http://www.switch.ch/aai/support/tools/uApprove.html

The first time a browser user encounters Shibboleth, uApprove pops up a terms-of-use page, customized by the IdP. To get past this page, the user has to accept the terms, then confirm that choice.

The uApprove plug-in provides a customized browser page the first time a user accesses an SP. The page lists the attributes being released to that SP. The user must approve the release and click through a confirmation page. If the user disapproves, the transaction ends. uApprove also allows users to un-confirm a previous decision and logs all confirmations to a database.

There were questions about the amount of training necessary for students and other users to understand and use this tool. A user study may help. There was also a discussion about related FERPA requirements. By allowing for user consent, it seems that there no FERPA concerns with this tool, assuming that identity-proofing is done properly in the first place. Students would need to be informed about what they are agreeing to release.

There was also a discussion about the InCommon policies regarding how SPs can use data that they may collect through attribute exchanges. (AI) Ann will send links to such policies to the list. There were also a series of questions about how uApprove would handle more-complex scenarios than, say, enrollment verification.

The major questions that came from this discussion were:

  • What are the policies and agreements concerning what an SP does with data once it is passed from the IdP.
  • What is institution's responsibility for protecting FERPA-protected data vs. the student's agreement to release the data? When is that handoff made?

--------
Next Call - April 3, 2009 at 3:00 pm (EDT)

  • No labels