Assurance

["Roy, Nicholas S" <>]

Some kind of generalized management assertion could be created and contributed here:

https://spaces.internet2.edu/display/InCAssurance/4.2.5+Authentication+Process

I’d encourage interested parties to take a shot at writing one and when we get all the generalized management assertions put together (that we can) we can run it by the Big Ten auditors and/or other auditors.

Jim Green, if you’re on this list- would it be a good idea to try to do a session on generalized management assertions on the regular assurance group call, if that sounds good to Ann and the rest of the group?

Nick

From: [mailto:] On Behalf Of Cantor, Scott
Sent: Wednesday, August 08, 2012 8:28 AM
To: <>
Cc: ; Russell J Yount
Subject: Re: [Assurance] Addressing InCommon IAP & Shibboleth IdP

 

On Aug 8, 2012, at 8:02 AM, "Russell J Yount" <> wrote:

I could not find references on wiki.shibboleth.net as to how Shibboleth IdP handles sessions with enough details to point an auditor too.

 

Out of curiosity, is there any product, or indeed web application that does document that in such detail? I ask because it reflects on the wisdom of that level of detail in the document.

How have others addressed this area? Would it make sense for the InCommon Assurance group to put some text together for a stock Shibboleth installation and perhaps for common add-ons such as the Ohio State Custom Login Handler which provides technical details that one could point an auditor to?

 

What does an auditor require? Is a statement to the truth of the requirement sufficient? And how, again, is anybody running, say, ADFS expected to get their answer?

 

-- Scott