
Chapter 1. Federation Charter

1. Overview

This chapter provides a high level description of the creation and management of the UNC Federation. Subsequent sections will provide additional technical details, but the ultimate specific details and logistics will be left to the discretion of the managing entity, UNC - General Administration (GA). The goal of this chapter is to provide insight and understanding into Federation operations to enable members to sufficiently interact with the Federation. In addition, the transparent nature of the Federation will help ensure security and trustworthiness of the asserted attributes.

2. Role of UNC - General Administration

UNC - General Administration (GA) will serve as the administrative entity for the Federation. GA will maintain the authoritative list of registered participants, service providers, and identity providers. These lists will be appropriately signed by GA's certificate authority (CA) to ensure authenticity of the data. GA will be responsible for providing the necessary web interfaces to enable registry of service providers and identity providers for each participating member.

3. Governance

The day-to-day operations along with routine decision making will be handled by GA. However, the UNC Chief Information Officers' (CIO) council will have the ability to steer the Federation to the benefit of the collective community. The CIO council will have the opportunity to request changes, develop position papers, provide advice, and prioritize implementation schedules. As such, General Administration acts as the executor of these strategic directions and makes the technical implementation decisions required to meet the stated needs.

4. Participation

4.1. Eligibility

Initial participants will be constituent members of the University of North Carolina, and MCNC, an outside entity. The UNC Center for Public Television (UNC-TV) is considered a constituent member in this context. As an outside entity, MCNC may be required to operate under rules and regulations separate from constituent members of the University of North Carolina, in order to establish and maintain security for constituent members’ data.

4.2. Joining the Federation

As previously stated, outside entities will require sponsorship of an existing UNC constituent in order to join the Federation. The following process will be followed in order to determine admission:

  1. Apply for Admission - The joining entity will complete the admissions application in conjunction with their sponsoring entity. Once completed, that entity will officially submit it to General Administration. The admissions application will collect the following information:

    • From Outside Entity

      • Introductory statement

      • Reason for requesting membership

      • Benefits that the federation will gain if granted membership

      • Detailed responses to all the metadata from ???

    • From Sponsoring UNC Institution

      • Reason for sponsoring

      • Explanation of benefits to the institution

  2. Review by Panel - General Administration will work with the CIO council to develop a 5-6 member review panel. This panel will take the request under advisement to review the documentation and evaluate the appropriateness of the request. If the volume of these requests is high, the panel might become a standing subcommittee of the CIO council. Alternatively, under a low volume of requests, panel membership will be more fluid and staffed on a case-by-case basis. The CIO council, in conjunction with General Administration, will have the ability to make this staffing determination based on the average volume of requests. The panel will make a recommendation about the inclusion or exclusion of the entity based on the admissions application and subsequent internal discussions. This recommendation will be in the form of a written position statement crafted by the chair of the panel.

  3. Legal Review - The legal staff at General Administration will review the application as well as the written recommendation from the review panel and provide a written recommendation about the potential inclusion or exclusion of the entity in question.

  4. Review by CIO Council - The CIO council will receive the written statement from the review panel and the legal staff. The panel will proceed to discuss and ultimately vote on the admission or exclusion of the entity. This vote includes the CIOs from the 16 Universities, UNC Public Television, General Administration, and the North Carolina School of Science and Math. A majority of votes is needed to carry the motion in either direction. CIO members are allowed to vote: "Include", "Exclude", or "Present". In the event of a tie, the CIO from General Administration will break the tie.

  5. Proceed if Accepted - If the CIO council approves the request, then the external entity is responsible for paying the required participation fees and proceeding with the remainder of the registration process (completing full metadata, registering systems, etc).

  6. Appeal if Denied - If the CIO council denies the request, then the external entity has the ability to appeal the decision by submitting a formal written statement to General Administration. This statement should explain the reasons for appeal and any new evidence that the review panel should consider. This action will return the process to step #2 and continue.

4.3. Participation Fees

The constituent members of UNC are not required to pay any additional participation fees for the maintenance of the Federation. Entities not directly affiliated with UNC may be charged an additional participation fee to cover the operating costs of maintaining their membership. The exact amount of this fee will be set by the governing body after deliberating with the day-to-day operating personnel; these fees will be established as part of the evaluation process of the initial joining request. On an annual basis, the Federation has the option to revisit this fee structure due to changing market conditions and operating costs. This section will be replaced with the official fee policy once that determination has been made by the steering committee.

5. Registration


5.1. Participants

Each participating member of the Federation is required to register both an executive member and a technical member with General Administration. The executive member (likely the CIO) will represent the member in high level matters concerning Federation policy and decision making. The technical member will serve as the day-to-day technical contact responsible for ensuring providers are running and delivering accurate assertions from the underlying identity database. General Administration will establish out of band communication with these officers to enhance the level of assurance surrounding the validity of the member. See ???, for details concerning the establishment of these officers.

5.1.1. Digital Certificates

Successful operation of the Federation will require signed digital certificates for: 1) attribute signing, 2) attribute encryption, and 3) normal web server SSL encryption. General Administration will serve as the certificate authority (CA) for the digital certificates required for attribute signing and attribute encryption. Each member will have the appropriate web interface to upload Certificate Signing Requests (CSRs) for subsequent signing and delivery. General Administration will provide this framework for both identity providers (IdPs) and service providers (SPs) that are members of the Federation. These digitally signed public keys will be part of the metadata files that create the trust fabric for the Federation.

Each member will be required to supply its own web server SSL certificates for both its IdPs and SPs. These SSL certificates must be signed by a well-known CA in order to avoid unwanted security warnings in the user's web browser. Since General Administration is not a globally recognized certificate authority, these certificates must be obtained by alternate means.
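The CSR-and-signing flow described above, as an added example using openssl (this is not the Federation's or GA's own tooling). The federation CA, the member name, and the file names are constructed stand-ins; the script also shows why the same federation-signed certificate would not satisfy a browser, which is why web server SSL certificates must come from a well-known CA.

```shell
#!/bin/sh
# Added example (not the Federation's own tooling): simulates the section 5.1.1
# flow with a CONSTRUCTED stand-in for the GA certificate authority.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Constructed federation CA. In the real Federation, GA holds this key and
#    members never see it; it exists here only so the example runs offline.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout fed-ca.key -out fed-ca.crt \
  -subj "/O=Example Federation/CN=Constructed Federation CA" >/dev/null 2>&1

# 2. Member side: generate the IdP attribute-signing key pair and a CSR.
#    Only the CSR (public key + subject) is uploaded; the private key stays home.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout idp-signing.key -out idp-signing.csr \
  -subj "/O=Example Member/CN=idp.member.example" >/dev/null 2>&1

# 3. CA side: sign the CSR. This is what the GA web interface does after the
#    request has been confirmed out of band (telephone call or email).
openssl x509 -req -in idp-signing.csr -CA fed-ca.crt -CAkey fed-ca.key \
  -CAcreateserial -days 30 -sha256 -out idp-signing.crt >/dev/null 2>&1

# Does a certificate chain to the federation CA? (metadata trust-fabric check)
chains_to_federation_ca() {
  openssl verify -CAfile fed-ca.crt "$1" >/dev/null 2>&1
}

# Does a certificate chain to the operating system's public CA bundle?
# (this is the check a browser performs on the web server SSL certificate)
chains_to_public_cas() {
  openssl verify "$1" >/dev/null 2>&1
}

# Does the signed certificate still carry the member's CSR public key?
# Prints "match" or "mismatch".
csr_key_matches_cert() {
  csr_key=$(openssl req -in "$1" -noout -pubkey)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$csr_key" = "$crt_key" ] && echo match || echo mismatch
}

if chains_to_federation_ca idp-signing.crt; then
  echo "idp-signing.crt is trusted inside the Federation"
fi
if ! chains_to_public_cas idp-signing.crt; then
  echo "... but a browser would warn: use a well-known CA for SSL certificates"
fi
echo "public key: $(csr_key_matches_cert idp-signing.csr idp-signing.crt)"
```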

5.2. Registered Systems

The purpose of the federation is to create an authoritative repository for all valid identity providers and service providers within the University of North Carolina. As such, each entity is responsible for registering all such systems with the Federation metadata. As discussed in the previous section, this authoritative repository is created by signing certificate requests with the federation certificate authority. Therefore, each registered system represents one public/private key pair with appropriate signature from the authority.

To accomplish this system registration, the technical contact for each entity will be provided access to the federation administrative web interface. This interface will enable the technical contact to add, update, remove, and revoke registered systems in the federation. General Administration will make efforts to ensure that certificate signing requests are valid and appropriate by confirming such electronic requests via an alternate means such as a telephone call or an email. General Administration will maintain a production and a development version of the federation metadata for the convenience of its members.