Global Operational Level Agreement between Service Providers and UWM Identity and Access Management (IAM) Services
The Identity and Access Management (IAM) Program provides a portfolio of service functions to the UWM campus to enable access to services needed by the UWM community. A primary function is a centralized authentication service to enable secure access to web-based applications offered by a "Service Provider" using the SAML protocol. This service has been branded the UWM 1Login Service.
Roles
- Service Owner -- The role of "service owner" is accountable for the delivery of a specific service to the campus community and carries with it a series of responsibilities. Each service provider must have a designated "service owner" before it can be integrated in UWM Identity and Access Management (IAM) infrastructure.
- IAM Group Manager -- The role of "IAM Group Manager" is accountable for the delivery of Identity and Access Management (IAM) services needed to support service providers offering services to the UWM community.
Each service provider must register with The UWM 1Login Service before being integrated. Registration is accomplished using the following process:
- Before registration, the "Service Owner" must have the following:
  - The ePantherID of the designated "Service Owner"
  - The ePantherID of a technical contact for UWM-maintained custom services
  - The EntityID of the Service Provider
    - NOTE - For UWM ColdFusion Applications, the EntityID should be the actual web site address (not a vanity address)
  - Type of environment (Production, QA, Test, Development, Vendor Hosted, Other)
  - A brief service description
- Registration indicates acceptance of accountability by the "Service Owner" of the obligations outlined in the OLA section of this document.
- To request integration with the UWM 1Login Service, the designated "Service Owner" must register. Please email firstname.lastname@example.org to start the registration process. Please include the email address of the service owner and the purpose of the service. A member of the IAM Team will be in contact to assist with the registration.
Operational Level Agreement (OLA)
The Service Provider / Service Owner Shall:
- comply with Wisconsin State Law and university policy regarding entering into an agreement to purchase software or use an external service provider. NOTE - Regardless of cost, only designated representatives of UWM can enter into contracts on behalf of UWM. Failure to follow procurement procedures will result in personal liability.
- involve UWM Information Security Office during selection and evaluation of new IT services to ensure protections for privacy and confidential data.
- involve UWM Identity and Access Management Program during selection and evaluation of new IT services to ensure compliance with standards for UWM IT environment.
- comply with any FERPA directory hold, Wisconsin Public Records Law and UWM defined directory hold privacy assertions according to established guidelines.
- enforce guidelines for the display of directory information in accordance with FERPA, Wisconsin Public Records Law and established guidelines.
- define who is authorized to access the service and how access is granted.
- enforce authorization access controls for the service.
- define how support is provided for the service.
- publish the support procedure for the service.
- provide support for customers of the service.
- address operational issues with the service.
- manage the relationship with the vendor providing the service.
- maintain appropriate technical capability and a "Technical Contact" for custom developed services.
- communicate changes to the IAM Group Manager that affect customer access to the service.
The UWM 1Login Service Shall:
- provide SAML 2.0 based security assertions to the service provider suitable for service authentication.
- provide attributes in the security assertion that can be used to authorize access to the service provider based on the individual requirements of the service provider.
- enforce privacy assertions authorized by FERPA and Wisconsin Public Records Law.
- provide attributes in the security assertion that can be used to limit the display of general directory information by service provider based on the individual requirements of the service provider.
- contact Service Owners of registered service providers regarding service maintenance or outages related to the UWM 1Login Service.
- work with Service Owner and Technical Contact(s) to integrate approved service providers with the UWM 1Login Service.
- respond to service provider specific configuration changes at the request of the Service Owner.
- refer service providers that do not have a designated Service Owner to the IAM Steering Committee for review.
Recommended Good Practices for Service Providers
The following are recommendations for service providers:
- Publishing a Service Catalog entry for the service provider fulfills several obligations of the OLA.
- Working with hosted service vendors that are members of the InCommon Trust Federation can simplify integration.
Definitions
- "Assertion" - Identity information provided by the UWM 1Login Service to a Service Provider.
- "Custom Service" - Any locally maintained software or service development that provides a custom service or modifies a service that is vendor or community provided.
- "Service Provider" - The integration point between a service and the centrally maintained ePantherACCOUNT.
- "Service Owner" - Accountable for the delivery of a specific service to the campus community.
- "Technical Contact" - Responsible for operation and support of a custom service.
Revision History
- Draft/Public Comment - RANKM - Nov. 2011
- Edits to remove DRAFT label - RANKM - Jan. 2012
- Edits to reflect service name change - CSPADA - March 2013