Shibboleth Deployment Checklist
The checklist below provides a list of the policy, process, and technical steps for each deployment stage. Use this list as a guide, not a requirement; you may need to work through only a subset of these actions.
Stage 1: Intra-campus Web Single Sign-on - Central Identity Provider
Policy Steps
  Define who establishes various policies related to single sign-on (SSO) and authentication
  Have basic identity management policies in place, including data and service stewardship responsibilities and use of the system
  Have policy in place specifying whether NONE/SOME/ALL campus authenticated web sites are REQUIRED to use the central single sign-on system
Business Practice Steps
  Create Help desk support for users encountering problems accessing central web sites protected by SSO
  Reliably issue credentials to on-campus faculty/staff/students
  Create Help desk support for users encountering problems accessing department web sites protected by SSO
Technical - Basic Identity and Access Management Steps
  Provision/de-provision accounts for and authenticate on-campus faculty, staff, and students
  Provision/de-provision accounts for and authenticate other constituencies (e.g. applicants, alums, affiliates)
Technical - Shibboleth Software Steps
  Install/operate/manage Shibboleth identity provider software
Stage 1: Intra-campus Web Single Sign-on - Central and Department Service Providers
Policy Steps
  Define how often department service providers should refresh their metadata
  Promulgate policy describing process and constraints when the service provider is compromised
  Define minimum operational and environmental requirements for the remote server/application
  Define policies on log retention at service providers
Business Practice Steps
  Create process to register a new service provider (e.g. site inspection requirements)
  Create problem resolution process for when users cannot access department-supported service provider
  Create process for service providers to report abuse of their site (e.g. by anonymous users)
Technical - Basic Identity and Access Management Steps
  Provide tech support to department service provider sites, including documentation describing the web SSO service (description, process to participate, etc.)
Technical - Shibboleth Software Steps
  Manage the metadata describing department service providers and provide mechanism for distribution
  Choose approach to PKI trust within the campus federation (rooted, self-signed)
  Provide installation instructions, configuration files and other local files (e.g. error pages, logos) customized to the campus for the department sysadmins
Stage 2: Attribute Delivery - Central Identity Provider
Policy Steps
  Identify attribute source systems and define and describe the set of attributes that are available
  Identify who governs the decision to release attribute X to service provider Y
  Develop policy defining, in a general way, which services are eligible to receive which attributes
  Achieve buy-in to attribute release process from Identity stakeholders
Business Practice Steps
  Define problem escalation procedure, such as when the wrong attributes are sent to a service provider
  Define process to follow when a service provider requests an attribute that is not currently available as defined by the policy above
Technical - Basic Identity and Access Management Steps
  Maintain a minimal set of attributes describing each user
  Populate eduPerson attributes for each user
  Manage entitlement values on user objects
  Provide support for groups in the local directory and configure Shibboleth to use them
Technical - Shibboleth Software Steps
  Configure the identity provider attribute resolver for the appropriate sources
  Identify who is responsible for editing/implementing the attribute release policies
Stage 2: Attribute Delivery - Central and Department Service Providers
Policy Steps
  Develop policy governing use of attributes by service providers such as attribute retention, sharing, etc.
Business Practice Steps
  Define process a service provider would use to request attributes and the process used to respond to the request
Technical - Shibboleth Software Steps
  Document how a service provider's web server could authorize users given the provided attributes
  Document how an application could use the supplied attributes in alternative ways, such as for customization or form completion
Stage 3: Inter-campus Federation - Central Identity Provider
Policy Steps
  Ensure compliance with federation policies
  Publish identity management and identification and authentication practice, if required
Business Practice Steps
  Define process for a) a department requesting an attribute release policy referring to a remote site, and b) central IT reviewing, creating, and managing the attribute release policy
  Define help desk process for when user encounters a problem accessing remote sites
Technical - Basic Identity and Access Management Steps
  Ensure compliance with federation attribute practice
Technical - Shibboleth Software and Federation Requirements Steps
  Follow technical steps to join the desired federation
  Configure identity provider software to use federation metadata and credentials and refresh when required
Stage 3: Inter-campus Federation - Central and Department Service Providers
Policy Steps
  Ensure SP is compliant with federation policies
Business Practice Steps
  Ensure service provider has defined problem resolution process for remote users
  Create process for department service provider to ask to be added to federation metadata
Technical - Shibboleth Software and Federation Requirements Steps
  Add service provider information to the federation metadata
  Configure service provider software to use federation metadata and credentials and refresh when required
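The following shibboleth2.xml fragment is an added example, not part of the checklist or of the Shibboleth project's own distribution, showing how a department SP would carry out the last step (consume and periodically refresh signed federation metadata), the Stage 1 PKI trust choice (trust only keys published in that metadata) and the Stage 2 item on authorizing users at the web server from released attributes. The hostnames, file names, the federation URL and the attribute id "affiliation" are assumed placeholders; the id must match whatever attribute-map.xml assigns to eduPersonScopedAffiliation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example fragment of a Shibboleth SP 3 shibboleth2.xml; names and URLs
     are constructed placeholders. Sessions, handlers and credentials are
     omitted and would sit alongside the elements shown here. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

  <!-- Web-server-level authorization from released attributes: only users
       whose scoped affiliation is staff at the home campus reach /secure,
       regardless of what the application behind it does. -->
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="sp.example.edu">
        <Path name="secure" authType="shibboleth" requireSession="true">
          <AccessControl>
            <Rule require="affiliation">staff@example.edu</Rule>
          </AccessControl>
        </Path>
      </Host>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth"
                       REMOTE_USER="eppn">

    <!-- Federation metadata: downloaded from the federation, cached in the
         backing file and re-fetched at most every two hours (the "refresh
         when required" step). A bare provider with only url= and no
         filters would accept whatever the download or the cached file
         contains, so every filter below is load-bearing. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://federation.example.org/metadata.xml"
                      backingFilePath="federation-metadata.xml"
                      maxRefreshDelay="7200">
      <!-- Reject metadata that carries no validUntil or is valid for more
           than 28 days, so a stale copy cannot be reused indefinitely. -->
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <!-- Verify the federation operator's signature before trusting any
           IdP it describes; this is the "rooted" trust choice from Stage 1. -->
      <MetadataFilter type="Signature" certificate="federation-signer.pem"
                      verifyBackup="false"/>
      <!-- Keep only IdP roles; this SP has no use for other SPs' entries. -->
      <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
      </MetadataFilter>
    </MetadataProvider>

    <!-- Accept only signing/encryption keys that appear in the verified
         metadata above; no out-of-band or self-asserted certificates. -->
    <TrustEngine type="ExplicitKey"/>

  </ApplicationDefaults>
</SPConfig>
```

After a metadata change, the SP log shows the refresh and any filter rejection, which is the first place to look when a newly registered department IdP or SP fails to appear.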