...

The most critical responsibility that an Identity Provider Participant has to the Federation is to provide trustworthy and accurate identity assertions. It is important for a Service Provider to know how your _electronic identity credentials_ are issued and how reliable the information associated with a given credential (or person) is.

...

If you are an Identity Provider, how do you define the set of people who are eligible to receive an _electronic identity_?  If exceptions to this definition are allowed, who must approve such an exception?

...

Please describe in general terms the administrative process used to establish an electronic identity that results in a record for that person being created in your _electronic identity database_?  Please identify the office(s) of record for this purpose.  For example, "Registrar's Office for students; HR for faculty and staff."

...

The University implements SSO via the JA-SIG Central Authentication Server (CAS), which is branded as the UH Web Login. The UH Web Login has an 8-hour session timeout and stores the ticket-granting ticket (TGT) in a session cookie. The 8-hour timeout expires any CAS session that is older than 8 hours. If a session (determined via a user's TGT) is over 8 hours old, the credentials will have to be reentered for access to an SSO resource. The TGT cookie is destroyed when the web browser is closed, thereby ending the CAS session. The next time the person tries to access an SSO resource, CAS will ask again for credentials.

2.7 Are your primary _electronic identifiers_ for people, such as "net ID," eduPersonPrincipalName, or eduPersonTargetedID considered to be unique for all time to the individual to whom they are assigned? If not, what is your policy for re-assignment and is there a hiatus between such reuse?

...