Roles and Responsibilities of Application Teams vs. IAM in the Integration Process

As a member of the application team, you will be coordinating with the IAM team to get your application integrated with HarvardKey. Before requesting integration, you should be familiar with your roles and responsibilities as well as the role that IAM team members play throughout the integration process.

Roles and Responsibilities

Application Owners

  1. Complete a preliminary application registration form, maintain the data, and keep it updated
  2. Allow for enough time during their application development cycle for consultation and integration with HarvardKey
    1. Application owners new to HarvardKey should review the HarvardKey Application Integration Services section of the IAM website and then schedule time to consult with the IAM team
  3. Provide technical resources to collaborate with the IAM team during the application integration process. (If a vendor is handling the technical configuration, have them identify a technical representative to serve in this role.) Technical resources should:
    1. Become familiar with authentication and authorization practices and supported CAS/SAML protocols
    2. Have the necessary access to configure authentication on the application end
    3. Understand attributes required by the application and determine the unique identifier
    4. Answer questions required to finalize authentication design (e.g., whether the application can handle an encrypted token, whether the application requires a name ID)
  4. Configure the protocol-specific components of authentication in the service provider application in consultation with external documentation
  5. Manage the lifecycle of SAML SP Signing and Encryption Certificates
    1. Generate signing and encryption certificates with a minimum expiration of three (3) years, consistent with InCommon Federation best practices. IAM recommends generating long-term self-signed certificates.
    2. Monitor the expiration date of the certificate(s) and submit a request to IAM to replace the certificate a minimum of two weeks in advance of expiration
  6. Be a proper steward of attribute data in alignment with the Standards for Attribute Release section of this policy.
  7. Direct users to the official HarvardKey credential collector (sign-in page) for entering their authentication credentials (e.g., ID and password pair). The user must be redirected to this page; the page must not be presented to the user via web frames or any other method.
  8. Secure the application to ensure that only users with a valid assertion are granted access. To secure application access, IAM provides a single assertion upon login and blocks or allows the authentication request based on authorization filters. IAM does not restrict user access beyond initial authentication; session management is the responsibility of the application.
  9. Manage the provisioning of access and revocation of access for their application.
  10. Ensure that the application team and third-party vendors comply with relevant Harvard policies and guidelines, including but not limited to the Information Security Policy, the Accessible Technology Procurement and Development Policy, the General Records Schedule, and Harvard’s data privacy guiding principles.
  11. Review the application registration data annually
  12. Monitor application availability using a URL that does not require a HarvardKey login. Report unplanned application outages likely to result in significant Service Desk traffic by emailing huit-supportctr@mailman.fas.harvard.edu and iam_help@harvard.edu.  
  13. Notify IAM of faults or issues (e.g., breach) by emailing iam_help@harvard.edu 
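The certificate lifecycle duties in item 5 (a self-signed SP certificate with at least three years of validity, and a replacement request at least two weeks before expiry) can be scripted. The following is an added example, not part of this policy or of IAM's tooling; it assumes the openssl command-line tool is installed, and the file names and subject name are placeholders.

```shell
#!/bin/sh
# Added example (not IAM's code). Assumes openssl is on PATH.

# Generate a self-signed SAML SP signing/encryption certificate.
# 1100 days covers the policy's three-year minimum with a small margin.
generate_sp_cert() {
  key="$1"; cert="$2"; days="${3:-1100}"; subject="${4:-/CN=sp.example.edu}"
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days "$days" \
    -keyout "$key" -out "$cert" -subj "$subject" >/dev/null 2>&1
}

# Return 0 (true) if the certificate will still be valid N days from now.
valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -noout -checkend $(( days * 86400 )) -in "$cert" >/dev/null 2>&1
}

# Policy check: a newly generated SP certificate must carry >= 3 years.
meets_three_year_minimum() {
  valid_for_days "$1" $(( 3 * 365 ))
}

# Renewal check: the replacement request is due two weeks before expiry,
# so flag any certificate that lapses within the next 14 days.
needs_renewal_request() {
  if valid_for_days "$1" 14; then return 1; else return 0; fi
}

# One-line status suitable for a cron job or monitoring check.
report_cert() {
  cert="$1"
  notafter=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
  if needs_renewal_request "$cert"; then
    echo "$cert: expires $notafter -> submit replacement request to IAM now"
  elif meets_three_year_minimum "$cert"; then
    echo "$cert: expires $notafter -> ok (3+ years remaining)"
  else
    echo "$cert: expires $notafter -> ok, keep monitoring expiration"
  fi
}
```

Run `generate_sp_cert sp.key sp.crt` once at integration time and schedule `report_cert sp.crt` to run daily so the two-week warning is never missed.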

IAM

  1. Provide and maintain the HarvardKey authentication and authorization service
  2. Routinely update and patch the platform with minor releases and security patches
  3. Monitor service availability and communicate service interruptions or degradation through standard HUIT service management channels
  4. Consult with business owner and customer technical contact on:
    1. Eligibility for HarvardKey integration
    2. Appropriate authentication and authorization design
  5. Configure the Identity Provider (IdP) based on the registration request submitted by the customer and any subsequent update request
    1. Apply authorization filters to ensure that users have least privilege
    2. Set the HarvardKey idle session timeout to two hours
  6. Notify application owners of problems or faults with a registration
  7. Maintain knowledge articles and resources