Internet2 MACE-Dir(ectories) Working Group "Guest Identities" Survey Results

In July 2011, the MACE-Dir working group distributed this survey, the development of which was led by David Bantz, U. Alaska. Respondents included representatives from a wide spectrum, ranging from small private colleges to large public universities, and included some from outside the US.

Institutions of learning often need to provide access to electronic services or resources to individuals who do not have a formal relation with the institution either as student or employee. Such users are often referred to as guests or affiliates or sponsored members of the institution (that is, rather than students, faculty, or staff). Access to specific services may be provided to guests by ad hoc or exception processing, but such manual and application-specific processing easily leads to cumbersome and slow provisioning, inconsistent user experience, and consequent support headaches. Many institutions seeking to streamline, scale, and rationalize authentication and privilege management for an increasing number of services have developed systems (technologies and business processes) to manage guest identities - that is, to create and manage digital identities for guests, affiliates, or sponsored members within or parallel to management of digital identities for students and employees. This survey aims to collect information about how institutions have addressed this need. The results should both indicate the breadth of approaches already deployed and inform decision-making by institutions looking to develop solutions.

0. Responding Institutions
Response | Response Percent | Response Count
Institution | 100.0% | 61

1. Who or what processes can trigger the provisioning of guest identity?
Answered question: 50; skipped question: 11
Response Count: 50

2. Are guest identities:
Answered question: 46; skipped question: 15
Response | Response Percent | Response Count
in a separate data store? | 34.8% | 16
in same data store as identities of employees and students? | 65.2% | 30
Other (please specify) | | 9

3. Do guest identities require an explicit sponsor or approval - an explicitly designated person or unit or system responsible for the guest identity?
Answered question: 49; skipped question: 12
Response | Response Percent | Response Count
Yes | 85.7% | 42
No | 14.3% | 7
Other (please specify) | | 9

4. What data is requested about the guest?
Answered question: 47; skipped question: 14
Response | Response Percent | Response Count
Legal name | 93.6% | 44
SS# or other government identifier | 31.9% | 15
Date of Birth | 46.8% | 22
E-mail address | 70.2% | 33
Other (please specify) | | 27

5. Is supplied data verified or vetted?
Answered question: 46; skipped question: 15
Response | Response Percent | Response Count
Yes | 30.4% | 14
No | 69.6% | 32
Other (please specify) | | 9

6. Is data matched against existing systems of record to avoid duplicates?
Answered question: 47; skipped question: 14
Response | Response Percent | Response Count
Yes | 68.1% | 32
No | 31.9% | 15
Other (please specify) | | 6

7. (How) is the source of this data retained? (for example, saving a copy of a form, a copy of a photo ID)
Answered question: 45; skipped question: 16
Response Count: 45

8. Do guests receive a NetID (a unique identifier) similar to that provided students and employees?
Answered question: 44; skipped question: 17
Response | Response Percent | Response Count
Yes | 84.1% | 37
No | 15.9% | 7
Other (please specify) | | 10

9. What precludes a collision between NetIDs issued to guests with NetIDs for students or employees?
Answered question: 49; skipped question: 12
Response | Response Percent | Response Count
Single registry for guests, students and employees alike | 51.0% | 25
Non-overlapping namespaces (guests' NetIDs syntactically distinct from those for students & employees) | 49.0% | 24
Other (please specify) | | 3

10. Is there an explicit indication in identity record of guest origin (for example, an indicator of the sponsor)?
Answered question: 49; skipped question: 12
Response | Response Percent | Response Count
Yes | 71.4% | 35
No | 28.6% | 14
Other (please specify) | | 4

11. What eduPersonAffiliation values are or may be provisioned to guests?
Answered question: 48; skipped question: 13
Response Count: 48

12. Does the guest identity receive automatically-provisioned service accounts that employees or students automatically receive (e.g., automatically provisioned e-mail account or address in the domain of the institution)?
Answered question: 41; skipped question: 20
Response | Response Percent | Response Count
Yes | 26.8% | 11
No | 73.2% | 30
Other (please specify) | | 15

13. Do guests appear in the institutional on-line directory?
Answered question: 41; skipped question: 20
Response | Response Percent | Response Count
Yes | 19.5% | 8
No | 80.5% | 33
Other (please specify) | | 8

14. If guests appear in the institutional on-line directory, are they designated as guests or affiliates to distinguish from employees and students?
Answered question: 21; skipped question: 40
Response | Response Percent | Response Count
Yes | 38.1% | 8
No | 61.9% | 13
Other (please specify) | | 10

15. If guests appear in the institutional on-line directory, is the sponsor shown with the record?
Answered question: 22; skipped question: 39
Response | Response Percent | Response Count
Yes | 4.5% | 1
No | 95.5% | 21
Other (please specify) | | 9

16. Can guests edit their record with self-service data (contact information, description, etc.)?
Answered question: 42; skipped question: 19
Response | Response Percent | Response Count
Yes | 14.3% | 6
No | 85.7% | 36
Other (please specify) | | 5

17. How do guests receive an initial password, claim accounts, or reset passwords?
Answered question: 48; skipped question: 13
Response Count: 48

18. Can guests rely on external authentication (e.g., Facebook or Google) for access to institutional information resources?
Answered question: 46; skipped question: 15
Response | Response Percent | Response Count
Yes | 4.3% | 2
No | 95.7% | 44
Other (please specify) | | 4

19. If the answer to the previous question was no, has external authentication (e.g., Facebook or Google) for access to institutional information resources been requested?
Answered question: 42; skipped question: 19
Response | Response Percent | Response Count
Yes | 26.2% | 11
No | 73.8% | 31
Other (please specify) | | 4

20. Are guest identities asserted with an explicit level of assurance?
Answered question: 47; skipped question: 14
Response | Response Percent | Response Count
Yes | 8.5% | 4
No | 91.5% | 43
If yes, how? | | 9

21. What is the maximum amount of time a person can be affiliated as a guest before requiring renewal?
Answered question: 48; skipped question: 13
Response Count: 48

22. What other events can lead to deprovisioning or invalidating a guest identity?
Answered question: 46; skipped question: 15
Response Count: 46

23. If guests are explicitly sponsored, what occurs when the sponsor leaves?
Answered question: 44; skipped question: 17
Response Count: 44

24. Do you control guest identities so as to provision only a single guest identity to a person?
Answered question: 48; skipped question: 13
Response | Response Percent | Response Count
Yes | 58.3% | 28
No | 41.7% | 20
If yes, how? | | 26

25. Are guest accounts ever converted to non-guest identities using the same identifier?
Answered question: 45; skipped question: 16
Response | Response Percent | Response Count
Yes | 44.4% | 20
No | 55.6% | 25
Other (please specify) | | 8