Personal certificates requirements in Sunet TCS

Personal certificates within Sunet TCS Personal is primarly used for mail (S/MIME) or to login to GRID systems. Unlike Sunet TCS server and code signing certificates, it is the user that shall use the certificate who requests it from a self-service service. There is thus no intermediary between the user and the certificate service in this case.

The user will be identified via a SWAMID federation login to a web-based tool in a way that reminds you how the login to SUNET's e-meeting service works. An important difference is that this service have higher and more specific requirements for how the user is identified in the home organisation.

Sunet TCS Personal requirements on the home organisation identity processes

  • The home organisation, e.g. the university, must be approved for SWAMID AL2.
  • The user that will request a personal certificate must fulfil proofing and authentication requirements for SWAMID AL2.

Transition period

Organisations that was approved for Sunet TCS Personal earlier than the year 2016 have a transition period until the end of 2017 before the requirement for SWAMID AL2 applies. Before SWAMID AL2 was defined there was a special identification process with valid ID documents for Sunet TCS Personal.

Sunet TCS Personal requirements on certificate revocation

If a person is suspended from from his user account, e.g. termination of employment, the Sunet TCS member is required to ensure that a certificates issued by the person are revoked. This can be manually be done by an administrator in the same web interface that is used to issue the certificates. There is also an API that can be used to automatically revoke certificates.

Technical requirements on the home organisation SAML WebSSO Identity Provider

The TCS Personal Certificate Service is delivered via a special web portal, DigiCert SAML portal. An Identity Provider signals that both the organisation and the user meets the requirements for issuing personal certificates by setting a value for the eduPersonEntitlement attribute at each login to the web portal. This value may only be set for organisations and users who meet the requirements of SWAMID AL2.


TCS Service

URL

SP entityID

eduPersonEntitlement

TCS Personal

https://www.digicert.com/sso/

https://www.digicert.com/sso/

urn:mace:terena.org:tcs:personal-user

urn:mace:terena.org:tcs:escience-user


For help in Swedish on how to configure Shibboleth IdP look at the SWAMID Wiki page "Personliga certifikat i Sunet TCS".

  • No labels