Verifying Identity and Level Of Assurance (LOA)

Before you provide any service to your users, you must properly verify their identity. Similarly, CalNet expects and requires its campus partners to ensure that proper identity verification is performed before people are entered into a system that will result in them getting CalNet credentials. Below are two methods of identity verification:


Face-to-Face Requirements

The UC Trust policy states: "A government or University issued ID with a picture must be presented to and verified by an officer of the credential provider as belonging to the registrant."

Simply put, you must look at a user’s Federal or State-issued photo ID, such as a driver license, to confirm the user’s identity in person before providing that person with information from their record or performing an action. Doing so ensures that UC Berkeley complies with UC Trust standards.

So please remember: NEVER perform an account action, provide account information to a user, or enter a new user into a system that results in CalNet credentials before you have verified the user's identity! The best way to verify a user’s identity is to check the federal or state-issued ID in person.


Remote Identification Requirements

The UC Trust federation has specific guidelines for establishing "face-to-face" level of assurance when a user cannot be physically present. These requirements are outlined in the Identity Verification Guideline document, which is only available to authorized employees on campus and users of the CalNet Admin Tool.

Again, NEVER perform an account action, provide account information to a user, or enter a new user into a system that results in CalNet credentials before you have properly verified the user's identity!


Identity Federations

UC Berkeley is a member of two identity federations: InCommon and UCTrust. InCommon is the largest federation of higher education institutions in the United States. UCTrust is a federation for the UC system that is managed through UC Office of the President (UCOP).

In order to belong to the InCommon and UCTrust federations, UC Berkeley has to comply with very high standards, including requirements for how user identity is verified, how authentication credentials are asserted, and how credentials are handled by service providers.

Identity federations consist of "identity providers" (such as CalNet) and "service providers" (such as bConnected or CalTime). Service providers trust the identity information provided by CalNet, and CalNet must trust that service providers adequately protect that information.

Shibboleth is the software used by InCommon and UCTrust to manage the communication between CalNet and service providers, including authentication requests.