The REFEDS Baseline is published at https://refeds.org/baseline-expectations

This consultation is now closed.

Background

The REFEDS Baseline Expectations working group have developed a high-level set of requirements in the proposed Identity Federation Baseline Expectations (IFBE). By meeting a common Baseline, federations are able to increase trust, value and scalable interoperability in the ecosystem. The working group invites all interested parties to a consultation of the proposed document.

Please note that the document Identity Federation Baseline Expectations is only a high-level set of requirements. The specific organisational and technical implementation guidance to satisfy the baseline will be provided in future supporting documents.

Overview

This consultation was open from 15:00 CET 11th December 2020 to 17:00 CET 31 January 2021. The consultation is now closed and not taking further comments.

Participants are invited:

  • to consider the proposed REFEDS Identity Federation Baseline Expectations document; and
  • to propose appropriate changes / challenges to the proposed document.

The PDF for the consultation is available. Background on the Baseline Expectations Working Group is available. All comments should be made on: consultations@lists.refeds.org or added to the change log below. Comments posted to other channels will not be included in the consultation review.


Following consultation, the group reconvened to discuss the actions and decisions on the proposals and feedback given. This resulted in a Final Draft.

Following the consultation, all comments will be taken back to the REFEDS Baseline Expectations working group for review and, if appropriate, the document will then be forwarded to the REFEDS Steering Committee for sign-off and publication on the REFEDS website as per the REFEDS participants agreement.

Change Log


|    | Line Number / Reference | Proposed Change or Query | Proposer / Affiliation | Action / Decision (please leave blank) |
|----|-------------------------|--------------------------|------------------------|----------------------------------------|
| 1  | 25 | "continual trust improvements" this phrase is not very clear to me. What is a "trust improvement"? | Hannah Short/CERN | Changed the sentence (removed the defined ‘trust’ side effect of improvements) |
| 2  | 29 | the majority of the requirements are SAML independent, is there any reason to tie this to SAML? It might be more useful for future OIDC fed efforts if it were generic | Hannah Short/CERN | The document is protocol agnostic, we only used the terms as known in SAML for reference |
| 3  | 37/51/64 | should these contacts also cover security issues as well as operational? | Hannah Short/CERN | We are not prescribing the type and purpose of contacts at this level. IFBE documents will cover that |
| 4  | 39/53 | I suppose it's intentional that Sirtfi is not mentioned? Is it intended that the "security practices" be the ones from Sirtfi? It may be worth clarifying somehow, though I appreciate the value of keeping the docs independent | Hannah Short/CERN | Same as previous - Sirtfi may be defined as one of the security practices/requirements at a lower level. |
| 5  | additional requirement | Proposed addition: "Any Federation services must support the exchange / storage and processing of personal information compliant with GDPR" | Andreas Matheus, Secure Dimensions | many jurisdictions in which R&E federations operate are not subject to GDPR (as from Nic) |
| 6  | NA | Re: the comment on line 5 of this consultation table - many jurisdictions in which R&E federations operate are not subject to GDPR. I'd suggest something much more general such as "respect the privacy rights of individuals". | Nic Roy, InCommon | document adjusted |
| 7  | 10 | Typo of "interfederatons" for "interfederations" | Andrew Cormack/Jisc | Agreed - will adjust doc |
| 8  | 30 | Maybe clearer to explicitly add, "Those organisations are referred to as XXX Operators." | Andrew Cormack/Jisc | document adjusted |
| 9  | 37 | [IdP3] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your IdP must have contact information..."? | Andrew Cormack/Jisc | Agreed - will adjust doc |
| 10 | 51 | [SP3] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your Service must have contact information..."? | Andrew Cormack/Jisc | Agreed - will adjust doc |
| 11 | 58 | typo of "respects" for "respect". | Andrew Cormack/Jisc | Agreed - will adjust doc |
| 12 | 58/9 | "unless governed by an applicable contract" seems odd, better maybe "requirements may be set out in an applicable contract"? | Andrew Cormack/Jisc | document adjusted |
| 13 | 62 | typo "be" for "are" | Andrew Cormack/Jisc | Agreed - will adjust doc |
| 14 | 64 | [FO2] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your Service must have contact information..."? | Andrew Cormack/Jisc | Agreed - will adjust doc |
| 15 | General | Do we have an expectation on any parts of the required information to be published in English? If so should that be made explicit? While this is perhaps not a requirement on a federation level, it would sure help when wanting to compare baseline between federations as may be needed for eduGAIN now or at some later time? | Niels van Dijk / SURF | out of scope for baseline expectations document |
| 16 | 24/75 | The reference named IFBE is the document itself. Did you mean the repository for this document and supporting material? Then better name it as repository. | Thomas Lenggenhager / SWITCH | reference removed |
| 17 | 29 | Move SAML specific references to a dedicated section or appendix. That allows to later add OIDC specifics. In the SAML section refer to the two Kantara Federation Interoperability Profiles (Implementation and Deployment). | Thomas Lenggenhager / SWITCH | The document is protocol agnostic, we only used the terms as known in SAML for reference |
| 18 | IPO6 | This expectation cannot be levied upon all federation members due to technologies in use, behaviour is covered by eg IPO5 and adoption by FO5 | Baseline Working group | IPO6 removed |