The REFEDS Baseline is published at https://refeds.org/baseline-expectations
The REFEDS Baseline Expectations working group has developed a high-level set of requirements in the proposed Identity Federation Baseline Expectations (IFBE). By meeting a common Baseline, federations can add trust, value and scalable interoperability to the ecosystem. The working group invites all interested parties to a consultation on the proposed document.
Please note that the document Identity Federation Baseline Expectations is only a high level set of requirements. The specific organisational and technical implementation guidance to satisfy the baseline will be provided in future supporting documents.
This consultation was open from 15:00 CET on 11 December 2020 until 17:00 CET on 31 January 2021. The consultation is now closed and is not taking further comments.
Participants are invited:
- to consider the proposed REFEDS Identity Federation Baseline Expectations document; and
- to propose appropriate changes / challenges to the proposed document.
The PDF for the consultation is available. Background on the Baseline Expectations Working Group is available. All comments should be made on: email@example.com or added to the change log below. Comments posted to other channels will not be included in the consultation review.
Following the consultation, the group reconvened to discuss the actions and decisions on the proposals and feedback given. This resulted in a Final Draft.
Following the consultation, all comments will be taken back to the REFEDS Baseline Expectations working group for review and, if appropriate, the document will then be forwarded to the REFEDS Steering Committee for sign-off and publication on the REFEDS website as per the REFEDS participants agreement.
| No. | Line Number / Reference | Proposed Change or Query | Proposer / Affiliation | Action / Decision (please leave blank) |
|---|---|---|---|---|
| 1 | 25 | "continual trust improvements": this phrase is not very clear to me. What is a "trust improvement"? | Hannah Short / CERN | Changed the sentence (removed the defined 'trust' side effect of improvements). |
| 2 | 29 | The majority of the requirements are SAML independent; is there any reason to tie this to SAML? It might be more useful for future OIDC fed efforts if it were generic. | Hannah Short / CERN | The document is protocol agnostic; we only used the terms as known in SAML for reference. |
| 3 | 37/51/64 | Should these contacts also cover security issues as well as operational ones? | Hannah Short / CERN | We are not prescribing the type and purpose of contacts at this level. IFBE documents will cover that. |
| 4 | 39/53 | I suppose it's intentional that Sirtfi is not mentioned? Is it intended that the "security practices" be the ones from Sirtfi? It may be worth clarifying somehow, though I appreciate the value of keeping the docs independent. | Hannah Short / CERN | Same as previous: Sirtfi may be defined as one of the security practices/requirements at a lower level. |
| 5 | additional requirement | Proposed addition: "Any Federation services must support the exchange / storage and processing of personal information compliant with GDPR" | Andreas Matheus / Secure Dimensions | Many jurisdictions in which R&E federations operate are not subject to GDPR (as from Nic). |
| 6 | NA | Re: the comment on line 5 of this consultation table: many jurisdictions in which R&E federations operate are not subject to GDPR. I'd suggest something much more general such as "respect the privacy rights of individuals". | Nic Roy / InCommon | Document adjusted. |
| 7 | 10 | Typo of "interfederatons" for "interfederations". | Andrew Cormack / Jisc | Agreed - will adjust doc. |
| 8 | 30 | Maybe clearer to explicitly add, "Those organisations are referred to as XXX Operators." | Andrew Cormack / Jisc | Document adjusted. |
| 9 | 37 | [IdP3] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your IdP must have contact information..."? | Andrew Cormack / Jisc | Agreed - will adjust doc. |
| 10 | | [SP3] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your Service must have contact information..."? | Andrew Cormack / Jisc | Agreed - will adjust doc. |
| 11 | 58 | Typo of "respects" for "respect". | Andrew Cormack / Jisc | Agreed - will adjust doc. |
| 12 | 58/9 | "unless governed by an applicable contract" seems odd; better maybe "requirements may be set out in an applicable contract"? | Andrew Cormack / Jisc | Document adjusted. |
| 13 | 62 | Typo "be" for "are". | Andrew Cormack / Jisc | Agreed - will adjust doc. |
| 14 | 64 | [FO2] feels like "You publish contact information and respond in a timely fashion to operational issues", rather than "Your Service must have contact information..."? | Andrew Cormack / Jisc | Agreed - will adjust doc. |
| 15 | General | Do we have an expectation on any parts of the required information to be published in English? If so, should that be made explicit? While this is perhaps not a requirement on a federation level, it would surely help when wanting to compare baselines between federations, as may be needed for eduGAIN now or at some later time. | Niels van Dijk / SURF | Out of scope for the baseline expectations document. |
| 16 | 24/75 | The reference named IFBE is the document itself. Did you mean the repository for this document and supporting material? Then it would be better to name it as the repository. | Thomas Lenggenhager / SWITCH | Reference removed. |
| 17 | 29 | Move SAML-specific references to a dedicated section or appendix; that would allow OIDC specifics to be added later. In the SAML section, refer to the two Kantara Federation Interoperability Profiles (Implementation and Deployment). | Thomas Lenggenhager / SWITCH | The document is protocol agnostic; we only used the terms as known in SAML for reference. |
| 18 | IPO6 | This expectation cannot be levied upon all federation members due to the technologies in use; behaviour is covered by e.g. IPO5 and adoption by FO5. | Baseline Working Group | IPO6 removed. |