Home Organisations managing Identity Provider servers do not commit to the Code of Conduct for Service Providers. However, Home Organisations as data controllers of their End users may consider taking the following steps to manage the attribute release to the Service Providers and reduce their risks
- Study Code of Conduct for Service Providers and, based on the Home Organisation's local risk management procedures, decide if a Service Provider's unilateral commitment to the Code of Conduct provides the Home Organisation with sufficient guarantees for an Attribute release
- For instance, a Home Organisation may reduce its risks by releasing only non-sensitive attributes.
- Ensure that the Service Provider has committed to the Data Protection Code of Conduct for Service Providers
- see see Code of Conduct for Service Providers for details on the Code of Conduct
- see SAML 2 Profile for the Code of Conduct for details on SAML metadata indicating SP's commitment
- Tools may be available to scan the Federation metadata and identify the Service Providers which have committed to the Code of Conduct.
- Release only Attributes that are adequate, relevant and not excessive for the Service Provider
- flagged as requested in SAML metadata (see SAML 2 Profile for the Code of Conduct for details on how this is done)
- If the Service Provider requests only a particular Attribute value, release only that value and no other values
- for instance, if the Service Provider requests only eduPersonAffiliation="member", do not release eduPersonAffiliation="faculty"
- for instance, if the Service Provider requests only eduPersonEntitlement=" ", do not release eduPersonEntitlement="urn:mace:washington.edu:confocalMicroscope"
- see SAML 2 Profile for the Code of Conduct for details on SAML metadata for requesting only particular values
- use the data controller's legitimate interests as the legal grounds for attribute release
- release only attributes that are flagged as NECESSARY (see SAML 2 Profile for the Code of Conduct for details on how this is done)
- however, in certain jurisdiction (e.g. Switzerland) user consent may be needed for attribute release