This is currently a proposed draft and is not in use with Federation Operators at this time.
Assessing Service Providers for R&S Compliance
The following requirements are proposed as a minimal expectation for a Federation Operator to be asserting R&S for Service Providers within their federation. It is important when using Legitimate Interests as a reason for processing data that organisations are able to demonstrate that that conducted an assessment, documented this assessment and given transparency and visibility to that assessment (see guidance from Article 29 WP).
| Requirement | Implementation | |
|---|---|---|
| 1. | The Federation Operator actively declares support for R&S | Declare support by email to contact@refeds.org. This will be re-verified as part of the REFEDS annual audit. |
| 2. | Maintain a detailed description of the federation's administrative process for tagging a Service Provider with R&S | Host a wiki or web page with information for SPs. |
| 3. | Have a clear assessment process for Service Providers | Consider using the following checks:
|
| 4. | Have a Process for reviewing use of R&S | Have measures in place to review R&S where you are the Registration Authority. This may be in line with the annual REFEDS review of R&S. |
| 5. | Have a Process for removing R&S from a Service Provider | Have a simple process that allows for the removal of R&S if an entity no longer meets the requirements, cannot demonstrate compliance or no longer wishes to support R&S. |
Technical Details
The following technical information may be useful.
The R&S entity attribute for SPs
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<!-- the RandS entity attribute for SPs -->
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://macedir.org/entity-category">
<!-- the REFEDS RandS entity attribute value -->
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes>
The R&S "support" entity attribute for IdPs
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<!-- the RandS entity attribute for IdPs -->
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://macedir.org/entity-category-support">
<!-- the REFEDS RandS entity attribute value -->
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes>
A Shib IdP V3 configuration that releases attributes to ALL R&S SPs
<afp:AttributeFilterPolicy id="releaseToRandSSPs">
<afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<!-- attribute rules here -->
</afp:AttributeFilterPolicy>
For brevity, the <afp:AttributeRule> elements have been omitted from the previous configuration element. For details, visit the R&S IdP Config wiki topic.
Resources
- REFEDS Research & Scholarship Entity Category specification http://refeds.org/category/research-and-scholarship
- Shibboleth IdP V3
- EntityAttributeExactMatch Configuration https://wiki.shibboleth.net/confluence/x/OAEnAQ
- RegistrationAuthority Configuration https://wiki.shibboleth.net/confluence/x/TAEnAQ
- Shibboleth IdP V2
- AttributeRequesterEntityAttributeExactMatch Configuration https://wiki.shibboleth.net/confluence/x/vYBX
- Shibboleth IdP V2 mdrpi-match-idp-ext https://github.com/ukf/mdrpi-match-idp-ext