This page presents guidelines related to the Code of Conduct for Federation Operators, Home Federation Operators and the Interfederation Operator.

Federation Operators

A design goal of the Data Protection Code of Conduct is to minimise the Federation Operators' legal responsibilities and liabilities. A Federation Operator should not check the legal compliance of a Service Provider that asserts commitment to the Code of Conduct. It is not the role of a Federation Operator to do so, and doing so may expose the Federation Operator to the risk of becoming liable for a Service Provider's non-compliance. Federation Operators are expected only to mediate the Entities' SAML 2.0 metadata.

Additionally, the Federation Operator is expected to make available technical tools and/or instructions that Identity Provider administrators can use to scan, select and validate Service Provider entries in the Federation metadata, so that the Identity Provider is

  • only releasing Attributes to those Service Providers that assert commitment to the Code of Conduct, and
  • only releasing those Attributes that the Service Providers require and that conform to the Home Organisation's risk management practices.

Home Federation Operator

An Entity's Home Federation is the Federation that has registered the Entity. In an interfederation scenario, the Home Federation is often the Federation that mediates the Entity's SAML 2.0 metadata to other Federations. The Home Federation Operator is potentially the only party that has a direct relationship with the Entity.

When registering a Service Provider's assertion of commitment to the Code of Conduct, the Home Federation Operator or its delegates take the following steps:

  1. Ensure that the SAML 2.0 elements conform to the SAML 2 Profile for the Code of Conduct.
  2. Remind the Service Provider to check that its mdui:Description and mdui:DisplayName elements are understandable and useful for ordinary end users.
  3. Check that the Service Provider's Privacy Policy document is available and indicates commitment to the Code of Conduct.
  4. Remind the Service Provider to make sure that the list of requested attributes is consistent with the Privacy Policy document.
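The metadata scanning that a Federation Operator is expected to support for Identity Provider administrators (release only to Service Providers asserting the Code of Conduct, and only the attributes they request, within the Home Organisation's own policy) and the conformance check in step 1 above both come down to reading the same elements of a Service Provider's metadata entry. The following is an added example covering both; it is example code written for this page, not a tool of any Federation Operator or of eduGAIN. It assumes the entity category value http://www.geant.net/uri/dataprotection-code-of-conduct/v1 for the v1 Code of Conduct, and it assumes the SAML 2 profile requires mdui:DisplayName, mdui:Description, mdui:PrivacyStatementURL and at least one md:RequestedAttribute; the metadata aggregate and the Home Organisation release policy are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # v1 category value (assumed)

# Constructed sample aggregate, not real federation metadata: sp-a asserts the Code of Conduct
# with a complete entry, sp-b asserts it but lacks mdui:PrivacyStatementURL, sp-c does not assert it.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo>
    <mdui:DisplayName xml:lang="en">Example Research Portal</mdui:DisplayName>
    <mdui:Description xml:lang="en">Collaboration portal for project members</mdui:Description>
    <mdui:PrivacyStatementURL xml:lang="en">https://sp-a.example.org/privacy</mdui:PrivacyStatementURL>
   </mdui:UIInfo></md:Extensions>
   <md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Example Research Portal</md:ServiceName>
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation"/>
   </md:AttributeConsumingService>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Survey Tool</mdui:DisplayName>
    <mdui:Description xml:lang="en">Staff survey tool</mdui:Description></mdui:UIInfo></md:Extensions>
   <md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Survey Tool</md:ServiceName>
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
   </md:AttributeConsumingService>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Legacy Wiki</md:ServiceName>
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
   </md:AttributeConsumingService>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Entity category values asserted in the EntityDescriptor's mdattr:EntityAttributes."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return cats


def requested_attributes(entity):
    """Attribute names the SP requests through md:RequestedAttribute."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("Name") for ra in entity.findall(path, NS)}


def profile_findings(entity):
    """Registration-time check (step 1): elements a Code of Conduct SP entry is assumed to need
    under the SAML 2 profile. Returns the list of missing elements; empty means it conforms."""
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no md:SPSSODescriptor"]
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    findings = [f"missing mdui:{tag}" for tag in ("DisplayName", "Description", "PrivacyStatementURL")
                if ui is None or ui.find(f"mdui:{tag}", NS) is None]
    if not requested_attributes(entity):
        findings.append("no md:RequestedAttribute")
    return findings


def attributes_to_release(entity, releasable):
    """IdP-side decision: nothing unless the SP asserts the Code of Conduct and its entry passes the
    profile check; then only the attributes it requests, restricted to the Home Organisation's set."""
    if COCO_V1 not in entity_categories(entity) or profile_findings(entity):
        return set()
    return requested_attributes(entity) & set(releasable)


def scan(xml_text, releasable):
    """Per entityID: whether it asserts the Code of Conduct, profile findings, and the release set."""
    report = {}
    for ent in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        report[ent.get("entityID")] = {"asserts_coco": COCO_V1 in entity_categories(ent),
                                       "findings": profile_findings(ent),
                                       "release": sorted(attributes_to_release(ent, releasable))}
    return report


# Home Organisation policy (constructed): only these two attributes may be released to Code of Conduct SPs.
HOME_ORG_RELEASABLE = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "urn:oid:0.9.2342.19200300.100.1.3"}

if __name__ == "__main__":
    for entity_id, row in scan(METADATA, HOME_ORG_RELEASABLE).items():
        print(entity_id, row)
```

Run against the sample, sp-a gets eduPersonPrincipalName and mail but not eduPersonAffiliation (requested, but outside the Home Organisation's releasable set); sp-b asserts the category but fails the profile check, so the example releases nothing to it rather than trusting an incomplete entry; sp-c does not assert the category and gets nothing. The release decision deliberately stays on the Identity Provider side: the Federation Operator only provides the scan, it does not judge the Service Provider's legal compliance.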

The Service Provider is responsible for the service it offers and for its legal compliance with the Code of Conduct. The Service Provider is regarded as authoritative about its Privacy Policy and the attributes the service requests.

Note that there is no obligation for the Home Federation Operator to check that the Service Provider is compliant with the Code of Conduct. However, if the Home Federation Operator is informed, or it is obvious, that the Service Provider is not in compliance, the Home Federation Operator can refuse to register the Service Provider's assertion that it complies with the Code of Conduct ("bonus pater familias" principle). This is not expected to make the Home Federation Operator liable for the Service Provider's non-compliance.

Interfederation Operator

The eduGAIN Operations Team, as the Interfederation Operator, is responsible for regularly archiving the Service Providers' Privacy Policy documents and making them available to anyone requesting them.