Child pages
  • Requirements for Federations Operators Assessing R&S
Skip to end of metadata
Go to start of metadata

This is currently a proposed draft and is not in use with Federation Operators at this time. 

Assessing Service Providers for R&S Compliance

The following requirements are proposed as a minimal expectation for a Federation Operator to be asserting R&S for Service Providers within their federation.   It is important when using Legitimate Interests as a reason for processing data that organisations are able to demonstrate that that conducted an assessment, documented this assessment and given transparency and visibility to that assessment (see guidance from Article 29 WP).


RequirementImplementation
1.The Federation Operator actively declares support for R&SDeclare support by email to contact@refeds.org.  This will be re-verified as part of the REFEDS annual audit.
2.Maintain a detailed description of the federation's administrative process for tagging a Service Provider with R&SHost a wiki or web page with information for SPs. 
 3.Have a clear assessment process for Service Providers

Consider using the following checks:

  • Can the SP demonstrate a reasonable need to use the full R&S bundle?
  • Is there a relevant and appropriate relationship between the data subject and the Service Provider?
  • Would there be a reasonable expectation on the part of the data subject that personal data will be released?
  • Does the Service Provider demonstrate appropriate safe-guards / effective behaviour regarding data protection (e.g. do they have a privacy notice? do they use a code of conduct etc?)
  • Does the entity meet the registration criteria in Section 4 of the specification?
4.Have a Process for reviewing use of R&SHave measures in place to review R&S where you are the Registration Authority.  This may be in line with the annual REFEDS review of R&S.
5.Have a Process for removing R&S from a Service ProviderHave a simple process that allows for the removal of R&S if an entity no longer meets the requirements, cannot demonstrate compliance or no longer wishes to support R&S.

Technical Details

The following technical information may be useful.

The R&S entity attribute for SPs
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- the RandS entity attribute for SPs -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <!-- the REFEDS RandS entity attribute value -->
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
The R&S "support" entity attribute for IdPs
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- the RandS entity attribute for IdPs -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the REFEDS RandS entity attribute value -->
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
A Shib IdP V3 configuration that releases attributes to ALL R&S SPs
<afp:AttributeFilterPolicy id="releaseToRandSSPs">

  <afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- attribute rules here -->

</afp:AttributeFilterPolicy>

For brevity, the <afp:AttributeRule> elements have been omitted from the previous configuration element. For details, visit the R&S IdP Config wiki topic.

Resources

  1. REFEDS Research & Scholarship Entity Category specification http://refeds.org/category/research-and-scholarship
  2. Shibboleth IdP V3
    1. EntityAttributeExactMatch Configuration https://wiki.shibboleth.net/confluence/x/OAEnAQ
    2. RegistrationAuthority Configuration https://wiki.shibboleth.net/confluence/x/TAEnAQ
  3. Shibboleth IdP V2
    1. AttributeRequesterEntityAttributeExactMatch Configuration https://wiki.shibboleth.net/confluence/x/vYBX
  4. Shibboleth IdP V2 mdrpi-match-idp-ext https://github.com/ukf/mdrpi-match-idp-ext
  • No labels