This page presents guidelines related to the Code of Conduct for federation operators, home federation operators and the interfederation operator.
A design goal of the Data Protection Code of Conduct is to minimise the Federation Operators' legal responsibilities and liabilities. A Federation Operator should not check the legal compliance of a Service Provider that asserts commitment to the Code of Conduct. Doing so is not a Federation Operator's role, and it may expose the Federation Operator to a risk of becoming liable for a Service Provider’s non-compliance. Federation Operators are expected only to mediate the Entities' SAML 2.0 metadata.
Additionally, the Federation Operator is expected to make available technical tools and/or instructions that the Identity Provider administrators can use to scan, pick and validate Service Provider entries in the Federation metadata for
An Entity's Home Federation is the Federation that has registered the Entity. In an interfederation scenario, the Home Federation is often the Federation that mediates the Entity's SAML 2.0 metadata to other Federations. The Home Federation Operator is potentially the only party that has a direct relationship with an Entity.
When registering a Service Provider's assertion of commitment to the Code of Conduct, the Home Federation Operator or its delegated parties take the following steps:
mdui:DisplayName elements are understandable and useful for common end users.
Note that there is no obligation for the Home Federation Operator to check that the Service Provider is compliant with the Code of Conduct. However, if the Home Federation Operator is informed, or it is obvious, that the Service Provider is not in compliance, the Home Federation Operator can refuse to register the Service Provider’s assertion that it complies with the Code of Conduct ("bonus pater familias" principle). That is not expected to make the Home Federation Operator liable for the Service Provider’s non-compliance.