Versions Compared

Old Version 220

changes.mady.by.user Pål Axelsson

Saved on

compared with

New Version 221

changes.mady.by.user Pål Axelsson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

For an example on how to consume and process this information in an Identity Provider look at the page Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above. ADFS Toolkit support the use of entity categories.

REFEDS

...

Pseudonymous Access Entity Category

entity-category URI

https://refeds.org/category/personalizedpseudonymous

eduGAIN enabledYes


Info
titleDefinition

Candidates for the REFEDS Personalized the Pseudonymous Access Entity Category are Service Providers that have a proven need to receive a small set of personally identifiable information about their users in order to effectively provide their service to the user or to enable the user to signal their identity to other users within the serviceoffer a level of service based on proof of successful authentication and offer personalization based on a pseudonymous user identifier. The Service Provider must be able to effectively demonstrate this need to their federation registrar (normally the Service Provider’s home federation) and demonstrate their compliance with regulatory requirements concerning personal data through a published Privacy Notice.Please note that the 

None of the attributes in this entity category are specifically intended to provide authorization information. 

Please note that the first of the REFEDS Personalized Access Entity Category was published at the end of 2021 and therefore not so many Identity Providers has support for it yet. SWAMID recommends that you complement the REFEDS the REFEDS Personalized Access Entity Category with the entity category GÉANT category GÉANT Data Protection Code of Conduct until end of 2023 to get the expected attribute release.

The Personalized Access Pseudonymous Access Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher the higher education institutions in Sweden and around the world. The entity The entity category makes it possible to automatically release a set of mostly harmless attributes to Service Providers registered in the academic federations.

The expected Identity Provider behaviour is to release to the Service the Service Provider a predefined set of attributes. Service Providers signals their need of Personalized of Pseudonymous Access Entity Category via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the Personalized Access the Pseudonymous Access Entity Category.

For REFEDS Personalized Access REFEDS Pseudonymous Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the requirement for mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

subjectsubjectmail0.9.2342.19200300.1003displayName2.16.840.113730..1.241urn:oid:25.4.42urn:oid:1.3.11eduPersonScopedAffiliation59231.1.9urn:oid:1.3.6.1.4.1.25178.1.2.9
Attribute(s)SAML2 Attribute IdentifierComment
pairwise-idurn:oasis:names:tc:SAML:attribute:pairwise-id
eduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.Can be more than one address released but Identity Providers are recommended to release only one.11
eduPersonScopedAffiliationurn:oid:1.3givenName.snurn:oid:2.5.4.4eduPersonAssurance6.1.4.1.5923.1.1.1.9
schacHomeOrganizationurn:oid:1.3.6.1.4.1.25178.1.schacHomeOrganization2.9

Process for applying for tagging a service with entity category

...

REFEDS Pseudonymous Access Entity Category

For a service to be tagged with REFEDS Personalized Access REFEDS Pseudonymous Access Entity Category it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

...

  • Purpose and scope of the service.
  • Documentation which proves that the service has fulfilled all the requirements for REFEDS Personalized Access Entity Category if it isn't defined by purpose and scope of the service.
    • The service has a proven and documented need for the personally identifiable pseudonymous information that forms the attribute bundle for this entity category.
    • The Service Provider has committed to data minimisation and will not use the attributes for purposes other than as described in their application.

...

  • Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
  • Display name for the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.Short description of the Service
  • URL to an informational web page that describes the service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
  • Administrative and technical contact for the service and it's recommended that support and security contact is also given.
  • Formal organisation name of the organisation delivering the service.
  • URL to the organisation delivering the service.
  • URL to an informational web page that describes the service in English and preferable also in Swedish.
  • Swedish.
  • URL to a web page URL to a web page with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template.
  • At least one of the administrative and technical contact for the service and it's recommended that support and security contact is also given.

The request is highly recommended to also have the following information for The request is highly recommended to also have the following information for metadata publication:

  • URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.

Besides the formal requirements and recommendations of REFEDS Personalized REFEDS Pseudonymous Access Entity Category are Service Providers it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

...

REFEDS Personalized Access Entity Category

entity-category URI

http

https://refeds.org/category/

research-and-scholarship

personalized

eduGAIN enabledYes


Info
titleDefinition

Candidates for the Research and Scholarship (R&S) Personalized Entity Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part. For more information please see REFEDS Entity Category Research and Scholarship.

R&S is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The R&S makes it possible to automatically release mostly harmless attributes to Service Providers within the higher educational sector.

The expected IdP behaviour is to release to the Service Provider a predefined set of R&S Category Attributes. Service Providers signals their need of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the R&S entity category and this can be used for filter purpose in a discovery service.

Example of services that uses the entity category includes (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.

have a proven need to receive a small set of personally identifiable information about their users in order to effectively provide their service to the user or to enable the user to signal their identity to other users within the service.  The Service Provider must be able to effectively demonstrate this need to their federation registrar (normally the Service Provider’s home federation) and demonstrate their compliance with regulatory requirements concerning personal data through a published Privacy Notice.

None of the attributes in this entity category are specifically intended to provide authorization information. 

Please note that the first of the REFEDS Personalized Access Entity Category was published at the end of 2021 and therefore not so many Identity Providers has support for it yet. SWAMID recommends that you complement the REFEDS Personalized Access Entity Category with the entity category GÉANT Data Protection Code of Conduct until end of 2023 to get the expected attribute release.

The Personalized Access Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The entity category makes it possible to automatically release a set of mostly harmless attributes to Service Providers registered in the academic federations.

The expected Identity Provider behaviour is to release to the Service Provider a predefined set of attributes. Service Providers signals their need of Personalized Access Entity Category via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the Personalized Access Entity Category.

For REFEDS Personalized Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However all services that are registered in SWAMID must have a Privacy Policy to inform end users about how personal data are processed. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the requirement for mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

Attribute(s)SAML2 Attribute IdentifierComment
eduPersonTargetedID
subject-idurn:oasis:names:
oid:1.3.6.1.4.1.5923.1.1.1.10

Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user.

eduPersonPrincipalNameurn:oid:1.3.6.1.4.1.5923.1.1.1.6
tc:SAML:attribute:subject-id
mailurn:oid:0.9.2342.19200300.100.1.3Can be more than one address released but Identity Providers are recommended to release only one.
displayName
and/or givenName and sn

urn:oid:2.16.840.1.113730.3.1.241


givenNameurn:oid:2.5.4.42
snurn:oid:2.5.4.4
A user's name can be released in different ways and it's expected that the Service Provider can handle this.

eduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.11
Local addon within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID.

eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9

Process for applying for tagging a service with entity category REFEDS Research and Scholarship


schacHomeOrganizationurn:oid:1.3.6.1.4.1.25178.1.2.9

Process for applying for tagging a service with entity category REFEDS Personalized Access Entity Category

For a service to be tagged with REFEDS Personalized Access Entity Category For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.updates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

  • Purpose and scope of the service.
  • Documentation which proves that the service has fulfilled all the requirements for R&S for REFEDS Personalized Access Entity Category if it isn's not t defined by purpose and scope of the service.

      Unless the following is already published in current service metadata, the metadata update request must contain:

        • The service has a proven and documented need for the personally identifiable information that forms the attribute bundle for this entity category.
        • The Service Provider has committed to data minimisation and will not use the attributes for purposes other than as described in their application.

      The entity category has the following metadata requirements:

      • Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
      • Display name for the Service in English and
      • Well functional SAML2 metadata for the service with an entityid in URL-form.
      • Display name for the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.Short description of the Service
      • URL to an informational web page that describes the service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
      • Administrative and technical contact for the service and it's recommended that support and security contact is also given.
      • Formal organisation name of the organisation delivering the service.
      • URL to the organisation delivering the service.
      • URL to an informational web page that describes the service in English and preferable also in Swedish.
      • Swedish.
      • URL to URL to a web page with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template.
      • At least one of the administrative and technical contact for the service and it's recommended that support and security contact is also given.

      The request is The request is highly recommended to also have the following information for metadata publication:

      ...

      Besides the formal requirements and recommendations of REFEDS R&S REFEDS Personalized Access Entity Category are Service Providers it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

      ...

      REFEDS Research and Scholarship

      entity-category URI

      httpshttp://refeds.org/category/coderesearch-of-conduct/v2 and
      http://www.geant.net/uri/dataprotection-code-of-conduct/v1

      eduGAIN enabledYes

      and-scholarship

      eduGAIN enabledYes


      Info
      titleDefinition

      Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part

      Info
      titleDefinition

      The REFEDS Data protection Code of Conduct (CoCo v2) defines an approach at a European level to meet the requirements of the European General Data Protection Regulation (GDPR) for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see REFEDS Data Protection Code of Conduct.

      The earlier GÉANT Data protection Code of Conduct (CoCo v1) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive. The Data Protection Directive has been superseeded by GDPR and therefore GDPR must be taken into account for CoCo v1. CoCo v1 is in the same spirit as GDPR, i.e. the Charter of Fundamental Rights of the European Union. For more information please see GEANT Data Protection Code of Conduct.

      CoCo v1 will exist in parallell with CoCo v2 for an extended time and therefore we recommend all services that uses CoCo v2 to also declare CoCo v1 and the other way around.

      CoCo is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The CoCo makes it possible to automatically release mostly harmless attributes to Service Providers which fulfil the EU Data Protection legislation. The expected Identity Provider behaviour is to release the Service Provider required attributes if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However it's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes. The required attributes for a specific service is defined in the the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Provider that supports the CoCo entity category that can be used for filter purpose in a discovery service.

      Expected attribute availability from an Identity Provider for attributes required by indication in metadata

      Entity Category Research and Scholarship.

      R&S is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The R&S makes it possible to automatically release mostly harmless attributes to Service Providers within the higher educational sector.

      The expected IdP behaviour is to release to the Service Provider a predefined set of R&S Category Attributes. Service Providers signals their need of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the R&S entity category and this can be used for filter purpose in a discovery service.

      Example of services that uses the entity category includes (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.

      For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However all services that are registered in SWAMID must have a Privacy Policy to inform end users about how personal data are processed. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for mention the GÉANT Data Protection Code of Conduct.

      Expected attribute release from an Identity Provider

      Attribute(s)SAML2 Attribute IdentifierCommenteduPersonTargetedID
      Attribute(s)SAML2 Attribute IdentifierComment
      eduPersonTargetedIDurn:oid:1.3.6.1.4.1.5923.1.1.1.10

      Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user.

      eduPersonPrincipalName
      urn:oid:1.3.6.1.4.1.5923.1.1.1.
      10
      6
      eduPersonPrincipalName

      mailurn:oid:
      1
      0.
      3
      9.
      6
      2342.
      1
      19200300.
      4
      100.1.
      5923.1.1.1.6eduPersonOrcid
      3Can be more than one address released but Identity Providers are recommended to release only one.
      displayName and/or givenName and sn

      urn:oid:

      1

      2.

      3

      16.

      6

      840.1.

      4

      113730.

      1

      3.

      5923.

      1.

      1.1.16norEduPersonNIN

      241
      urn:oid:

      1.3.6.1

      2.5.4.

      1.2428.90.1.5

      This attribute is for students systems that needs to be synchronised with the the student documentations system directly or indirectly. Within SWAMID norEduPersonNIN can besides Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.

      SWAMID Identity Providers only release this attribute to services registered in SWAMID.

      42
      urn:oid:2.5.4.4

      		A user's name can be released in different ways and it's expected that the Service Provider can handle this.
      eduPersonAssurance
      personalIdentityNumber
      urn:oid:1.
      2
      3.
      752
      6.
      29
      1.4
      .13

      Within SWAMID personalIdentityNumber only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.

      SWAMID Identity Providers only release this attribute to services registered in SWAMID.

      schacDateOfBirth
      .1.5923.1.1.1.11Local addon within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID.
      eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.
      25178
      5923.1.1.1.9

      Process for applying for tagging a service with entity category REFEDS Research and Scholarship

      For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.

      The request must besides the metadata update contain the following administrative information:

      • Purpose and scope of the service.
      • Documentation which proves that the service has fulfilled all the requirements for R&S if it's not defined by purpose and scope of the service:
        • The service enhances the research and scholarship activities of some subset of the user community.
        • The Service Provider is a production SAML deployment that supports SAML V2.0 HTTP-POST binding.
        • The Service Provider claims to refresh federation metadata at least daily.

      Unless the following is already published in current service metadata, the metadata update request must contain:

      • Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
      • Display name for the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
      • Technical contact for the service and it's recommended that administrative, support and security contact is also given.
      • URL to an informational web page that describes the service in English and preferable also in Swedish.
      • URL to a web page with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template (specific for SWAMID).
      • The Service Provider is a production SAML deployment that supports SAML V2.0 HTTP-POST binding.

      The request is highly recommended to also have the following information for metadata publication:

      • URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.

      Besides the formal requirements and recommendations of REFEDS R&S it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

      REFEDS/GÉANT Data Protection Code of Conduct

      entity-category URI

      https://refeds.org/category/code-of-conduct/v2 and
      http://www.geant.net/uri/dataprotection-code-of-conduct/v1

      eduGAIN enabledYes


      Info
      titleDefinition

      The REFEDS Data protection Code of Conduct (CoCo v2) defines an approach at a European level to meet the requirements of the European General Data Protection Regulation (GDPR) for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see REFEDS Data Protection Code of Conduct.

      The earlier GÉANT Data protection Code of Conduct (CoCo v1) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive. The Data Protection Directive has been superseeded by GDPR and therefore GDPR must be taken into account for CoCo v1. CoCo v1 is in the same spirit as GDPR, i.e. the Charter of Fundamental Rights of the European Union. For more information please see GEANT Data Protection Code of Conduct.

      CoCo v1 will exist in parallell with CoCo v2 for an extended time and therefore we recommend all services that uses CoCo v2 to also declare CoCo v1 and the other way around.

      CoCo is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The CoCo makes it possible to automatically release mostly harmless attributes to Service Providers which fulfil the EU Data Protection legislation. The expected Identity Provider behaviour is to release the Service Provider required attributes if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However it's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes. The required attributes for a specific service is defined in the the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Provider that supports the CoCo entity category that can be used for filter purpose in a discovery service.

      Expected attribute availability from an Identity Provider for attributes required by indication in metadata

      2.3Can be
      Attribute(s)SAML2 Attribute IdentifierComment
      pairwise-idurn:oasis:names:tc:SAML:attribute:pairwise-id
      eduPersonTargetedIDurn:oid:1.3.6.1.4.1.5923.1.1.1.10

      This attribute is deprecated!

      subject-idurn:oasis:names:tc:SAML:attribute:subject-id
      eduPersonPrincipalNameurn:oid:1.3.6.1.4.1.5923.1.1.1.6
      eduPersonOrcidurn:oid:1.3.6.1.4.1.5923.1.1.1.16
      norEduPersonNINurn:oid:1.3.6.1.4.1.2428.90.1.5

      This attribute is for students systems that needs to be synchronised with the the student documentations system directly or indirectly. Within SWAMID norEduPersonNIN can besides Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.

      SWAMID Identity Providers only release this attribute to services registered in SWAMID.

      personalIdentityNumberurn:oid:1.2.752.29.4.13

      Within SWAMID personalIdentityNumber only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.

      SWAMID Identity Providers only release this attribute to services registered in SWAMID.

      schacDateOfBirthurn:oid:1.3.6.1.4.1.25178.1.2.3
      mailurn:oid:0.9.2342.19200300.100.1.3Can be mailurn:oid:0.9.2342.19200300.100.1.3 more than one address released but Identity Providers are recommended to release only one.
      displayName

      urn:oid:2.16.840.1.113730.3.1.241


      givenNameurn:oid:2.5.4.42
      sn (aka surname)urn:oid:2.5.4.4
      cn (aka commonName)urn:oid:2.5.4.3Due to that cn is use for different things in different in different identity management systems it's highly recommended to use the attribute displayName instead.
      eduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.11Services shall only expect this attribute to be available from Identity Providers within SWAMID.
      eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9
      eduPersonAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.1Due to eduPersonAffiliations non domain scoped nature it's highly recommended to use the attribute eduPersonScopedAffiliation instead.
      o (aka organizationName)urn:oid:2.5.4.10This attribute is also be available as an metadata attribute.
      norEduOrgAcronymurn:oid:1.3.6.1.4.1.2428.90.1.6
      c (aka countryName)urn:oid:2.5.4.6
      co (aka friendlyCountryName)urn:oid:0.9.2342.19200300.100.1.43urn:oid:0.9.2342.19200300.100.1.43schacHomeOrganizationurn:oid:1.3.6.1.4.1.25178.1.2.9schacHomeOrganizationTypeurn:oid:1.3.6.1.4.1.25178.1.2.10

      Multivalued attributes that have different values for different services shall not be requested via metadata, examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason for this is that an Identity Provider may unintensional release sensitive information to services that are not eligable for these values. SWAMID recommends member Identity Providers to not release this type of attributes based on reqeusted attributes in metadata.

      Process for applying for tagging a service with entity category GÉANT Data Protection Code of Conduct

      For a service to be tagged with GÉANT Data Protection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.

      The request must besides the metadata update contain the following administrative information:


      schacHomeOrganizationurn:oid:1.3.6.1.4.1.25178.1.2.9
      schacHomeOrganizationTypeurn:oid:1.3.6.1.4.1.25178.1.2.10


      Multivalued attributes that have different values for different services shall not be requested via metadata, examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason for this is that an Identity Provider may unintensional release sensitive information to services that are not eligable for these values. SWAMID recommends member Identity Providers to not release this type of attributes based on reqeusted attributes in metadata.

      Process for applying for tagging a service with entity category REFEDS/GÉANT Data Protection Code of Conduct

      For a service to be tagged with GÉANT Data Protection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.

      The request must besides the metadata update contain the following administrative information:

      • Purpose and scope of the service.
      • Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfullness of processing as described in GDPR if it's not defined by purpose and scope of the service:
        • the grounds under which the Service Provider supports transfer of data as either:
          • Operating in a country within the European Union or European Economic Area or a country, territory, sector or international Organisation with an adequacy decision pursuant to GDPR Article 45, and
          • Using appropriate safeguards pursuant to GDPR Article 46 and committed to only receiving data from organisations where safeguards have been agreed.
        • that the service has committed to theREFEDS/GÉANT Data Protection Code of Conduct,
        • that it informs the Registrar about any material changes that may influence their ability to commit to the REFEDS/GÉANTData Protection Code of Conduct
        Purpose and scope of the service.
      • A list of the required attributes that the service needs to function (the list is also required in the privacy policy of the service). It is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes.Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfullness of processing as described in GDPR Article 6 if it's not defined by purpose and scope of the service, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes.

      Unless the following is already published in current service metadata, the metadata update request must contain:

      • Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
      • Display name for the Service in English English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
      • Short description of the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
      • A list of required attributes of the Service.
      • Administrative and technical contact for the service and it's recommended that technical, support and security contact is also given.
      • Formal organisation name of the organisation delivering the service.
      • URL to the organisation delivering the service.
      • URL to an informational web page that describes the service in English and preferable also in Swedish.
      • URL to a publicly accessible web page (not a pdf document) with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
        • the name, address and jurisdiction of the Service Provider;
        • the purpose or purposes of the processing of the Attributes;
        • a description of the Attributes being processed;
        • the third party recipients or categories of third party recipient to whom he Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
        • the existence of the rights to access, rectify and delete the Attributes held about the End User;
        • the retention period of the Attributes; and
        • a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.

      ...