The Data protection Code of Conduct (CoCo) enables safe attribute release between Identity and Service Providers within EU.

The following steps explain how to support the Code Of Conduct for a Service Provider.

  1. Read and understand the GEANT Data protection Code of Conduct for SPs:
  2. SP’s jurisdiction:
    • Is the SP established in EU/EEA, or in a country/jurisdiction with adequate data protection (the EC white-list)?
    • The GEANT Data protection Code of Conduct for SPs in EU/EEA is only applicable for those SPs
  3. Find out if the organization that is responsible for the SP feels comfortable to commit to the GEANT data protection Code of Conduct for SPs:
    • As an SP administrator, you may need to ask someone above you in your organization
    • Remember: In many cases there is nothing to worry about because in EU/EEA countries, many of the CoCo requirements are already mandated by the data protection laws
  4. Develop a list of attributes that are necessary for enabling  access to the service:
  5. Provide a name and description for the service:
    • There must be at least an English name and description
    • Choose names that are meaningful  for the end user who might not be familiar yet with the service
    • Good example:
      • Name: University of Tübingen's Weblicht tool for linguistics research
      • Description: WebLicht is a chaining tool for linguistics research. It provides an execution environment for automatic annotation of text corpora.
    • Bad example:
      • Name: Finna
      • Description: Public Interface Finna.
  6. Develop and publish a Privacy policy document:
  7. Ensure that the Service Provider is registered in your federation/eduGAIN with the following SAML2 metadata elements:
    • Entity Category attribute for the Code of Conduct
    • mdui:PrivacyStatementURL
    • list of md:RequestedAttributes 
    • mdui:Displayname (recommended) 
    • mdui:Description (recommended) 
    • For details of these elements, see SAML 2.0 profile for the Code of Conduct
    • How these elements are registered depends on your local federation
    • Find below an example of how the metadata looks like for a Service Provider that supports the GEANT Code Of Conduct.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="">
    <EntityAttributes xmlns="urn:oasis:names:tc:SAML:metadata:attribute">
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
      <UIInfo xmlns="urn:oasis:names:tc:SAML:metadata:ui">
        <!-- At minimum an English display name and a description -->
        <DisplayName xml:lang="fi">FileSender</DisplayName>
        <DisplayName xml:lang="en">FileSender</DisplayName>
        <Description xml:lang="fi">FileSender tarjoaa helpon tavan jakaa suuria tiedostoja.</Description>
        <Description xml:lang="en">FileSender offers an easy way to share large files with anyone.</Description>
        <!-- This URL must contain a privacy statement that must include a link to the GEANT Code of Conduct ( -->
        <PrivacyStatementURL xml:lang="fi"></PrivacyStatementURL>
        <PrivacyStatementURL xml:lang="en"></PrivacyStatementURL>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1"/>
  • No labels