First Draft of the requirements

...

Entity category checks

Entity Category Attribute value: https://refeds.org/category/code-of-conduct/v2

Metadata Requirements for Service Providers:

 - mdui:PrivacyStatementURL: PRESENT, MUST be reachable without any authN.
 - mdui:DisplayName: PRESENT
 - mdui:Description: PRESENT and RECOMMENDED "no longer than 140 characters"
 - for all mdui elements there MUST be at least an English value with the `xml:lang="en"` attribute.
 - Sirtfi:
   - Entity Attribute value:
     - ""
   - Security Contact:
     - ""

Notes from CoCo-v2-BPs

p. 12 Data Minimisation

"In the context of this Code of Conduct, under no circumstances is a Service
Provider Organisation authorised to request End User’s Attribute
revealing racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade-union membership, genetic data, biometric data for the
purposes of uniquely identifying a natural person or data concerning health
or sex life or sexual orientation." 
Q: Does this mean that a service provider cannot run an application that collects health data of patients?
A: No, it means that for the health data collection to take place there needs to be a specific agreement in place between the Home Organisation and the SP. Such an agreement will take precedence and override the CoCo.

...

5.1 mdui Requirements

5.1.1. SPs MUST provide at least one mdui:PrivacyStatementURL value. The PrivacyStatementURL MUST resolve to a Privacy Notice which is available to browser users without requiring authentication of any kind.

CHECK:

  • assess that metadata contains at least one mdui:PrivacyStatementURL with xml:lang="en" value.
  • assess HTTP status code 200 on the value of mdui:PrivacyStatementURL with xml:lang="en" value.

5.1.2 SPs MUST provide at least one mdui:DisplayName value.

CHECK:

  • assess that metadata contains at least one mdui:DisplayName with xml:lang="en" value and that it is not empty.

5.1.3 SPs MUST provide at least one mdui:Description value. It is RECOMMENDED that the length of the description is no longer than 140 characters.

CHECK:

  • assess that metadata contains at least one mdui:Description with xml:lang="en" value.
  • assess that the mdui:Description with xml:lang="en" value is no longer than 140 characters:
    • issue a warning if it is more than 140 characters.

5.1.4 For all mdui elements, at least an English version of the element MUST be available, indicated by an xml:lang="en" attribute.

CHECK:

  • see above checks.
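The 5.1.1 to 5.1.4 checks above, written out as an added example with the Python standard library (this is not code from the REFEDS page or from the CoCo best-practice document). SAMPLE_SP is constructed metadata, and stub_fetch_status is a constructed stand-in for the unauthenticated HTTP request that a real checker would make against the PrivacyStatementURL; both are assumptions of this example.

```python
"""Added example: mdui checks 5.1.1-5.1.4 on one SP EntityDescriptor."""
import xml.etree.ElementTree as ET
from typing import Callable

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
# ElementTree exposes xml:lang under the predefined XML namespace.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
UIINFO = "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:"

# Constructed SP metadata (assumption): English PrivacyStatementURL and
# DisplayName are present, the English Description is deliberately 150
# characters long so that the 140-character recommendation is exceeded.
SAMPLE_SP = (
    '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"'
    '    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    '    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">'
    '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    "    <md:Extensions><mdui:UIInfo>"
    '      <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>'
    '      <mdui:DisplayName xml:lang="de">Beispieldienst</mdui:DisplayName>'
    '      <mdui:Description xml:lang="en">' + "x" * 150 + "</mdui:Description>"
    '      <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>'
    "    </mdui:UIInfo></md:Extensions>"
    "  </md:SPSSODescriptor>"
    "</md:EntityDescriptor>"
)


def english_values(root: ET.Element, element: str) -> list:
    """Text of every mdui:<element> under the SP role that carries xml:lang="en"."""
    return [
        (e.text or "").strip()
        for e in root.findall(UIINFO + element, NS)
        if e.get(XML_LANG) == "en"
    ]


def stub_fetch_status(url: str) -> int:
    """Constructed stand-in for an unauthenticated HTTP GET returning the status code."""
    return 200 if url == "https://sp.example.org/privacy" else 404


def check_mdui(metadata_xml: str, fetch_status: Callable[[str], int]) -> dict:
    """Apply checks 5.1.1-5.1.4; MUST violations are errors, the 140-char rule is a warning."""
    root = ET.fromstring(metadata_xml)
    errors, warnings = [], []

    urls = english_values(root, "PrivacyStatementURL")
    if not urls:
        errors.append('5.1.1: no mdui:PrivacyStatementURL with xml:lang="en"')
    for url in urls:
        status = fetch_status(url)
        if status != 200:
            errors.append(f"5.1.1: {url} returned HTTP {status}, not 200")

    # any() on the list of strings rejects an element that is present but empty.
    if not any(english_values(root, "DisplayName")):
        errors.append('5.1.2: no non-empty mdui:DisplayName with xml:lang="en"')

    descriptions = english_values(root, "Description")
    if not descriptions:
        errors.append('5.1.3: no mdui:Description with xml:lang="en"')
    for text in descriptions:
        if len(text) > 140:
            warnings.append(f"5.1.3: mdui:Description is {len(text)} characters, longer than the recommended 140")

    # 5.1.4 is covered by restricting every lookup above to xml:lang="en".
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, items in check_mdui(SAMPLE_SP, stub_fetch_status).items():
        for item in items:
            print(level.upper(), item)
```

The fetcher is injected so that the reachability check can be exercised offline; in a deployed checker the same function would issue a plain GET with no cookies or credentials, which is exactly what 5.1.1 demands of the Privacy Notice.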

5.2 Attribute Requirements

5.2.1. If the SP is using SAML Subject Identifier Attribute Profile for identifier attribute release, it MUST provide subject-id:req entity attribute extension to indicate which one of the identifiers pairwise-id or subject-id is necessary.

CHECK:

  • assess that metadata contains the element saml:Attribute with Name:

<saml:Attribute Name="urn:oasis:names:tc:SAML:profiles:subject-id:req">

with value:

          <saml:AttributeValue>pairwise-id</saml:AttributeValue>

or:

          <saml:AttributeValue>subject-id</saml:AttributeValue>


5.2.2. If the SP is requesting other attributes than the identifiers above, it MUST provide RequestedAttribute elements describing the attributes relevant for the SP. The RequestedAttribute elements MUST include the optional isRequired="true" to indicate that the attribute is necessary.

CHECK:

  • assess that if RequestedAttribute elements are present they also contain the attribute isRequired="true"
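The two 5.2 checks as an added example (not code from the REFEDS page or the best-practice document): the subject-id:req entity attribute is read from mdattr:EntityAttributes, and every md:RequestedAttribute in the SP's AttributeConsumingService is checked for isRequired="true". SAMPLE_SP is constructed metadata and is an assumption of this example; the accepted subject-id:req values are the two the page lists.

```python
"""Added example: attribute requirement checks 5.2.1 and 5.2.2."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"
ACCEPTED_REQ_VALUES = {"pairwise-id", "subject-id"}  # the values the page names

# Constructed SP metadata (assumption): subject-id:req asks for pairwise-id;
# "mail" is flagged isRequired="true" but "displayName" is not.
SAMPLE_SP = (
    '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"'
    '    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    '    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"'
    '    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "  <md:Extensions><mdattr:EntityAttributes>"
    '    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"'
    '        Name="urn:oasis:names:tc:SAML:profiles:subject-id:req">'
    "      <saml:AttributeValue>pairwise-id</saml:AttributeValue>"
    "    </saml:Attribute>"
    "  </mdattr:EntityAttributes></md:Extensions>"
    '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '    <md:AttributeConsumingService index="1">'
    '      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>'
    '      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>'
    '      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>'
    "    </md:AttributeConsumingService>"
    "  </md:SPSSODescriptor>"
    "</md:EntityDescriptor>"
)


def entity_attribute_values(root: ET.Element, name: str) -> list:
    """All AttributeValue texts of the entity attribute called `name` (empty list if absent)."""
    values = []
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return values


def check_attribute_requirements(metadata_xml: str) -> list:
    """Return the list of 5.2 violations found in one EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    errors = []

    # 5.2.1: subject-id:req present, and every value is one the profile check expects.
    req_values = entity_attribute_values(root, SUBJECT_ID_REQ)
    if not req_values:
        errors.append("5.2.1: subject-id:req entity attribute is missing")
    else:
        unexpected = sorted(set(req_values) - ACCEPTED_REQ_VALUES)
        if unexpected:
            errors.append(f"5.2.1: unexpected subject-id:req value(s) {unexpected}")

    # 5.2.2: each RequestedAttribute must carry isRequired="true".
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for ra in root.findall(path, NS):
        if ra.get("isRequired") != "true":
            label = ra.get("FriendlyName") or ra.get("Name")
            errors.append(f'5.2.2: RequestedAttribute {label} lacks isRequired="true"')
    return errors


if __name__ == "__main__":
    for problem in check_attribute_requirements(SAMPLE_SP):
        print(problem)
```

Matching on Name rather than on the saml:Attribute prefix keeps the check independent of the namespace prefixes a federation's aggregator happens to emit.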

6. Deployment Guidance for Service Providers


SPs to be checked for compliance have the following EntityAttribute:

<EntityAttributes xmlns="urn:oasis:names:tc:SAML:metadata:attribute">
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="https://macedir.org/entity-category">
<AttributeValue>https://refeds.org/category/code-of-conduct/v2</AttributeValue>
</Attribute>
</EntityAttributes>


Additional checks

SIRTFI Check

REFEDS Data Protection Code of Conduct: https://refeds.org/wp-content/uploads/2022/05/REFEDS-CoCo-Best-Practicev2.pdf


G. Security Measures

The Service Provider Organisation warrants taking appropriate technical
and organisational measures to safeguard Attributes against accidental or
unlawful destruction or accidental loss, alteration, unauthorised disclosure
or access. These measures shall ensure a level of security appropriate to
the risks represented by the processing and the nature of the data to be
protected, having regard to the state of the art and the cost of their
implementation.

"The Service Provider Organisation commits to provide to the Home
Organisation or its Agent at least the following information:
a. a machine-readable link to the Privacy Notice;"

Requirement: verify that the link is available in the metadata and reachable by an HTTP User-Agent.

G. Security Measures

"The Service Provider Organisation shall implement the security
measures described in the Security Incident Response Trust Framework for
Federated Identity (Sirtfi) and signal it to the Identity Provider."

H. Security Breaches

If the Service Provider Organisation suspects that one or more user accounts in the Home Organisation have been compromised, the Service Provider Organisation contacting the Home
Organisation enables the Home Organisation to take measures to limit any further damage (such as suspending the compromised accounts) and to start the necessary actions to recover from the breach, if any.

I. Transfer of Personal Data to Third Parties

proxy use case: if none of the Attributes received from the Home
Organisation are being passed on, e.g. when only an internal
identifier assigned by the proxy is sent to the third parties, the proxy
does not need to make sure those third parties are committed to the
Code of Conduct.

CHECK 1:

  • assess that the metadata contains the Sirtfi EntityAttribute as follows:

OPTION 1 (both Sirtfi v1 and v2):

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
  <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
  <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
</saml:Attribute>

OPTION 2 (Sirtfi v1 only):

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
  <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
</saml:Attribute>

OPTION 3 (Sirtfi v2 only):

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
  <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
</saml:Attribute>

CHECK 2:

  • assess that the metadata contains the Sirtfi security contact with value:

<md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
  <md:EmailAddress>mailto:<EMAIL_ADDRESS></md:EmailAddress>
</md:ContactPerson>
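The Sirtfi CHECK 1 and CHECK 2 above, combined with the scoping rule from section 6 (only SPs carrying the CoCo v2 entity category are audited), as an added example over a whole metadata aggregate. This is not code from the REFEDS page; SAMPLE_FEED and the _sample_sp builder are constructed test data and assumptions of this example, and the three entityIDs in it are placeholders.

```python
"""Added example: select CoCo v2 SPs from an aggregate and run the Sirtfi checks."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "remd": "http://refeds.org/metadata",
}
ENTITY_CATEGORY = "https://macedir.org/entity-category"
COCO_V2 = "https://refeds.org/category/code-of-conduct/v2"
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI_VALUES = {"https://refeds.org/sirtfi", "https://refeds.org/sirtfi2"}
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"
REMD_CONTACT_TYPE = "{http://refeds.org/metadata}contactType"  # remd:contactType as ET sees it


def _sample_sp(entity_id: str, entity_attrs: dict, contact_xml: str) -> str:
    """Build one constructed EntityDescriptor (test data only)."""
    attrs = "".join(
        f'<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in entity_attrs.items()
    )
    return (
        f'<md:EntityDescriptor entityID="{entity_id}">'
        f"<md:Extensions><mdattr:EntityAttributes>{attrs}</mdattr:EntityAttributes></md:Extensions>"
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        f"{contact_xml}</md:EntityDescriptor>"
    )


SECURITY_CONTACT_XML = (
    f'<md:ContactPerson contactType="other" remd:contactType="{SECURITY_CONTACT}">'
    "<md:EmailAddress>mailto:security@sp-a.example.org</md:EmailAddress></md:ContactPerson>"
)
PLAIN_CONTACT_XML = (
    '<md:ContactPerson contactType="technical">'
    "<md:EmailAddress>mailto:admin@example.org</md:EmailAddress></md:ContactPerson>"
)

# Constructed aggregate: sp-a is CoCo v2 with Sirtfi v1+v2 and a security contact,
# sp-b is CoCo v2 with neither, sp-c is Sirtfi v1 but not CoCo v2 (out of scope).
SAMPLE_FEED = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    ' xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:remd="http://refeds.org/metadata">'
    + _sample_sp("https://sp-a.example.org", {ENTITY_CATEGORY: [COCO_V2],
                 ASSURANCE: ["https://refeds.org/sirtfi2", "https://refeds.org/sirtfi"]}, SECURITY_CONTACT_XML)
    + _sample_sp("https://sp-b.example.org", {ENTITY_CATEGORY: [COCO_V2]}, PLAIN_CONTACT_XML)
    + _sample_sp("https://sp-c.example.org", {ASSURANCE: ["https://refeds.org/sirtfi"]}, PLAIN_CONTACT_XML)
    + "</md:EntitiesDescriptor>"
)


def entity_attribute_values(ed: ET.Element, name: str) -> list:
    """AttributeValue texts of the entity attribute `name`; strip() tolerates values split over lines."""
    values = []
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return values


def has_security_contact(ed: ET.Element) -> bool:
    """CHECK 2: a ContactPerson with remd:contactType security and a non-empty EmailAddress."""
    for cp in ed.findall("md:ContactPerson", NS):
        if cp.get(REMD_CONTACT_TYPE) == SECURITY_CONTACT:
            mail = cp.find("md:EmailAddress", NS)
            if mail is not None and (mail.text or "").strip():
                return True
    return False


def audit_feed(feed_xml: str) -> dict:
    """Map entityID -> {"sirtfi": [versions], "errors": [...]} for every CoCo v2 SP in the feed."""
    root = ET.fromstring(feed_xml)
    md_ed = "{%s}EntityDescriptor" % NS["md"]
    entities = [root] if root.tag == md_ed else root.findall(".//md:EntityDescriptor", NS)
    results = {}
    for ed in entities:
        if COCO_V2 not in entity_attribute_values(ed, ENTITY_CATEGORY):
            continue  # section 6: only SPs asserting the CoCo v2 category are in scope
        versions = sorted(set(entity_attribute_values(ed, ASSURANCE)) & SIRTFI_VALUES)
        errors = []
        if not versions:
            errors.append("CHECK 1: no Sirtfi value in assurance-certification")
        if not has_security_contact(ed):
            errors.append("CHECK 2: no security contact (remd:contactType security with EmailAddress)")
        results[ed.get("entityID")] = {"sirtfi": versions, "errors": errors}
    return results


if __name__ == "__main__":
    for entity_id, outcome in audit_feed(SAMPLE_FEED).items():
        print(entity_id, outcome["sirtfi"], outcome["errors"] or "OK")
```

Either of the three OPTIONs in CHECK 1 passes, because the check is "at least one Sirtfi value present"; the returned version list lets the operator see which one an SP actually asserts.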



References

[CoCov2] https://refeds.org/category/code-of-conduct/v2
[CoCov2-SP-ECBP] https://refeds.org/category/code-of-conduct/v2/wp-content/uploads/2022/05/REFEDS-CoCo-Best-Practicev2.pdf
[CoCov2-HomeOrg] https://wiki.refeds.org/display/CODE/Good+practice+for+Home+organisations