

Authentication sources and Collaboration Management should abide by the minimum requirements and recommendations for the secure operation of Attribute Authorities [see Resources], and similar services providing statements for obtaining access to Infrastructure services.

To make safe authorisation decisions, Relying Parties need to be able to identify and trust the issuer or provider of an attribute assertion, and know to which Collaboration it pertains. In a typical scenario, a Collaboration designates one or more AA Operators to operate AAs, and informs Relying Parties of any related metadata necessary for Relying Parties to connect to or use the AA. The attributes are securely held by the AA and delivered on request to authorised Relying Parties, either directly or by way of the user.

These attributes may be aggregated with identity assertions, such as those delivered from a directory or group management system, or with attribute or capability tokens as asserted by an AARC BPA Proxy.

Stated compliance with these guidelines may help to establish trust between the Community and its AA, and Relying Parties. In the interest of scalability, these guidelines are intended to facilitate the assessment of AA Operators rather than individual AAs or Communities. This document does not provide guidance on the management (life cycle, technical implementation, exchange protocols, etc.) of attributes, nor on the processes by which attributes are entered into the AA.


The AAOPS document


Resources

AARC-G071 Guidelines for Secure Operation of Attribute Authorities

