GÉANT Data Protection Code of Conduct SAML 2.0 profile

Similar documents
edugain Policy Framework SAML Profile

SAML v2.0 Protocol Extension for Requesting Attributes per Request Version 1.0

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

Session 2.1: Federations: Foundation. Scott Koranda Support provided by the National Institute of Allergy and Infectious Diseases

SAML v2.0 Protocol Extension for Requesting Attributes per Request Version 1.0

Request for Comments: ISSN: S. Cantor Shibboleth Consortium August 2018

SAML v2.0 Protocol Extension for Requesting Attributes per Request Version 1.0

SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0

Advanced Configuration for SAML Authentication

Research Collaboration IAM Needs

Federation Operator Practice: Metadata Registration Practice Statement

Federation Operator Practice: Metadata Registration Practice Statement

The Challenges of User Consent

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

egov Profile SAML 2.0

SWAMID Person-Proofed Multi-Factor Profile

OIO Bootstrap Token Profile

National Identity Exchange Federation. Terminology Reference. Version 1.0

Configuration Guide - Single-Sign On for OneDesk

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

IdP User Consent. Part 1: Overview of user consent in IdP version 3 Part 2: Technical bits. Transparency for attribute release

SWAMID Identity Assurance Level 2 Profile

Oracle Utilities Opower Solution Extension Partner SSO

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Federation Operator Practice: Metadata Registration Practice Statement

Attribute Specification for the Swedish eid Framework

saml requesting attributes v1.1 wd01 Working Draft January 2016 Standards Track Draft Copyright OASIS Open All Rights Reserved.

eidas Interoperability Architecture Version November 2015

SAML V2.0 Deployment Profiles for X.509 Subjects

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

The EGI AAI CheckIn Service

SETUP GUIDE PPP FOR PPP USERS PLANT PROTECTION PRODUCTS VERSION 0.4

Attribute Release Update

RSA SecurID Access SAML Configuration for Brainshark

Attribute Profile. Trusted Digital Identity Framework August 2018, version 1.0

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

SAML Profile for Privacy-enhanced Federated Identity Management

Level of Assurance Authentication Context Profiles for SAML 2.0

APPENDIX 2 Technical Requirements Version 1.51

Test Plan for Kantara Initiative Test Event Test Criteria SAML 2.0

SAML V2.0 Profile for Token Correlation

SAML-Based SSO Solution

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

Identity Provider for SAP Single Sign-On and SAP Identity Management

SELF SERVICE INTERFACE CODE OF CONNECTION

EGI AAI Platform Architecture and Roadmap

Certification Final Report SAML 2.0 Interoperability Test Third Quarter 2008 (3Q08) Sept. 17, 2008

OIOSAML Basic Privilege Profile. Version 1.0.1

Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)

OMA-ETS-DL-OTA-v1_ a Page 1 (24)

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

Can R&E federations trust Research Infrastructures? - The Snctfi Trust Framework

An introduc/on to Sir0i

Adding Research Datasets to the UWA Research Repository

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Morningstar ByAllAccounts SAML Connectivity Guide

D. Crocker, Ed. Updates: RFC4871 June 10, 2009 (if approved) Intended status: Standards Track Expires: December 12, 2009

PRIVACY NOTICE Olenex Sarl

Identity and Access Management. User Guide. Issue 09 Date

1. General requirements

SAML-Based SSO Solution

1) The Definition of Personal Data, the Legal Basis of Data Processing, the Concepts of Data Controller and Data Processor

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Some Notes on Metadata Interchange

Federation Technical Specifications

GMO Register User Guide

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

BELNET R&E federation Technical policy

Certification Final Report SAML 2.0 Interoperability Test Fourth Quarter 2007 (4Q07) Dec. 13, 2007

SAP Single Sign-On 2.0 Overview Presentation

Emsi Privacy Shield Policy

Implementation profile for using OASIS DSS in Central Signing services

eidas-node Error Codes

SAML-Based SSO Configuration

This topic discusses what's required of SAML IdPs in general and provides a step-by-step procedure for setting up a OneLogin IdP.

Metadata for SAML 1.0 Web Browser Profiles

Metadata for SAML 1.0 Web Browser Profiles

Shibboleth authentication for Sync & Share - Lessons learned

Lightweight Machine to Machine Architecture

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

Trust Services for Electronic Transactions

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY. ITU-T X.660 Guidelines for using object identifiers for the Internet of things

SAML 2.0 Profile. Trusted Digital Identity Framework August 2018, version 1.0

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

AARC Blueprint Architecture

Federation Metadata Document Structure Proposal

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

Cache Operation. Version 31-Jul Wireless Application Protocol WAP-175-CacheOp a

ARTICLE 29 DATA PROTECTION WORKING PARTY

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Liberty Alliance Project

Application Notes for CounterPath Bria Desktop v4.5 with Avaya Aura Presence Services Snap-in running on Avaya Breeze TM Platform- Issue 1.

MyWorkDrive SAML v2.0 Azure AD Integration Guide

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Oracle Hospitality Materials Control Release Notes. Release 8.32

About Configuring Oracle Access Manager

The challenges of (non-)openness:

Saba Hosted Customer Privacy Policy

Transcription:

1 2 3 GÉANT Data Protection Code of Conduct SAML 2.0 profile 4 5 6 For Service Providers established in European Union, European Economic Area and countries with adequate data protection pursuant to Article 25.6 of the directive 95/46/EC Version 1.0 Errata 1, 10 June 2014 7 8 9 10 DANTE on behalf of the GN3plus project. Used under a Creative Commons Attribution ShareAlike license (CC BY-SA 3.0). The work leading to these results has received funding from the European Community s Seventh Framework Programme (FP7 2007 2013) under Grant Agreement No. 605243 (GN3plus). 11

12 1. Introduction 13 14 15 16 17 18 19 20 21 22 23 24 25 26 This profile defines REQUIRED, RECOMMENDED, and OPTIONAL behavior for deployments supporting the Data Protection Code of Conduct. This deployment profile is based on the Organization for the Advancement of Structured Information Standards (OASIS) SAML 2.0 specifications [SAML2 Core, SAML2META]. It also references elements defined in [SAML2MDUI], and makes use of an Entity Category element defined in Entity Category Specification: Data Protection Code of Conduct [CoCEntityCategory]. The requirements from those specifications are not repeated here except where deemed necessary to highlight a point of discussion or draw attention to an issue addressed in errata, but remain implied. This document is supplemented by the non-normative Notes on Implementation of INFORM/CONSENT GUI Interfaces [CoCGUI] document which outlines the current best practice in the implementation and deployment of Identity Provider side modules for attribute release and user consent. Note that the SAML features that are optional, or lack mandatory processing rules, are assumed to be optional and out of scope of this profile if not otherwise precluded or given specific processing rules. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. 27 2. SAML Metadata Requirements for SP Entities 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 1. mdui Requirements: 1. SPs MUST provide at least one mdui:privacystatementurl value. 2. It is RECOMMENDED that SPs provide at least one mdui:displayname value. 3. It is RECOMMENDED that SPs provide at least one mdui:description value. 4. For all mdui elements, at least an English version of the element MUST be available, indicated by an xml:lang="en" attribute. 2. Attribute-related Requirements: 1. SPs MUST provide RequestedAttribute elements describing attributes (and, optionally, requested values) relevant for the SP. The RequestedAttribute elements MUST include the optional isrequired="true" to indicate that the attribute is necessary. 2. If the SP requires just one or some particular value(s) of an attribute (such as, edupersonaffiliation="member"), the SP MUST use the saml:attributevalue element to indicate that value(s). 3. SPs MUST provide an Entity Category attribute [CoCEntityCategory] value asserting compliance with the Code of Conduct.

43 2.1 Display name 44 45 46 47 A short descriptive name of the service, if possible without abbreviations. It SHOULD be meaningful both to the users of the service and to readers not affiliated with the service. This value may be displayed by various GUIs in order to identify the service. Examples: 48 Helsinki University's Moodle learning management system 49 University of Tübingen's Weblicht tool for linguistics research 50 2.2 Description 51 52 53 54 55 56 A description which summarises the service provided. It SHOULD be meaningful both to the users of the service and to readers not affiliated with the service. This value may be displayed by various GUIs in order to summarise the purpose for which the service processes personal data. It is RECOMMENDED that the length of the description is no longer than 140 characters. Examples: 57 SAS-download gives access to SAS -software for qualified users. 58 59 bibliotek.dk gives access to all public Danish libraries, and allows users to search for and order materials. 60 61 WebLicht is a chaining tool for linguistics research. It provides an execution environment for automatic annotation of text corpora. 62 2.3 Privacy Statement URL 63 64 65 66 67 68 A URL which resolves to a document that is the service's Privacy Policy. This value may be displayed by various GUIs as a clickable link for the end user to provide more information on how the service processes personal data. See Privacy policy guidelines for Service Providers [CoCPrivacyPolicy] for more information. The PrivacyStatementURL MUST resolve to a document which is available to browser users without requiring authentication of any kind.

69 2.4 Requested Attribute 70 71 72 73 Zero or more elements specifying attributes and, when applicable, attribute values requested by this service. Having no RequestedAttribute element in place implies the service does not request any attributes. If the Service Provider supports both SAML 1.x and SAML 2.0 protocols, it SHOULD list requested attributes using only the SAML 2.0 attribute naming conventions [MACEDirAttrProf]. 74 75 76 77 Note: The underlying SAML 2.0 metadata standard is unable to express the attribute requirements of such a Service Provider. The recommendation above is intended to minimise the chance of interoperability problems arising. It is further RECOMMENDED that such a Service Provider uses the SAML 2.0 protocol when possible rather than SAML 1.x. 78 79 80 81 82 83 84 85 86 87 88 A necessary attribute is indicated using the isrequired="true" XML attribute. In the context of this Data protection Code of Conduct, an attribute is required only if it is both relevant and necessary for enabling access to the service. isrequired="false" or a missing isrequired XML attribute indicates the attribute is optional (relevant, but only useful or desirable). See What attributes are relevant for a Service Provider [CoCAttributes] document for assistance on the necessary and optional attributes. See also Data protection good practice for Home Organisations [CoCHomeOrg] document for a good practice on managing the release of attributes flagged as necessary or optional. Note: Introduction to Code of Conduct [CoCIntroduction] proposes to defer the support to attributes flagged as optional to Phase 2. 89 2.5 Entity Category: Data protection Code of Conduct 90 91 An Entity Category attribute as defined in the Entity Category Specification: Data Protection Code of Conduct [CoCEntityCategory]. 92 3. SAML Metadata Requirements for IDP Entities 93 Currently, there are no metadata requirements for IDPs.

94 4. Examples 95 Only related elements and attributes are presented. 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 <EntityDescriptor xmlns="urn:oasis:names:tc:saml:2.0:metadata" entityid="https://filesender.example.org/"> <Extensions> <EntityAttributes xmlns="urn:oasis:names:tc:saml:metadata:attribute"> <Attribute xmlns="urn:oasis:names:tc:saml:2.0:assertion Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</AttributeValue> </Attribute> </EntityAttributes> </Extensions> <SPSSODescriptor> <Extensions> <UIInfo xmlns= urn:oasis:names:tc:saml:metadata:ui > <DisplayName xml:lang="fi">filesender</displayname> <DisplayName xml:lang="en">filesender</displayname> <Description xml:lang="fi">filesender tarjoaa helpon tavan jakaa suuria tiedostoja.</description> <Description xml:lang="en">filesender offers an easy way to share large files with anyone.</description> <PrivacyStatementURL xml:lang="fi">https://filesender.example.org/privacy-fi.html</privacystatementurl> <PrivacyStatementURL xml:lang="en">https://filesender.example.org/privacy-en.html</privacystatementurl> </UIInfo> </Extensions> <AttributeConsumingService> <RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isrequired="true"/> <RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isrequired="true"/> <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isrequired="true"/> </AttributeConsumingService> </SPSSODescriptor> </EntityDescriptor>

136 References 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 [CoCAttributes] Data protection Code of Conduct, What Attributes Are Relevant for a Service Provider, <https://refeds.terena.org/index.php/what_attributes_are_relevant_for_a_service_provider> [CoCEntityCategory] Data protection Code of Conduct, Entity Category Specification, Version 1.0, 14 June 2013 [CoCGUI] Data protection Code of Conduct, Notes on Implementation of INFORM/CONSENT GUI Interfaces, <https://refeds.terena.org/index.php/notes_on_implementation_of_inform/consent_gui_i nterfaces> [CoCHomeOrg] Data protection Code of Conduct, Data Protection Good Practice for Home Organisations, <https://refeds.terena.org/index.php/data_protection_good_practice_for_home_organisations > [CoCIntroduction] Data protection Code of Conduct, Introduction to Code of Conduct, <https://refeds.terena.org/index.php/introduction_to_code_of_conduct> [CoCPrivacyPolicy] Data protection Code of Conduct, Privacy Policy Guidelines for Service Providers, <https://refeds.terena.org/index.php/privacy_policy_guidelines_for_service_providers> [MACEDirAttrProf] MACE-Dir, SAML Attribute Profiles, April 2008. [SAML2 Core] OASIS, Assertions and Protocol for the OASIS Security Markup Language (SAML) V2.0,, 15 March 2005. Document Identifier: saml-core-2.0-os, <http://docs.oasisopen.org/security/saml/v2.0/saml-core-2.0-os.pdf> [SAML2META] Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0, with various addenda, and in associated specifications. [SAML2MDUI] SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0. 158 Document History 159 160 161 Changes from Version 1.0, 14 June 2013 Removed white space characters from the <AttributeValue>, <mdui:displayname>, <mdui:description> and <mdui:privacystatementurl> elements in the Examples section and reformatted the example.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback