As part of the eduGAIN Strategy, we are committed to improving the basic standards of security, authenticity, accuracy and interoperability of metadata within eduGAIN and to providing greater consistency in information held about entities in eduGAIN. 

For this to be achieved, a goal was set to improve the baseline standards for security, data protection and assurance across all entities published to eduGAIN.

As part of the proposed roadmap for delivering the eduGAIN Strategy, a phased approach has been proposed to improve the quality of the data held in metadata.


Requirements, grouped by area (Security, Privacy, Assurance):

Requirement 1
  Security: Require security contacts and commitment to incident response for federations.
  Privacy: Require a privacy notice and completion of mdui:PrivacyStatementURL for all entities.
  Assurance: Require expression of RAF information / ability to assert https://refeds.org/assurance for all Identity Providers, i.e.:
    1. Your Identity Provider is operated with organisational-level authority.
    2. Your Identity Provider is trusted enough to be used to access your organisation’s own systems.
    3. You publish contact information for your Identity Provider and respond in a timely fashion to operational issues.
    4. You apply security practices to protect user information, safeguard transaction integrity, and ensure timely incident response.
    5. You ensure the metadata registered in the Federation is complete, accurate and up to date.

Requirement 2
  Security: Require security contacts and commitment to incident response for all entities.
  Assurance: Require expression of identifier uniqueness / ability to assert https://refeds.org/assurance/ID/unique.

Requirement 3
  Security: Require Sirtfi for all entities.
  Assurance: Require a minimum RAF level (TBD).

Proposed Approach

Phase 1
  Requirement: Require security contacts and commitment to incident response for federations.
  Deadline: 31st December 2025.
  Comments: Complete, target achieved.

Phase 2
  Requirements:
    • Require security contacts and commitment to incident response for all entities.
    • Require a privacy notice and completion of mdui:PrivacyStatementURL for all entities.
    • Require expression of RAF information / ability to assert https://refeds.org/assurance for all Identity Providers.
  Deadline: 31st December 2026.
  Comments: Proposed. Is it too much to include RAF in this year? It could be rolled to 2027.

  I think we can discuss this. I would not dilute it too much though. Maybe we could move the RAF base requirement to 2027-Q1? (Davide)

  I'm happy to move the identity assurance requirements to a date further along, end of Q2 or Q4 2027? (Pål)

Phase 3
  Requirements:
    • Require Sirtfi for all entities.
    • Require expression of identifier uniqueness / ability to assert https://refeds.org/assurance/ID/unique.
  Deadline: 31st December 2027.
  Comments: +1 (Davide and Pål)

Phase 4
  Requirement: Require a minimum RAF level (TBD).
  Comments: This still needs significant scoping work.

  A base level would of course be IAP/low. A way to scope this is: 1. usefulness (what's really needed?); 2. what's the current industry standard? For example Google, Amazon, MS, etc. now have better vetting processes. All in all I would exclude any "what is reasonably achievable" parameter, or we risk simply dropping it. (Davide)

  Are we talking about only IAP or also identifier uniqueness? I'm happy on both, as uniqueness seems very important. (Pål)

Process

  • Requirements will be announced by the Secretariat and the appropriate amendments made to the SAML Technical Profile.
  • Federations will be asked to remove all entities that do not meet these standards by the deadline (or should non-compliant entities be filtered by the eduGAIN OT?).
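Whether a federation removes the entities itself or the eduGAIN OT filters them, someone has to decide per entity whether the published metadata meets the phase in force. The script below is an added example of that check, written for this page; it is not eduGAIN or REFEDS tooling. It walks a metadata aggregate and, for phase 2 and phase 3, reports which requirements each entity fails: the REFEDS security contact (contactType="other" carrying remd:contactType="http://refeds.org/metadata/contactType/security"), a non-empty mdui:PrivacyStatementURL, and the urn:oasis:names:tc:SAML:attribute:assurance-certification entity attribute. Sirtfi is published as a value of that entity attribute in practice; the script assumes the RAF and identifier-uniqueness capabilities ("ability to assert" above) are published the same way, which is an assumption about encoding rather than something this page states. The sample aggregate, entityIDs and addresses are constructed for the example.

```python
# Added example: checks a SAML metadata aggregate against the eduGAIN phase 2
# and 3 metadata requirements. Not eduGAIN/REFEDS tooling; standard library only.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "remd": "http://refeds.org/metadata"}
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
# Assumption: RAF support and identifier uniqueness are advertised as values of
# the same assurance-certification entity attribute that Sirtfi uses.
RAF = "https://refeds.org/assurance"
RAF_ID_UNIQUE = "https://refeds.org/assurance/ID/unique"


def entity_attribute_values(entity, name):
    """All values of the named entity attribute under EntityDescriptor/Extensions."""
    return [(v.text or "").strip()
            for a in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def has_security_contact(entity):
    """REFEDS security contact: contactType="other" plus remd:contactType=security."""
    remd_type = "{%s}contactType" % NS["remd"]
    return any(c.get("contactType") == "other" and c.get(remd_type) == SECURITY_CONTACT
               for c in entity.findall("md:ContactPerson", NS))


def has_privacy_statement(entity):
    """Non-empty mdui:PrivacyStatementURL in an IdP or SP role descriptor's UIInfo."""
    return any((u.text or "").strip()
               for role in ("md:IDPSSODescriptor", "md:SPSSODescriptor")
               for u in entity.findall(role + "/md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL", NS))


def is_idp(entity):
    return entity.find("md:IDPSSODescriptor", NS) is not None


def check_entity(entity, phase):
    """Names of the phase 2/3 requirements this entity fails (empty list = compliant)."""
    failures = []
    certs = entity_attribute_values(entity, ASSURANCE_CERT)
    if phase >= 2:
        if not has_security_contact(entity):
            failures.append("security-contact")
        if not has_privacy_statement(entity):
            failures.append("privacy-statement")
        if is_idp(entity) and RAF not in certs:       # IdP-only requirement
            failures.append("raf")
    if phase >= 3:
        if SIRTFI not in certs:
            failures.append("sirtfi")
        if is_idp(entity) and RAF_ID_UNIQUE not in certs:
            failures.append("id-unique")
    return failures


def check_aggregate(xml_text, phase):
    """entityID -> failed requirements, for every EntityDescriptor in the aggregate."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): check_entity(e, phase)
            for e in root.iter("{%s}EntityDescriptor" % NS["md"])}


def entities_to_filter(report):
    """entityIDs a federation must fix by the deadline or see filtered out."""
    return sorted(eid for eid, failures in report.items() if failures)


# Constructed sample aggregate: a compliant IdP and an SP that lacks a security
# contact, a privacy statement and Sirtfi (it only has a technical contact).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:remd="http://refeds.org/metadata">
 <md:EntityDescriptor entityID="https://idp.example.edu/idp">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
    <saml:AttributeValue>https://refeds.org/assurance</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor>
   <md:Extensions><mdui:UIInfo>
    <mdui:PrivacyStatementURL xml:lang="en">https://idp.example.edu/privacy</mdui:PrivacyStatementURL>
   </mdui:UIInfo></md:Extensions>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="other"
   remd:contactType="http://refeds.org/metadata/contactType/security">
   <md:EmailAddress>mailto:security@example.edu</md:EmailAddress>
  </md:ContactPerson>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor/>
  <md:ContactPerson contactType="technical">
   <md:EmailAddress>mailto:admin@example.org</md:EmailAddress></md:ContactPerson>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Calling check_aggregate(SAMPLE_METADATA, 3) returns the IdP failing only "id-unique" and the SP failing the security contact, privacy statement and Sirtfi; entities_to_filter turns that into the list a federation would be handed. Note what this does not check: a published security contact says nothing about whether anyone answers it, and a published RAF flag says nothing about whether the IdP actually releases eduPersonAssurance values at login, so the incident-response commitment and the assurance level themselves still need the process side of this roadmap.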

