SAFIRE baseline changes

Following a period of consultation and starting from 31 March 2021, we’ve made several changes to SAFIRE’s idp- & sp-requirements and to the minimum attributes required for participation.

The changes all have one thing in common: they raise the “baseline” or minimum set of standards required for participation in our Federation. This is, in turn, to ensure SAFIRE’s continued relevance and interoperability with the global federation community through e.g. eduGAIN. The changes are summarised below:

Changes affecting identity providers

Minimum attribute set

With effect from 31 March, the displayName and eduPersonScopedAffiliation attributes become a mandatory part of the minimum attribute set.

To allow for existing providers to adapt their configurations, enforcement of these requirements for existing providers will only start from 1 June 2021. However, new identity providers are expected to comply from 31 March.

To date SAFIRE has autogenerated both these attributes from other information if they were not present in an identity provider’s assertions. From 31 March, SAFIRE will no longer generate displayName; from 1 September 2021 1 November 2021, SAFIRE will no longer generate eduPersonScopedAffiliation.

MDUI improvements

The requirements for identity providers have been updated to make the following MDUI elements mandatory:

  • <mdui:DisplayName>
  • <mdui:Description>
  • <mdui:Logo> - see full details in the requirements.

Security contact mandatory

It is now mandatory to include a <md:ContactPerson> element conforming to the REFEDS Security Contact Metadata Extension that reflects the entity’s security contact. This change is intended to improve incident response capability, and is a step towards mandating Sirtfi compliance for all SAFIRE participants.

From 31 March, all new identity providers will be required to have such a contact. Existing providers have until 1 August to make the necessary changes to their own metadata, and can expect to be contacted in this regard.

Changes affecting service providers

MDUI improvements

As with identity providers, the requirements for service providers have been updated to make the <mdui:Logo> element mandatory.

It is strongly recommended that service providers include a <md:ContactPerson> element conforming to the REFEDS Security Contact Metadata Extension that reflects the entity’s security contact, and we will request such a contact during onboarding. While not mandatory at this stage, it is likely to become mandatory in future.

Recording the basis for processing

From 31 March, we will record the typical basis for processing where a service provider requests personally-identifying information. This is for improved compliance with South Africa’s Protection of Personal Information Act, which commenced last year.

South African Identity Federation