Attribute Release Policy v20240322

As a revision to the previous version, this ARP allows affiliation CoCoV2 providers to receive the attributes they request.

Management of attribute release to Service Providers has been delegated to the Federation Operator in terms of the Participation Agreement.

Attribute Release Profiles

Through a community consensus process, the following attribute release profiles have been approved:

Default

The Default release profile is used when no other attribute release policy is defined:

Research & Scholarship

The Research & Scholarship release profile is used when a service provider is tagged with the research and scholarship entity category (https://refeds.org/category/research-and-scholarship), but no negotiated service-specific attribute release policy is specified:

REFEDS Code of Conduct v2

Service providers that do not have a negotiated service-specific attribute release policy and that are tagged with the REFEDS Data Protection Code of Conduct v2 entity category (https://refeds.org/category/code-of-conduct/v2) will receive any supported attributes they request.

CoCo providers have demonstrated compliance with the European General Data Protection Regulation (GDPR) and have committed to a voluntary Code of Conduct drafted by the research federation community. They request only the minimal set of attributes required to make their service function. Such providers must have a privacy notice, and a link to this will be displayed to end users during the login process.

Negotiated

Individual service providers can negotiate a customised attribute release policy on a per-entity basis, based on the principle of minimality — requested attributes must be adequate, relevant, and not excessive.

A list of all supported attributes is available.

We are unlikely to release personally-identifiable information unless the service provider’s metadata includes a <mdui:PrivacyStatementURL xml:lang="en"> element that points to a privacy notice that explains how the requested attributes will be used, preferably written in plain English. This is a requirement for SAFIRE-registered service providers.
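A service provider operator can check their own metadata against the rules above before requesting attribute release. The following is an added example, not the Federation's own tooling: it reads the entity categories and the English mdui:PrivacyStatementURL from one EntityDescriptor and reports which release profiles named on this page would apply. The sample metadata, the sp.example.org names, and the review_sp function and its negotiated flag are assumptions made for illustration; the metadata is assumed to have been signature-verified already.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
CATEGORY_PROFILES = {  # entity category URI -> release profile named on this page
    "https://refeds.org/category/research-and-scholarship": "Research & Scholarship",
    "https://refeds.org/category/code-of-conduct/v2": "REFEDS Code of Conduct v2"}

# Constructed, trimmed sample metadata for a hypothetical SP (sp.example.org).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>https://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def review_sp(metadata_xml, negotiated=False):
    """Return (applicable release profiles, English privacy notice URL or None)."""
    entity = ET.fromstring(metadata_xml)  # assumes one already-verified EntityDescriptor
    cats = {(v.text or "").strip()
            for a in entity.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == "http://macedir.org/entity-category"
            for v in a.iterfind("saml:AttributeValue", NS)}
    if negotiated:  # a service-specific policy replaces the category profiles
        profiles = ["Negotiated"]
    else:  # both categories are reported if both are tagged; Default otherwise
        profiles = [p for uri, p in CATEGORY_PROFILES.items() if uri in cats] or ["Default"]
    privacy = None
    for el in entity.iterfind(".//mdui:UIInfo/mdui:PrivacyStatementURL", NS):
        if el.get(XML_LANG) == "en" and (el.text or "").strip():
            privacy = el.text.strip()
    return profiles, privacy

if __name__ == "__main__":
    print(review_sp(SAMPLE))
```

A result whose second element is None means the metadata carries no English privacy statement URL, which is the condition under which release of personally-identifiable information is unlikely.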

Inter-federation

The release profiles above apply irrespective of whether we learn about a service provider via inter-federation (e.g. eduGAIN) or whether they are direct participants. This means that, for example, service providers tagged as meeting the Research & Scholarship requirements by another federation will automatically have our Research & Scholarship release profile applied.

However, in practice, how we apply the Negotiated release profile differs depending on whether we’ve learnt about a service provider via inter-federation or whether they’re a direct participant.

For service providers learnt via inter-federation we are generally willing to negotiate attribute release of any attributes listed in the Research & Scholarship profile provided that at least one participating identity provider has expressed interest in using the service. Service providers who require more attributes than the R&S profile supports may be requested to join the Federation as a direct participant, particularly where those attributes constitute personal information.

South African Identity Federation