This is a minor update of the v20181207 version to reflect recent changes.

The South African Identity Federation (SAFIRE) exists to simplify access to content, services and resources for the global research and education community.

The basic principle underpinning the security of SAFIRE is that the authentication of a user is carried out at his/her home institution (Identity Provider, IdP) using the institution’s specific authentication method. The authorisation required to allow access to the requested service is carried out by the service provider (SP). Thus whilst SAFIRE is operated by TENET, the service as it appears to end-users consists of many legal entities.

Changes to the Metadata Registration Practice Statement must reach rough consenus/no opposition at the SAFIRE service advisory group. This version is aligned with the 2025 baseline changes

Definitions and terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14¹.

Changes to the Requirements for SAML2 Identity Providers that are purely technical must reach rough consensus/no opposition among SAFIRE’s service advisory group. Changes to the administrative requirements are synchronised with the Metadata Registration Practice Statement. This version is aligned with the 2025 baseline changes.

The following describes the technical and administrative checks made before an identity provider is admitted into the SAFIRE federation within the SAML2 Technology Profile. It also serves as a checklist for identity provider operators for assessing their readiness to participate.

Changes to the Requirements for SAML2 Service Providers that are purely technical must reach rough consensus/no opposition among SAFIRE’s service advisory group. Changes to the administrative requirements are synchronised with the Metadata Registration Practice Statement. This version is aligned with the 2025 baseline changes.

The following describes the technical and administrative checks made before a service provider is admitted into the SAFIRE federation within the SAML2 Technology Profile. It also serves as a checklist for service provider operators for assessing their readiness to participate.

As a revision to the previous version, this ARP refines the REFEDS entity-category based release and makes provision for anonymous and pseudonymous release.

Management of attribute release to Service Providers has been delegated to the Federation Operator in terms of the Participation Agreement.

Attribute Release Profiles

Through a community consensus process, the following attribute release profiles have been approved:

Changes to the Metadata Registration Practice Statement that are purely technical in nature must reach rough consenus/no opposition at the SAFIRE Participants’ Forum. All other changes are approved by the SAFIRE Steering Committee. This version reached rough consensus on 5 May 2021, subject to revisions by the REFEDS MPRS working group that were completed in 2024..

Definitions and terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in BCP 14¹.

As a revision to the previous version, this ARP allows affiliation CoCoV2 providers to receive the attributes the request.

Management of attribute release to Service Providers has been delegated to the Federation Operator in terms of the Participation Agreement.

Attribute Release Profiles

Through a community consensus process, the following attribute release profiles have been approved:

Federation is a complex space, and South Africa is grappling with the implication of new privacy legislation. Whilst we’ve tried to make SAFIRE’s Participation Agreement easy for the likely signatory — a federation layman — to understand, experience has shown that there are sometimes misunderstandings of the technology and gaps in interpretation. This document is intended to consolidate that experience into a practice note for legal departments and other people trying to make sense of the SAFIRE Participation Agreement.

The SAML2 IdP and SP requirements have been updated to clarify certificate expectations.

Changes to the Requirements for SAML2 Service Providers that are purely technical must reach rough consensus/no opposition among SAFIRE’s service advisory group. Changes to the administrative requirements are synchronised with the Metadata Registration Practice Statement. This version reached rough consensus on 30 November 2023.

The following describes the technical and administrative checks made before a service provider is admitted into the SAFIRE federation within the SAML2 Technology Profile. It also serves as a checklist for service provider operators for assessing their readiness to participate.