This article is a part of a document curated under the Internet2 Trust and Identity Document Stewardship program. It has been reformatted for web display and may contain additional annotation. . Download the official text from the Internet2 Trust and Identity Document Repository at

Implementation Guidance
  1. All entity (IdP and SP) service endpoints must be secured with current and trustworthy transport layer encryption.

  2. Every entity (IdP and SP) complies with the requirements of the Sirtfi v1.0 trust framework when processing federated single sign-on events.

  3. Identity Provider must include an errorURL in its metadata.


2. Every entity (IdP and SP) complies with the requirements of the SIRTFI v1.0 trust framework.


2.1 What is SIRTFI?

The SIRTFI trust framework enables coordinated response to security incidents in a federated context that does not depend on a centralized authority or governance structure to assign roles and responsibilities for doing so. It does so through a set of self-asserted capabilities and roles associated with an IdP or SP organization’s federated entities.

2.2 Who does this apply to?

This requirement applies to all entities (IdPs and SPs) registered with the InCommon Federation. As SIRTFI is designed to enable coordination of security incident response across federated organizations, these requirements only apply when the entity is involved in a federated SSO event in the InCommon Federation.

2.3 How do I meet this requirement?

To meet this requirement, the operator of the IdP or SP implements the practices specified in the Security Incident Response Trust Framework for Federated Identity v1.0 [SIRTFI]. See the SIRTFI FAQ [SIRTFIFAQ] for additional details:

To signal their conformance, the Site Administrator (SA) or Delegated Administrator (DA) MUST check the “Complies with SIRTFI” checkbox for each entity in the InCommon Federation. The SA or DA also MUST make sure that the Security Contact registered in the metadata can function as the incident contact described in the Sirtfi framework (section 2.2 Incident Response).

2.4 Implementation Guidance for Federation Operator

Modify Federation Manager to require Sirtfi for all entities

InCommon SHALL update Federation Manager to require all newly registered entities (IdP and SP) to check the “Complies with SIRTFI” checkbox effective when InCommon transitions to Baseline Expectations 2.

InCommon SHALL update Federation Manager to warn the Site Administrator of any existing entities that have not checked the “Complies with SIRTFI” checkbox. It SHALL further update Federation Manager by BE2’s adherence deadline to perform the following:

  • require all entities to check the “Complies with SIRTFI” checkbox;

  • introduce language in Federation Manager to inform the SA of the obligations they are accepting by checking the box, as well as follow up instructions should the SA have questions;

  • introduce a mechanism to notify the InCommon Exec when the SA accepts the SIRTFI requirements.

    InCommon SHALL generate reports of entities (and associated contact information) currently not meeting this requirement to facilitate outreach and mitigation.

<< Back to Encrypt Entity Service Endpoints | Continue to IDP Metadata Must Have an Error URL >>

  • No labels