
...

InCommon is implementing a simplified and scalable approach to this problem through the specification of a "Research and Scholarship (R&S)" category for SPs. All InCommon SPs have already agreed to a set of practices governing how they manage and use personal attributes. To qualify for inclusion in the R&S category, an SP must comply with an additional set of criteria designed to let an IdP decide, once, to release a controlled set of low-risk attributes to every R&S SP without a local review of each SP. InCommon provides metadata and technology tools to further facilitate automatic but controlled release of attributes to R&S SPs, and to aid user support.

IdPs can simplify the management of their attribute release policies by taking advantage of the R&S category. With a one-time addition to their default release policy they can specify a set of attributes to release to all SPs that are in the R&S category. That policy also applies to SPs added to the category in the future, without the IdP administrator having to make any further changes.

This Research and Scholarship Category Pilot will include a small number of SPs and IdPs to test this approach and to recommend modifications to the specifications described here, as appropriate. The following are the participants in this pilot:

...

Requirements for the R&S Category

Service Providers are already bound by the requirements outlined in the InCommon Federation Participation Agreement. For the purposes of R&S, they should pay particular attention to Section 9:

9. Respect for Privacy of Identity Information

Participant agrees to respect the privacy of and any other constraints placed on identity information that it might receive from other InCommon Participants as agreed upon between Participant and the InCommon Participant(s). In particular, Participant understands that it may not permanently store nor share or disclose or use for any purpose other than its intended purpose any identity information that it receives from another InCommon Participant without express written permission of the other InCommon Participant. Participant understands that the storing and sharing of resources is between the Participant and the InCommon Participant(s) and is not the responsibility of InCommon.

InCommon strongly recommends that Resource provider systems may cache temporarily identity attributes/credentials that are supplied by IdMs for operational efficiency or sequential, repeated authentication purposes within a given session or reasonable length episode. InCommon further recommends that any shared attributes/credentials should not be used for any purpose other than the original purpose or intent, and that such attributes/credentials should be destroyed at the end of the session or episode in which they are needed. This temporary storage of credentials shall not be deemed as permanent storage for the purposes of this Agreement.

In addition, Service Providers must comply with the following requirements:

...