...

Service Providers are already bound by the requirements of the InCommon Federation: Participation Agreement. For the purposes of R&S, they should pay particular attention to Section 9:

9. Respect for Privacy of Identity Information

Participant agrees to respect the privacy of and any other constraints placed on identity information that it might receive from other InCommon Participants as agreed upon between Participant and the InCommon Participant(s). In particular, Participant understands that it may not permanently store nor share or disclose or use for any purpose other than its intended purpose any identity information that it receives from another InCommon Participant without express written permission of the other InCommon Participant. Participant understands that the storing and sharing of resources is between the Participant and the InCommon Participant(s) and is not the responsibility of InCommon.

InCommon strongly recommends that Resource provider systems may cache temporarily identity attributes/credentials that are supplied by IdMs for operational efficiency or sequential, repeated authentication purposes within a given session or reasonable length episode. InCommon further recommends that any shared attributes/credentials should not be used for any purpose other than the original purpose or intent, and that such attributes/credentials should be destroyed at the end of the session or episode in which they are needed. This temporary storage of credentials shall not be deemed as permanent storage for the purposes of this Agreement.

In addition, Service Providers must comply with the following requirements:

...