...

Requirements for the R&S Category

Service Providers are already bound by the requirements of the InCommon Federation Participation Agreement. For the purposes of R&S, they should pay particular attention to Section 9:

9. Respect for Privacy of Identity Information

Participant agrees to respect the privacy of and any other constraints placed on identity information that it might receive from other InCommon Participants as agreed upon between Participant and the InCommon Participant(s). In particular, Participant understands that it may not permanently store nor share or disclose or use for any purpose other than its intended purpose any identity information that it receives from another InCommon Participant without express written permission of the other InCommon Participant. Participant understands that the storing and sharing of resources is between the Participant and the InCommon Participant(s) and is not the responsibility of InCommon.

In addition, Service Providers must comply with the following requirements:

...

R&S category SPs may request other attributes, but IdP operators will likely require a prior agreement before releasing additional attributes.

With respect to attributes, note that InCommon Service Providers are already bound by the requirements of the InCommon Federation Participation Agreement. For the purposes of R&S, participants should pay particular attention to Section 9 of that document:

9. Respect for Privacy of Identity Information

Participant agrees to respect the privacy of and any other constraints placed on identity information that it might receive from other InCommon Participants as agreed upon between Participant and the InCommon Participant(s). In particular, Participant understands that it may not permanently store nor share or disclose or use for any purpose other than its intended purpose any identity information that it receives from another InCommon Participant without express written permission of the other InCommon Participant. Participant understands that the storing and sharing of resources is between the Participant and the InCommon Participant(s) and is not the responsibility of InCommon.

It is therefore highly recommended that SPs use a minimalist approach to attributes, only requesting those attributes that they absolutely need. In the future, if InCommon interfederates with federations in other parts of the world, IdPs in other countries may be operating under laws and regulations that require such a minimalist approach.

...