Regionals K-12 IdPs Use Case INITIAL DRAFT Recommendation


  1. A new InCommon entity attribute should be defined that specifies that an InCommon Service Provider (SP) is Children's Online Privacy Protection Act (COPPA) compliant.
  2. InCommon should provide a mechanism for InCommon SPs to self-assert that they are COPPA-compliant and wish to add the attribute to the InCommon metadata.  The attribute will only be present in the metadata if the Service Provider has self-asserted that the site is COPPA compliant.
  3. The Participation Agreement that is signed by the Regionals K-12 Identity Providers includes language that prohibits these IdPs from releasing any unique or persistent attribute about any individual who is subject to COPPA unless the SP asserts the COPPA-compliant attribute in the InCommon metadata.  A bilateral contract between the IdP and SP can also be used to meet the requirement of this section 3 without the presence of the SP COPPA-compliant entity attribute.
  4. MACE-DIR should be asked to define a new eduPerson attribute that can optionally be used by any IdP to state that the individual being authenticated is known not to be subject to COPPA.  There are anticipated applications where this type of attribute will be useful and enable Service Providers to act differently for younger children.  This group recommends that MACE-DIR consider making the optional nature of this attribute part of the definition to ensure that SPs know to always act in a COPPA-safe way unless the attribute is present.  We expect that some K-12 IdPs will not have the data needed to properly assert the attribute and that others may choose to limit its use to cases where a bilateral contract is in place.
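
An added example (not part of the original recommendation and not InCommon's code) sketching how an IdP could enforce the release rule in item 3 from federation metadata. The entity attribute name and value, the set of attributes treated as unique or persistent, and the sample metadata are placeholders or assumptions, since the page defines none of them.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholders: the recommendation does not define the attribute name or value.
COPPA_ATTR_NAME = "urn:example:placeholder:coppa-entity-attribute"
COPPA_ATTR_VALUE = "urn:example:placeholder:coppa-compliant"
# Assumed classification of "unique or persistent" attributes (not from the page).
PERSISTENT = {"eduPersonPrincipalName", "eduPersonTargetedID", "mail"}

# Constructed sample metadata; signature validation is assumed done beforehand.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:example:placeholder:coppa-entity-attribute">
    <saml:AttributeValue>urn:example:placeholder:coppa-compliant</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def coppa_sps(metadata_xml):
    """Return entityIDs of SPs whose metadata carries the self-asserted attribute."""
    found = set()
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ent.find("md:SPSSODescriptor", NS) is None:
            continue  # only Service Providers are relevant here
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ent.findall(path, NS):
            values = {(v.text or "").strip()
                      for v in attr.findall("saml:AttributeValue", NS)}
            if attr.get("Name") == COPPA_ATTR_NAME and COPPA_ATTR_VALUE in values:
                found.add(ent.get("entityID"))
    return found

def releasable(attrs, sp, subject_to_coppa, compliant_sps, bilateral=frozenset()):
    """Item 3: withhold unique/persistent attributes unless an exception applies.
    Assumption: callers pass subject_to_coppa=True when the status is unknown."""
    if not subject_to_coppa or sp in compliant_sps or sp in bilateral:
        return dict(attrs)
    return {k: v for k, v in attrs.items() if k not in PERSISTENT}
```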