What is the background and purpose for developing the Baseline Expectations program?
The background, philosophy, and strategic direction of the program is in the document, "Baseline Expectations for Trust in Federation: Increasing Trust and Interoperability in InCommon."
I have heard there are required metadata elements as part of Baseline, as well as recommended elements. Please clarify.
Required elements include three types of contacts (technical, admin, and security), MDUI (Metadata Uner Interface) information, and a URL pointing to a privacy policy. These are listed in the Baseline Expectations foundational document. In addition, we recommend including an error URL to provide a landing page for users to determine where to get help. InCommon has published a high-level document, "Baseline Expectations for InCommon Execs," that provides a description and purpose of each required and recommended element.
Do the Baseline Expectations include requirements for endpoints in metadata?
There are no specific requirements for endpoints as part of the Baseline Expectations. However, InCommon Operations has requirements and recommendations for endpoints documented in the wiki, https://spaces.at.internet2.edu/x/IImKAQ
Do you have examples of XML syntax for placing the required elements in metadata?
You should not need to understand XML syntax for this purpose. An InCommon site administrator can edit and update metadata using the Federation Manager web interface. Information about each element in metadata, include those that are part of Baseline, is also available on the wiki.
I'm getting questions about including a logo. What is the logo used for?
The logo significantly improves the user experience. When signing in, the user is presented with a discovery page. Having logos associated with each organization name makes for much faster scanning, so the user can pick out the appropriate organization quickly and continue with the sign-in process.
What's this "SIRTFI" thing? Is that a Baseline Expectation?
SIRTFI (Security Incident Response Trust Framework for Federated Identity) is an international standard that enables coordination of incident response across federated organizations. While adopting the SIRTFI framework is not a requirement of Baseline Expectations, including a security contact in metadata is a requirement. InCommon supports the SIRTFI framework and encourages all participants to adopt the framework and self-assert that fact via the Federation Manager.
Do you have any examples of privacy policies?
We have had a lot of questions about privacy policies and whether there are examples. Most organizations have an existing privacy policy for how user data will be handled. We encourage you to point at an existing policy with the privacy URL, rather than create a new policy.