InCommon enables service providers and identity providers to share the support burden. Recognizing this shared responsibility to coordinate with your partners will greatly improve your users' experience, as well as decreasing the effort required of you to support those users. The following are examples of that sharing.
In order to avoid user confusion, responsibility for user support must be clearly delineated. Bear in mind that identity providing organizations will not have deep (or even shallow) knowledge of the services their users access, unless specific arrangements have been made. In general, those who operate IdPs will expect to be responsible for the user interactions required to complete authentication, and service providers will expect to be responsible for user interactions after receiving the information they need from the IdP. For that reason, make sure that information is provided to end users within login flows to clarify whom to contact at each point in the flow. Also ensure that help desk personnel can route support issues appropriately to avoid forcing your end-users to understand the support relationship.
Finally, federation trust is between the organizations that participate in InCommon; technology provides only a platform upon which that trust can be layered. The following are non-technical actions your organization should take.
- Adhere to the requirements of InCommon's Baseline Expectations, including the publication contact information in federation metadata.
- Implement and maintain a documented process for incident response that acknowledges the roles of your partners.
- Certify for the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi). This will likely be required soon, as part of Baseline Expectations 2.
See the Sharing the Burden section of the Cloud Services Cookbook for more information.