The GÉANT Data Protection Code of Conduct for Service Providers

SP operators can signal to IdP operators that they follow good practice in data protection by asserting that they follow the GÉANT Data Protection Code of Conduct.

Please Note: this entity category is self-asserted by the SP. The UK federation does not verify that a SP complies with the Code of Conduct. For SPs registered by the UK federation, we verify only that the entity category has been asserted correctly. For SPs registered outside the UK federation that assert the entity category, we import the entity category as-is.

Prerequisites

SP operators should be familiar with the GÉANT Data Protection Code of Conduct for Service Providers and Code of Conduct SAML 2 profile before contacting the helpdesk.

Full documentation on this entity category can be found at the GÉANT Data Protection Code of Conduct Home.

How do I request that my SP shows it follows the Code of Conduct?

What must be in the request?

  • The request MUST include an entityID for a registered SP (or be part of a registration request).
  • The request MUST be emailed to us by an appropriate person. In the case of an existing entity, this would be the administrative contact for the entity or Management Contact for the organization. New registration requests must always come from an organization's Management Contact. (A description of the various roles is available here.)
  • The request MUST include a mdui:PrivacyStatementURL value with xml:lang="en". There may be more than one mdui:PrivacyStatementURL. Each one must have a unique xml:lang attribute, although they could conceivably all have the same URL if the document has sections for the different languages.
    <mdui:PrivacyStatementURL xml:lang="fi">https://filesender.funet.fi/privacypolicy.html</mdui:PrivacyStatementURL>
    <mdui:PrivacyStatementURL xml:lang="en">https://filesender.funet.fi/privacypolicy.html</mdui:PrivacyStatementURL>
  • The mdui:PrivacyStatementURL with xml:lang="en" MUST resolve to a document.
  • The Privacy Statement MUST include the name, address and jurisdiction of the Service Provider.
  • The Privacy Statement MUST indicate a commitment to the Code of Conduct.
  • The SP's metadata MUST include RequestedAttribute elements to indicate the attributes that the SP will request. Please note that the core attributes for the UK federation are defined in the eduPerson schema (see section 7 of the UK federation Technical Recommendations for Participants) whilst other federations may use attributes from other schemas e.g. SCHAC. Information on the form of the RequestedAttribute information can be seen on the Shibboleth wiki, or contact the UK federation service desk for more information. Note that the simple semantics of the isRequired flag cannot fully capture the complexities of attribute requests in SAML, so we recommend you contact the service desk for advice in this regard.

What's recommended to be in the request?

  • The SP's metadata should include at least one mdui:DisplayName. If it does, there MUST be one mdui:DisplayName with xml:lang="en"
  • The SP's metadata should include at least one mdui:Description. If it does, there MUST be one mdui:Description with xml:lang="en"

What happens next?

The UK federation support team will review your request. When we have ensured that all is in order, we will update the SP's registration and publish updated metadata.

Other information

This Code of Conduct monitoring tool checks whether SPs asserting the Code of Conduct do so correctly, in the sense that they include all the required elements of metadata. Instructions for the tool are here.