Using an outsourced Service Provider
In general, an organisation may outsource service provision to an external organisation without reference to the federation operator. However, in cases where the entity ID proposed for the SP entity contains a domain name which does not belong to the external organisation, the owning organisation must grant permission for this use of the domain name, which should be notified in writing to the federation operator.
Please note that:
- The purpose of this notification is to ensure that a domain name is used in an entity ID only with the express permission of the domain owner.
- The domain owner need not be a member of the UK federation for SP outsourcing (this does not apply to IdP outsourcing).
- The notification letter must be written by a staff member with sufficient seniority to act on its behalf, and in particular must have the power to sign contracts on behalf of the domain-owning organisation.
- The letter should use the domain-owning organisation's letterhead.
The notification must contain the following information:
- The name of the domain owner.
- The name of the organisation registering the entity.
- The name and email address of a contact person within the organisation registering the entity.
- The entity ID of the entity which the registering organisation proposes to use. (The registering organisation should be consulted to obtain this information).
- An explicit statement by the domain owner approving the use of the domain name in the entity ID by the external organisation.
Please see this example of the form of letter required.
Please note that similar conditions apply to the registration of identity providers, but the situation is more complex. Please refer to the federation documentation about using an outsourced identity provider.
The information you provide to us is needed for us to manage your membership of, and / or participation in, the UK Access Management federation, operated by Jisc. We’ll use it, as described in our standard privacy notice (at https://www.jisc.ac.uk/website/privacy-notice), to provide the service you’ve requested, as well as to identify problems or ways to make the service better. We’ll keep the information until we are told that you no longer wish to be a member and / or participant. This service is covered by Jisc’s ISO27001 Information Security certification.