Privacy Policy for UK federation Test SPs

This Privacy Policy applies to the UK federation Test SP (entityID https://test.ukfederation.org.uk/entity) and the UK federation "Research and Scholarship" Test SP (entityID https://test.ukfederation.org.uk/entity/research-and-scholarship). The SPs are designed for testing attribute release from IdPs. They allow IdP operators to self-test their IdP's attribute release in order to discuss those results with UK federation staff, particularly if results before and after an IdP system modification differ

Neither of these use cases require long-term retention of personal data. Consequently, our maximum data retention period is 3 months. We acknowledge that we may have arbitrary personal data because:

  • the SPs' metadata includes a wide range of RequestedAttribute elements
  • the SPs are intended to test IdPs' attribute release, so there is the potential that IdPs may be misconfigured and release more attributes than intended
  • we also retain webserver logfiles which include IP addresses

Therefore, we aim for a high standard for protection of data:

  • TLS protection of attributes: The Test SPs reach A+ standard on SSL Labs (tested on 2021-03-16).
  • XML encryption of attributes: The Test SPs' metadata includes algorithm agility metadata so that IdPs can choose the strongest encryption algorithm that they support. We can decrypt using AES256-GCM, although AES128-GCM is preferred (see the registered metadata for a complete list).
  • Data is stored on servers located in the UK and European Union with access restricted to Jisc staff

Data is not disclosed or shared with third parties.

If you wish to access, rectify or delete personal data, please contact the UK federation Helpdesk, service@ukfederation.org.uk.