IdP Operational Requirements
Purpose of this document
This document defines identity management and system operation requirements and recommendations for Identity Providers joining the HREF Federation.
Throughout this document the terms MUST, MUST NOT, SHOULD and SHOULD NOT are interpreted as follows:
- MUST (or SHALL, REQUIRED): the definition is an absolute requirement of the specification in order to build and keep trust in the federation.
- MUST NOT: the definition is an absolute prohibition of the specification
- SHOULD (or RECOMMENDED): there may be valid reasons for ignoring the definition, however, the divergence from the specification MUST be documented
- SHOULD NOT (or NOT RECOMMENDED): there may be valid reasons for the particular behaviour to be acceptable, however, the divergence from the specification MUST be documented
- The organisation MUST define the sources, the maintenance procedures and approximate quality of the data about its users, and supply this documentation to the Federation.
- Uniqueness of the usernames MUST be guaranteed.
- One individual SHOULD NOT have more than one user account.
- Role accounts (such as 'director', 'secretary') SHOULD NOT be used.
- Use of attributes:
- Attribute implementations MUST follow the Attribute Specification.
- The Identity Provider MUST implement the following attributes:
- The Identity Provider SHOULD implement the following attributes:
- The IdP MUST ensure that eduPersonTargetedID and eduPersonPrincipalName are not re-assignable.
- Limitation of test accounts:
- all test accounts MUST be identified and documented along with the individual who is responsible for the test account
- real transactions MUST NOT be initiated by test accounts
- test accounts SHOULD be distinguished with appropriate homeOrganizationType value.
- User credentials (i.e. passwords) MUST NOT be transmitted over a public network in unencrypted form.
- If initial user passwords are distributed, it SHOULD be done through non-electronic form
- Changes in a user's affiliation to the institution MUST be propagated to the IdP database within 7 days
- If the authoritative source of user information is an external database (e.g. a student information system), then the above timeframe starts from the time of the change in the primary system.
- Students may use 'alum' affiliation after leaving the organisation. Values 'student' or 'member' MUST NOT be used afterwards.
- For faculty members and employees who leave the organisation, the affiliation values 'staff', 'employee', 'faculty' and 'member' MUST be revoked.
- The organisation MUST establish a role responsible for liaison with the Federation Operator.
- The organisation operating the Identity Provider MUST provide end-user support for its affiliated users and inform them of the availability of that support.
- The organisation MUST provide the following data to the Federation Operator as anonymous daily statistics about the Identity Provider usage:
- number of unique users;
- number of transactions initiated to each federation service;
- total number of logins.
- Any transaction including personal data MUST be logged and log files SHALL be kept for at least 30 days.
- The log files above MUST be treated in accordance with the applicable data protection laws.
- Cryptographic keys of the Identity Provider MUST be at least 2048 bits long.
- Private keys MUST be protected.
- In case of a key compromise, the Federation Operator MUST be notified within 24 hours.
- Use of self-signed certificates with a long expiration time is RECOMMENDED.
- Use of SAML:
- The Identity Provider MUST comply with the Interoperable SAML 2.0 Web Browser SSO Deployment Profile (http://saml2int.org)
- It is RECOMMENDED to support SAML2 Web Browser SSO Profile over HTTP Artifact Binding.
- It is RECOMMENDED to support SAML2 Single Logout Profile over HTTP Redirect and SOAP Bindings.
- All SAML endpoints of the Identity Provider SHALL be protected by HTTPS.
- All SAML endpoints of the Identity Provider MUST be under a DNS domain which is possessed by the operating organisation.
- All scopes used by the Identity Provider MUST be under a DNS domain which is possessed by the operating organisation.
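The endpoint and scope requirements above can be checked mechanically against an IdP's SAML metadata. The following is an added example written for this document, not a tool of the Federation; it uses a constructed metadata fragment for a placeholder organisation (example.edu) and only covers the HTTPS, endpoint-domain and scope-domain rules, not key length or saml2int conformance.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample metadata for a placeholder IdP; two violations are deliberately built in:
# the SLO endpoint is served over plain HTTP and one scope lies outside the organisation's domain.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="false">partner.example.org</shibmd:Scope>
    </md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def in_domain(host, org_domain):
    """True if host is org_domain itself or a subdomain of it (label boundary respected)."""
    host, org_domain = host.lower(), org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)

def check_idp_metadata(xml_text, org_domain):
    """Return a list of violation strings; an empty list means the checked rules are met."""
    root = ET.fromstring(xml_text)
    violations = []
    # Every SAML endpoint (any element carrying a Location) MUST be HTTPS and under the org's domain.
    for elem in root.iter():
        location = elem.get("Location")
        if location is None:
            continue
        tag = elem.tag.split("}")[-1]
        url = urlparse(location)
        if url.scheme != "https":
            violations.append(f"{tag}: endpoint not protected by HTTPS: {location}")
        if not in_domain(url.hostname or "", org_domain):
            violations.append(f"{tag}: endpoint host outside {org_domain}: {location}")
    # Every scope MUST be a literal value under the org's domain; regexp scopes cannot be verified here.
    for scope in root.iterfind(".//shibmd:Scope", NS):
        value = (scope.text or "").strip()
        if scope.get("regexp", "false").lower() == "true":
            violations.append(f"Scope uses regexp, domain not verifiable: {value}")
        elif not in_domain(value, org_domain):
            violations.append(f"Scope outside {org_domain}: {value}")
    return violations
```

Run `check_idp_metadata(SAMPLE_METADATA, "example.edu")` against the sample to see the two built-in violations reported.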