The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

FederationPolicyTemplate

Owned by Scott Cantor
Last updated: Dec 22, 2006Version comment
2 min read

Federation Policy Template

This template is intended to provide a basis for your own federation policy for federations operated at low levels of trust only, and is meant only to provide basic guidance as to subjects to discuss. There is no discussion of liability, indemnification, or other sticky subjects. Legal advice should always be consulted when valuable data is at risk.

-------

FederationName Policies

This set of policies serves as guidelines both for FederationName and for identity providers and service providers participating in it. All identity providers and service providers are urged to carefully consider the limitations of this trust framework before releasing user information or making resources available via the Federation. The Federation can provide no assurance that any of its providers were properly identified or that information sent by any provider is accurate. The decision whether to trust a relying party always rests on the provider itself, and the Federation provides only guidance.

Participation

FederationName is a low-level of assurance federation, and provides only limited identity checking of providers. In joining FederationName, a provider will make a good faith effort to maintain a policies statement describing their use of Shibboleth. The Federation will also make reasonable attempts to ensure that providers represent themselves properly and accurately.

Data Management

By participating, identity providers agree that all attributes sent to service providers in the Federation to the best of their knowledge accurately represent information about the authenticated individual accessing the service provider resource.

Service providers agree to dispose of all received attributes properly by not mis-using them, aggregating them, or sharing them with other organizations.

The Federation will keep the metadata and associated signing key well secured.

Security Management

FederationName is responsible for including certificate information that allows providers to authenticate one another. This may be done using a set of root certificates for issuers from which server certificates may be obtained, or by imbedding certificates supplied by providers directly in FederationName metadata. FederationName makes no further effort to validate these certificates itself or ensure that corresponding private keys are well protected.

The list of certificate authorities recognized by FederationName is:

  • Your CA's Here

Attributes

The FederationName Federation specifies a set of attribute definitions to support basic attribute-based authorization.

Attribute assertions issued or received by FederationName members including eduPerson attributes should conform to the syntax and semantics defined by the eduPerson 200604 specification.

  • urn:mace:dir:attribute-def:eduPersonEntitlement
  • urn:mace:dir:attribute-def:eduPersonPrincipalName
  • urn:mace:dir:attribute-def:eduPersonScopedAffiliation

If a Federation member sends or receives an Attribute Assertion containing the FederationName policy URI and referencing one of the listed attributes, the syntax and semantics of the associated attribute value should conform to the definitions specified in the relevant IETF RFCs.

  • urn:mace:dir:attribute-def:cn
  • urn:mace:dir:attribute-def:sn
  • urn:mace:dir:attribute-def:telephoneNumber
  • urn:mace:dir:attribute-def:title
  • urn:mace:dir:attribute-def:initials
  • urn:mace:dir:attribute-def:description
  • urn:mace:dir:attribute-def:carLicense
  • urn:mace:dir:attribute-def:departmentNumber
  • urn:mace:dir:attribute-def:displayName
  • urn:mace:dir:attribute-def:employeeNumber
  • urn:mace:dir:attribute-def:employeeType
  • urn:mace:dir:attribute-def:preferredLanguage
  • urn:mace:dir:attribute-def:manager
  • urn:mace:dir:attribute-def:roomNumber
  • urn:mace:dir:attribute-def:seeAlso
  • urn:mace:dir:attribute-def:facsimileTelephoneNumber
  • urn:mace:dir:attribute-def:street
  • urn:mace:dir:attribute-def:postOfficeBox
  • urn:mace:dir:attribute-def:postalCode
  • urn:mace:dir:attribute-def:st
  • urn:mace:dir:attribute-def:givenName
  • urn:mace:dir:attribute-def:l
  • urn:mace:dir:attribute-def:businessCategory
  • urn:mace:dir:attribute-def:ou
  • urn:mace:dir:attribute-def:physicalDeliveryOfficeName

If a Federation member sends or receives an eduPersonEntitlement attribute in a SAML assertion containing the FederationName policy uri and containing one of the listed values, the syntax and semantics of the associated attribute value should conform to these definitions:

  • urn:mace:incommon:entitlement:common:1 - The person possesses an eduPersonAffiliation value of faculty, staff, or student, or qualifies as a "library walk-in".

Your Attributes Here

%COMMENT%