Session Abstract

As the federations grow and get interconnected, a Service Provider has end users coming potentially from thousands of Identity Providers in several countries. For an Identity Provider administrator, this imposes a difficult requirement of being able to assess the Service Provider abroad and decide whether to release attributes to it. Scalability becomes an issue, if the Identity Provider administrator needs to evaluate the Service Providers one-by-one.

A major reason for Identity Providers' reluctance to release attributes are the privacy laws. The Identity Provider hesitates to take any legal risks when it releases user attributes to the SP without knowledge of the SP's specific practices. On the other hand, collaborations are often very spontaneous and the users are not willing to wait. Researchers collaborate and use shared research tools and datasets in an international community.

eduGAIN, the European project for interconnecting the academic identity federations, has studied ways to satisfy the European data protection directive in attribute release. REFEDS, the global organisation for academic identity federations, has established a workgroup to facilitate easy sharing of user. In 2011, the two workgroups joined their forces to establish common Code of Conduct for privacy issues in an (inter)federation. The proposed session presents the approach adopted in the Code of Conduct.