The Data Protection Code of Conduct (CoCo) enables safe attribute release between Identity and Service Providers within the EU.
The following steps explain how to support the Code of Conduct for a Service Provider.
- Read and understand the GÉANT Data Protection Code of Conduct for SPs:
  - GÉANT Data Protection Code of Conduct for Service Providers
  - For a more complete presentation of the Code of Conduct, see the TNC2013 Code of Conduct presentation or the memorandum prepared for the Article 29 Working Party
- SP's jurisdiction:
  - Is the SP established in the EU/EEA, or in a country/jurisdiction with adequate data protection (the EC white-list)?
  - The GÉANT Data Protection Code of Conduct for SPs in EU/EEA is only applicable to those SPs
- Find out whether the organization that is responsible for the SP is comfortable committing to the GÉANT Data Protection Code of Conduct for SPs:
  - As an SP administrator, you may need to ask someone above you in your organization
  - Remember: in many cases there is nothing to worry about, because in EU/EEA countries many of the CoCo requirements are already mandated by data protection law
- Develop a list of the attributes that are necessary for enabling access to the service
- Provide a name and description for the service:
  - There must be at least an English name and description
  - Choose names that are meaningful for an end user who might not be familiar yet with the service
  - Good example:
    - Name: University of Tübingen's WebLicht tool for linguistics research
    - Description: WebLicht is a chaining tool for linguistics research. It provides an execution environment for automatic annotation of text corpora.
  - Bad example:
    - Name: Finna
    - Description: Public Interface Finna.
- Develop and publish a privacy policy document:
  - It must contain a link to the GÉANT Data Protection Code of Conduct: http://www.geant.net/uri/dataprotection-code-of-conduct/v1
  - There must be at least an English version available
  - It is recommended to write the document using this template: Privacy Policy Guidelines for Service Providers
- Ensure that the Service Provider is registered in your federation/eduGAIN with the following SAML 2.0 metadata elements:
  - the Entity Category attribute for the Code of Conduct
  - mdui:PrivacyStatementURL
  - a list of md:RequestedAttribute elements
  - mdui:DisplayName (recommended)
  - mdui:Description (recommended)
  - For details of these elements, see the SAML 2.0 profile for the Code of Conduct
  - How these elements are registered depends on your local federation
- Below is an example of what the metadata looks like for a Service Provider that supports the GÉANT Code of Conduct.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://filesender.example.org/">
  <Extensions>
    <EntityAttributes xmlns="urn:oasis:names:tc:SAML:metadata:attribute">
      <!-- The entity category attribute announcing Code of Conduct support -->
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                 Name="http://macedir.org/entity-category"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</AttributeValue>
      </Attribute>
    </EntityAttributes>
  </Extensions>
  <!-- protocolSupportEnumeration is mandatory on every role descriptor in the SAML 2.0 metadata schema -->
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <UIInfo xmlns="urn:oasis:names:tc:SAML:metadata:ui">
        <!-- At minimum an English display name and a description -->
        <DisplayName xml:lang="fi">FileSender</DisplayName>
        <DisplayName xml:lang="en">FileSender</DisplayName>
        <Description xml:lang="fi">FileSender tarjoaa helpon tavan jakaa suuria tiedostoja.</Description>
        <Description xml:lang="en">FileSender offers an easy way to share large files with anyone.</Description>
        <!-- This URL must point to a privacy statement that includes a link to the
             GEANT Code of Conduct (http://www.geant.net/uri/dataprotection-code-of-conduct/v1) -->
        <PrivacyStatementURL xml:lang="fi">https://filesender.example.org/privacy-fi.html</PrivacyStatementURL>
        <PrivacyStatementURL xml:lang="en">https://filesender.example.org/privacy-en.html</PrivacyStatementURL>
      </UIInfo>
    </Extensions>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://filesender.example.org/saml/acs" index="1"/>
    <!-- The schema requires an index and at least one ServiceName on AttributeConsumingService -->
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">FileSender</ServiceName>
      <!-- The attributes the service needs; the Code of Conduct requires this list to be published -->
      <RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
                          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>
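As an added example (not part of this page or of the GÉANT material), a small Python check that an SP administrator or federation operator can run over an SP's metadata before registration: it reports which of the Code of Conduct elements listed above are missing. The entity ID, service name and URLs in the embedded sample metadata are constructed for the test.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def check_coco_metadata(xml_text):
    """Return the problems found; an empty list means every element listed above is present."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. Entity category attribute whose value is the Code of Conduct URI
    values = root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute"
                          f"[@Name='{ENTITY_CATEGORY}']/saml:AttributeValue", NS)
    if not any((v.text or "").strip() == COCO_V1 for v in values):
        problems.append("missing Code of Conduct entity category")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor"]
    # 2. mdui elements: an English PrivacyStatementURL is required,
    #    English DisplayName and Description are recommended
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    for tag, level in (("PrivacyStatementURL", "missing"),
                       ("DisplayName", "recommended"), ("Description", "recommended")):
        elems = ui.findall(f"mdui:{tag}", NS) if ui is not None else []
        if not any(e.get(XML_LANG) == "en" and (e.text or "").strip() for e in elems):
            problems.append(f"{level}: English mdui:{tag}")
    # 3. The attributes the SP needs must be published as md:RequestedAttribute
    if not sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
        problems.append("no md:RequestedAttribute listed")
    return problems


# Constructed sample metadata for a fictitious SP; it passes every check above.
SAMPLE_OK = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/">
<Extensions><EntityAttributes xmlns="urn:oasis:names:tc:SAML:metadata:attribute"><Attribute
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category">
<AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</AttributeValue>
</Attribute></EntityAttributes></Extensions>
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions><UIInfo xmlns="urn:oasis:names:tc:SAML:metadata:ui"><DisplayName xml:lang="en">Example SP</DisplayName>
<Description xml:lang="en">A constructed example service.</Description>
<PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy.html</PrivacyStatementURL></UIInfo></Extensions>
<AttributeConsumingService index="1"><ServiceName xml:lang="en">Example SP</ServiceName>
<RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
</AttributeConsumingService></SPSSODescriptor></EntityDescriptor>"""
```

Run `check_coco_metadata(open("sp-metadata.xml").read())` against the metadata you intend to submit; anything it returns must be fixed before the federation will accept the entity as a Code of Conduct SP.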