Versions Compared

Requirements from Research and Scholarship SPs on an IdP of Last Resort

  1. The IdP must support the R&S entity category and be tagged as such (Note: Requirements 2, 3 and 4 are implied by the terms of R&S).
  2. It must have the ability to assign/assert ePPNs.
  3. It must have the ability to assign/assert ePTIDs or provide a SAML2 persistent NameID if ePPNs are re-assignable.
  4. It must accept SP requests for authentication contexts via the standard SAML2 Authentication Request Protocol.
    1. This is for InCommon Bronze, as well as Silver and MFA, if supported.
  5. It must support SAML Enhanced Client or Proxy (ECP).
  6. It must support user self-registration, incorporated into the sign-in flow so that a new user is not stranded at the IdP.
  7. The user registers once for sign-in to multiple Research and Scholarship (R&S)-tagged SPs (i.e., the user identity is not SP-specific).
  8. Once the user has authenticated at the IdP, the user is not prompted for a password again when visiting other SPs during the same browser session, unless required by the SP.
  9. in a manner that lets the user know what, if any, further steps are required before they can authenticate to the SP they were initially trying to access.
  10. User sessions at the IdP should have a reasonable default duration, allowing multiple SPs to leverage the same user session when that is appropriate to the context.
  11. The IdP operator must address the service longevity issue (even if for now the response is "TBD").
  12. It must support the Recommended Technical Basics for IdPs (as of May 2015, with future development of the recommendations accommodated as possible, and in negotiation with InCommon).
  13. It must conform to the 'Interoperable SAML 2.0 Web Browser SSO Deployment Profile' as documented at http://saml2int.org.
  14. It must be certified for InCommon Bronze (self-assertion of InCommon Bronze compliance, as of May 2015, with future development of the recommendations accommodated as possible, and in negotiation with InCommon).
  15. The IdP must have no commercial interest in the use of user data.
  16. The IdP must be available globally: by design, a service available to any R&S-tagged SP needing an IdPoLR (assuming the SP's federation supports R&S and eduGAIN), and to users throughout the world (perhaps with invitation from "approved" projects).
    1. NOTE: This can only be achieved at the federation level, not unilaterally by an IdP.
  17. There must be no charges to the user for use of the IdPoLR service.
  18. The IdPoLR service shall employ techniques to minimize system failures and ensure that any failures are not likely to result in inaccurate assertions being sent to SPs.
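As an added example, not from the original page or from any IdPoLR implementation: a small Python check that an SP could run over a received assertion (after signature and audience validation) to confirm requirements 2, 3 and 4 above. The eduPerson attribute OIDs, the persistent NameID format and the InCommon Bronze context URI are standard identifiers; the sample assertion and every value in it are constructed placeholders.

```python
# Added example, not part of the original page: check a SAML 2.0 assertion against
# requirements 2, 3 and 4 above (ePPN, ePTID or persistent NameID, requested authn context).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"    # eduPersonPrincipalName
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BRONZE = "http://id.incommon.org/assurance/bronze"  # InCommon Bronze assurance URI

def attribute_values(root, name):
    """Values of every <saml:Attribute Name=name>; ePTID values are nested NameID elements."""
    vals = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for v in attr.iterfind("saml:AttributeValue", NS):
            nameid = v.find("saml:NameID", NS)
            vals.append(((nameid.text if nameid is not None else v.text) or "").strip())
    return [v for v in vals if v]

def check_idpolr_assertion(xml_text, requested_context):
    """Return pass/fail per requirement for one (already signature-verified) assertion."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    persistent_ok = nameid is not None and nameid.get("Format") == PERSISTENT
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "eppn": bool(attribute_values(root, EPPN_OID)),
        "eptid_or_persistent_nameid": bool(attribute_values(root, EPTID_OID)) or persistent_ok,
        "authn_context": ctx is not None and (ctx.text or "").strip() == requested_context,
    }

# Constructed sample assertion; identifiers are placeholders, not real users or entities.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">p-7f3a</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>http://id.incommon.org/assurance/bronze</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@idpolr.example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_idpolr_assertion(SAMPLE, BRONZE))  # all three True for the sample
```

The sample carries no ePTID, so requirement 3 is satisfied only through the persistent NameID; swap the NameID Format to a transient one and that check fails.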

The following criteria are highly desirable, but not required.

  1. Publishes aggregate usage statistics to give feedback to campus IT on use by their constituency (i.e., to motivate the campus to participate in R&S so that campus users no longer need the IdPoLR)
  2. Support for user consent
  3. Support for Silver credentials and authN (to be combined with local identity vetting to achieve Silver LoA)
  4. Low/no cost to SPs for use
  5. No cost for users
  6. Accepts non-ASCII characters (e.g., uses UTF-8 as the default encoding) in user-entered data
  7. Support for some form of multi-factor authentication that is low/no cost for users
