...

Besides the formal requirements and recommendations of REFEDS R&S, it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

GÉANT/REFEDS Data Protection Code of Conduct


Definition

The GÉANT Data Protection Code of Conduct (CoCo) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information, please see GEANT Data Protection Code of Conduct.

...

  • Well-functioning SAML2 metadata for the service with an entityID in URL form.
  • Display name for the Service in English and preferably also in Swedish for use in Identity Providers' login pages and Discovery Services.
  • Short description of the Service in English and preferably also in Swedish for use in Identity Providers' login pages and Discovery Services.
  • Required attributes of the Service
  • Mail address to the technical and/or support contact for the service.
  • Organisation name of the organisation delivering the service
  • URL to the organisation delivering the service.
  • URL to an informational web page that describes the service in English and preferably also in Swedish.
  • URL to a publicly accessible web page (not a PDF document) with the service privacy policy in English and preferably also in Swedish. A privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
    • the name, address and jurisdiction of the Service Provider;
    • the purpose or purposes of the processing of the Attributes;
    • a description of the Attributes being processed;
    • the third party recipients or categories of third party recipient to whom the Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
    • the existence of the rights to access, rectify and delete the Attributes held about the End User;
    • the retention period of the Attributes; and
    • a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.
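
As an added illustration (not SWAMID's own tooling), the registration items above can be checked against a service's SAML metadata before it is submitted. The mapping of each item to `mdui:UIInfo`, `md:Organization`, `md:ContactPerson` and `md:RequestedAttribute` elements is an assumption of this example, as is the constructed sample with its placeholder host `sp.example.org`.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample, trimmed to the elements the checks read (not schema-complete).
# It has only a Swedish description and no privacy policy URL: two findings expected.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.org/sp">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo>
   <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
   <mdui:Description xml:lang="sv">Exempel</mdui:Description>
   <mdui:InformationURL xml:lang="en">https://sp.example.org/about</mdui:InformationURL>
  </mdui:UIInfo></md:Extensions>
  <md:AttributeConsumingService index="0">
   <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
  </md:AttributeConsumingService>
 </md:SPSSODescriptor>
 <md:Organization><md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
  <md:OrganizationURL xml:lang="en">https://example.org/</md:OrganizationURL></md:Organization>
 <md:ContactPerson contactType="technical">
  <md:EmailAddress>mailto:ops@sp.example.org</md:EmailAddress>
 </md:ContactPerson>
</md:EntityDescriptor>"""

def lint(xml_text):
    """Return the registration items from the list above that the metadata lacks."""
    root = ET.fromstring(xml_text)  # for untrusted metadata, parse with defusedxml instead
    def has(path, lang=None):
        # True if a non-empty element exists at path (with xml:lang == lang, if given)
        return any((e.text or "").strip() and lang in (None, e.get(XML_LANG))
                   for e in root.iterfind(path, NS))
    eid = urlparse(root.get("entityID", ""))
    contact = any(c.find("md:EmailAddress", NS) is not None for c in root.iterfind(
        "md:ContactPerson", NS) if c.get("contactType") in ("technical", "support"))
    checks = [
        ("entityID in URL form", eid.scheme in ("http", "https") and bool(eid.netloc)),
        ("English display name", has(".//mdui:DisplayName", "en")),
        ("English description", has(".//mdui:Description", "en")),
        ("required attributes", root.find(".//md:RequestedAttribute", NS) is not None),
        ("technical/support contact mail", contact),
        ("organisation name", has("md:Organization/md:OrganizationName")),
        ("organisation URL", has("md:Organization/md:OrganizationURL")),
        ("English information URL", has(".//mdui:InformationURL", "en")),
        ("English privacy policy URL", has(".//mdui:PrivacyStatementURL", "en")),
    ]
    return [label for label, ok in checks if not ok]
```

The check only confirms that a privacy policy URL is published in metadata; the required contents of the policy itself still need to be reviewed on the page it points to.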

...