Assurance certification: Accountable Users

This webpage defines an assurance certification "Accountable Users". Organizations which self-assert that they offer user accountability can request to have this assurance certification attribute added to their IdP.

The assurance certification URI is

https://ukfederation.org.uk/assurance/accountable-users
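The label is published as an entity attribute on the IdP's entry in the federation metadata. As an added example (not part of the UK federation's own tooling), the Python below parses a constructed metadata aggregate and lists the IdPs that self-assert user accountability; it assumes the standard SAML assurance-certification entity attribute name and the usual md/mdattr/saml namespaces, none of which the page itself states.

```python
import xml.etree.ElementTree as ET

ACCOUNTABLE_USERS = "https://ukfederation.org.uk/assurance/accountable-users"
# Entity attribute that carries assurance certifications (SAML V2.0 Identity
# Assurance Profiles); assumed here, the page names only the URI value.
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def assurance_certifications(entity):
    """Set of assurance-certification values declared on one md:EntityDescriptor."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            for val in attr.findall("saml:AttributeValue", NS):
                if val.text and val.text.strip():
                    values.add(val.text.strip())
    return values

def accountable_idps(metadata_xml):
    """entityIDs of IdPs in an aggregate (or a single entity) that carry the label."""
    root = ET.fromstring(metadata_xml)
    found = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        # The label is meaningful on IdPs only; entities without an IdP role are skipped.
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue
        if ACCOUNTABLE_USERS in assurance_certifications(entity):
            found.append(entity.get("entityID"))
    return found

# Constructed sample aggregate: idp-a self-asserts user accountability, idp-b does not.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://idp-a.example.ac.uk/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
    <saml:AttributeValue>https://ukfederation.org.uk/assurance/accountable-users</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-b.example.ac.uk/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Calling `accountable_idps(SAMPLE_AGGREGATE)` returns only idp-a's entityID; an SP deciding whether to release a resource can run the same check against the real federation aggregate.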

Rules applying to End User Organisations that offer user accountability

The text below is taken from [[https://www.ukfederation.org.uk/library/uploads/Documents/rules-of-membership.pdf | Section 6 of the UK federation Rules of Membership, Version 2.5, January 2022]]. If there is a discrepancy between this text and the Rules of Membership, the version of the Rules of Membership currently in force is the definitive document.

6.1. Where End User Organisations have the technical and organisational means to match use of services provided by Service Providers to individual End Users, then the End User Organisation may either upon enrolment or at any time thereafter, declare this to the Federation Operator which will then publish this declaration in the Metadata. Once the End User Organisation has made this declaration, it must comply with the provisions of this Section 6 in respect of those Systems and End Users covered by the declaration. The End User Organisation acknowledges that where it is unable or unwilling to make this declaration this may affect access for End Users to Service Providers’ services or resources. [note 3]

6.2. The End User Organisation must have a documented process for issuing credentials that may give access to Service Providers’ services or resources. This documentation must be made available on request to Service Providers to whom the End User Organisation is, or is planning to, provide access management information.

6.3. The End User Organisation must use reasonable endeavours to provide those End Users in respect of whom the End User Organisation provides Attributes with appropriate information on how to use their credentials safely and securely.

6.4. The End User Organisation must ensure that accurate information is provided about such End Users. In particular:

6.4.1. credentials of End Users who are no longer members of the organisation must be revoked promptly, or at least no Attributes must be asserted for such End Users to the Federation;

6.4.2. where unique persistent Attributes (e.g. eduPersonTargetedID or eduPersonPrincipalName) are associated with an End User, the End User Organisation must ensure that these Attribute values are not re-issued to another End User for at least 24 months after the last possible use by the previous End User;

6.4.3. where an End User’s status, or any other information described by Attributes, changes, the relevant Attributes must be also changed as soon as possible.

6.5. The End User Organisation must ensure that sufficient logging information is retained to be able to associate a particular End User with a given session that it has authenticated. This information must be kept for a minimum of three months to enable misuse to be investigated but no longer than six months or such other period agreed with the Service Provider, subject always to the principles of the Data Protection Act 2018.

6.6. The End User Organisation will be responsible for the acts or omissions of any End User they authenticate and they must ensure that complaints about those End Users are dealt with promptly and effectively.

6.7. When using services or resources provided by Service Providers, the End User Organisation must ensure that End Users abide by the licences or other agreements in relation to those services or resources, as well as rules and policies set by their own organisation, by any Identity Provider that makes statements about them (if different from the End User’s own organisation), and by the network(s) they use to access those services or resources. If an End User is subject to conflicting policies then the more restrictive policy will apply.

Note 3: This optional section contains a number of rules relating to the ability to distinguish individual End Users, either to store their preferences from one session to the next, or to hold them accountable for any misuse of a resource. The requirements of the section are similar to those contained in the Jisc model licences and the Jisc Collections Terms and Conditions. It is expected that many Service Providers will find it useful or essential for Identity Providers to satisfy these requirements: for example rule 6.4.2 – that if persistent identifiers (such as usernames) are reused there must be at least a two year gap between different users having the same identifier – allows service providers to manage their own systems to prevent information stored by one user being disclosed to another.

Identity Provider entities indicated by their owners as satisfying all this section’s rules are marked by a label in the Federation metadata. A member may use different identity provider entities if it wishes to assert accountability for some users, but not all. [referenced from section 6.1]