Alistair Young wrote:

> So it's the value of NameIdentifier. It's the correspondence between that and the end user.
> The way I see it, the logging is a UK federation extension to the
> Shibboleth profile

No, really, it's not. There's an underlying assumption that the assertions you issue contain some identifier that can be used to provide accountability at a later date, but that's all. That's not a profile extension.

> so it would make sense to document the procedure for
> fulfilling that clause. Whether it's automatic (unlikely) or via some
> documented inter-entity process, e.g. "SP admin should email value of
> NameIdentifier to technical contact at IdP, who should respond with
> whatever user details are required".

Clause 6.5 doesn't discuss the actual procedure for pursuing errant users. It merely asks you to assert that you keep enough information that, if necessary, you would be able to hold a user accountable for their actions at a later date.

The Rules only really discuss the question of enforcement in 3.5, where you agree to "give reasonable assistance". How you do that is largely between you and the other party; the Rules don't cover it. You're more likely to find such things in the contracts you hold with the service providers.

> That's another Q - how much user information to release to the SP admin?
> Should it be released to the SP admin or should the IdP "deal with the
> situation"?

Again, not discussed in the Rules but may be part of your contract with the SP.

My opinion: I would expect that you'd want to have the option to deal with minor infractions internally, as handing over personal information just because the SP says they want it might well open you to legal liability yourselves.

You may find that re-reading section 4 of the federation's "Recommendations for Use of Personal Data" (Logfiles) will answer some of these questions.

-- 
Ian