PEANO Federation

Policy

1. Disclaimer

Association of users of Ukrainian Research and Academic Network URAN (hereinafter referred to as URAN Association) cannot accept any liability for any loss or damage resulting from the use of the material contained herein. The information is believed to be correct but no liability can be accepted for any inaccuracies.

2. General provisions

PEANO Federation for Certifying Electronic Accounts (Identity Federation) for Science and Education (hereinafter referred to as PEANO Federation) is a consortium of organizations (legal entities) founded by URAN Association without the formation of a separate legal entity. The main goal of PEANO Federation is facilitation of access to distributed electronic resources for the members of the Federation.

The Federation consists of the following three (3) categories of entities:

  1. Identity Providers: entities (e.g. academic foundations, research institutes etc.) that authenticate their users and certify their identity. Additionally, they may send limited user data to Service Providers.
  2. Service Providers: entities that provide services to the users of the academic, research and educational community. They may receive individual user data from Identity Providers, with their permission, for user authorisation and to provide personalised services.
  3. Federation Coordinator: an entity that manages the processes of integration and withdrawal of members from the Federation and coordinates the cooperation between them, monitors the compliance of members with the Federation’s Policy, maintains the necessary infrastructure for the operation of the Federation and promotes the development of services for the academic, research and educational community. URAN Association is defined as the Coordinator of PEANO Federation.

Through PEANO Authentication and Authorisation Infrastructure (PEANO Infrastructure), users of the Federation can receive services in a secure and confidential manner, by using only their institutional account. For access to the Service Providers, the end user does not need to remember additional or specific user names or passwords anymore. As long as he/she is a user of an affiliated organization - Identity Provider, he/she may apply via the federative connection and use services on the basis of his/her status within the home organization.

The PEANO Federation participates in eduGAIN (Education and Global Authentication Infrastructure), the GÉANT inter-federation service that interconnects identity federations around the world, simplifying access to content, services and resources for the global research and education community. As an eduGAIN participant, the PEANO Federation hereby declares that it will comply with the eduGAIN Policy Framework (see eduGAIN Policy Declaration, .pdf, 911 k).

3. Requirements for participation in the Federation

Identity Providers and Service Providers are able to join or leave the Federation by applying to the Coordinator. Participation in the Federation requires agreement with this Policy and compliance with the terms and conditions presented herein that arise from it.

In the Federation only URAN Association and its members can participate as Identity Providers. Each institution may take part with a single Identity Provider in the PEANO Infrastructure.

Any organization can participate in the Federation as a Service Provider of one or more services provided that these services promote the academic, research or educational work.

URAN Association and its members can act both as Identity and Service Providers at the same time.

In the case the Service Provider does not also participate as an Identity Provider, it is necessary for at least one Identity Provider to express to the Coordinator an interest in accessing the particular service.

The minimal technical requirements for being able to be affiliated to the PEANO Infrastructure are described in the Technical Rules of the PEANO Federation issued by the Federation Coordinator. The Coordinator reserves the right to alter the Technical Rules at any time. The alterations are published on the website of the Federation and come into effect two months after their notification via e-mail by the Coordinator.

4. Role and obligations of the Federation Coordinator

The Coordinator provides and maintains the PEANO Infrastructure which enables authentication and authorization of users and interaction between Identity Providers and Service Providers.

As provider of the federative service, the Coordinator commits to:

  1. provide the PEANO Infrastructure and the federative service, as described in the Technical Rules;
  2. carry out repairs and reconfiguration as quickly as possible in case of temporary breakdown of the PEANO Infrastructure or possible malfunctioning of the federative service;
  3. maintain the website of the Federation;
  4. notify in time by e-mail all parties of adaptations to the Technical Rules and publish these on the website of the Federation;
  5. inform all parties in time, in case of adaptations and upgrades of the federative service;
  6. put the service provision on hold with regard to a party which does not comply with the contractual obligations, and terminate the membership in the Federation with regard to a party which does not comply with an essential contractual obligation.

5. Role and obligations of the Identity Provider

The Identity Provider executes the authentication of users of its institution. The Identity Provider is not only responsible for establishing a person’s identity, but also for the content of user’s personal data contained in his attributes.

The Identity Provider commits to:

  1. assign an appropriate authorized person responsible for the technical operation and inform the Coordinator about him/her;
  2. accept and adhere to the Technical Rules of the PEANO Federation;
  3. obtain the end user’s unambiguous permission to process his/her personal data and to exchange it with service providers of the PEANO Federation;
  4. keep the data of the attributes concerning the end users complete, exact and up to date;
  5. allow the Coordinator to audit the automated information authentication system and procedures of entering user credentials.

6. Role and obligations of the Service Provider

The Service Provider provides services to users of the affiliated organizations. Authorization of the access to those services is performed by the Service Provider on the basis of authentication executed by the Identity Provider. Due to the federative service, it is not necessary that the service providers still store or manage the identity data, which have been forwarded by the Identity Providers.

The Service Provider commits to:

  1. assign an appropriate authorized person responsible for the technical operation and inform the Coordinator about him/her;
  2. accept and adhere to the Technical Rules of the PEANO Federation;
  3. respect the intellectual rights and rights of third parties applicable to the services.

7. End-user support

End-user support is implemented by the Identity Provider’s service desk and not by the Service Providers or the Coordinator. For this purpose, Identity Providers must inform the Coordinator of the user support contact point (e-mail address and/or telephone number). This contact point may be announced on the website of the Federation as well as be published in any other way.

Both Identity Providers and Service Providers must keep the Coordinator informed about the technical/administrative contact points. These data are communicated to the Federation members but may not be posted on the website of the Federation.

In the case that a problem resides with a Service Provider, the Identity Providers’ administrators may contact the Service Provider directly, without the mediation or assistance of the Coordinator.

8. Protection of personal data

Members of the Federation are obliged to protect the personal data of the end users and commit themselves to execute the processing of the personal data needed for the functioning of the Federation, in compliance with the Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28.01.1981, Additional Protocol to the Convention 108 regarding supervisory authorities and transborder data flows, Strasbourg, 08.11.2001, Law of Ukraine On protection of personal data (Закон України Про захист персональних даних) of June 1st 2010 No 2297-VI and other current legislation.

The Identity Providers must ensure the legitimate and safe personal data transmission to the Service Providers while the Service Providers, in turn, must use and store the minimal personal data that is required for the proper functioning of their services in accordance with the currently existing legal framework.

The Coordinator assumes no responsibility for compliance with these obligations because the Coordinator does not distribute or retain users’ data through the PEANO Infrastructure: the transmission of data is carried out directly from the Identity Providers to the Service Providers.

9. Abuse

In the case that the Identity or Service Provider is violating requirements of this Policy and if it is deemed that such a violation may result in a security breach and possibly in a personal data leakage, the Coordinator may temporarily suspend the provider’s access to the Federation.

In case of abuse, the affected party may request compensation from the Identity or Service Provider which is responsible for the loss of personal data or any other possible damage. Courts of Ukraine are responsible for resolving disputes. The affected parties may notify the Coordinator about the dispute; however, its actions in relation to their participation in the PEANO Infrastructure remain at its discretion.

10. Force majeure

None of the parties will be responsible for the failure to commit to this Policy, if such failure is caused by Force Majeure. A Force Majeure is an event beyond the reasonable control of a party which makes that party’s performance impossible or so impractical as reasonably to be considered impossible and includes, but is not limited to war, riot, civil disorder, earthquake, fire, explosion, flood or other adverse weather conditions, strikes, or confiscation or any other action by governments.

11. Applicable law

The Ukrainian law applies to disputes with regard to the compliance with the provisions of this Policy.

12. Acknowledgments

This work is based on the

Special gratitude to Peter Schober, ACOnet (Austrian Academic Computer Network) for consultations and discussions in the preparation of this document