Extended eduID Service Definition

Extended information about the eduID service with regard to the Kantara identity framework:

Privacy, Identity Proofing & Verification, Renewal/Re-issuance, and Revocation and Termination Policies;

See the eduID general service description, privacy policy, SWAMID AL2 processes and the SWAMID 2.0 policy.

For credential Revocation:

To permanently revoke an eduID credential, the end user presses a button on the eduID dashboard.

The country in or legal jurisdiction under which the service is operated and under which Subscribers and relying parties enter into agreements with:

Sweden

Applicable legislation with which the eduID service complies:

Swedish law

Obligations incumbent upon the CSP:

The eduID service follows Swedish legislation and the Kantara IAF (Identity Assurance Framework).

Obligations incumbent upon each class of user of the service, e.g. Relying Parties, Subscribers and Subjects;

Subject and subscriber adhere to the eduID terms of use for the service.

Notifications and guidance for relying parties, especially in respect of actions they are expected to take should they choose to rely upon the service;

The SWAMID wiki, eduID privacy policy and help pages give guidance to the eduID relying parties and users.

Statement of liabilities toward Subscribers, Subjects and Relying Parties;

See the liability section in SWAMID policy 2.0.

Procedures for notification of changes to terms and conditions;

Users get a notification when they use the eduID service and the terms and conditions have changed. Users will also have to accept the new terms and conditions to be able to continue using the service.

Steps the CSP will take in the event that it chooses or is obliged to terminate the service;

In the event of the eduID service being terminated, all eduID users will be notified of the consequences of this decision and the actions that will be taken by Sunet in such an event.

Availability of the specified service per se and of its help desk facility.

See the eduID general service description for information about availability of the eduID service desk facility.

AL2 Assertion Attributes

eduID AL2 identity assertions are guaranteed to be associated with an identity verified according to Kantara IAF requirements. eduID maintains a record of the user identity and the proofing method used to verify the identity.

The following attributes are asserted and vouched for by eduID:

  • eduPersonPrincipalName (the unique ID and electronic identity)
  • Swedish Personal Identity Number (for Relying Parties who have applied for, and been given, authorization to access the Swedish Personal Identity Numbers)

The attributes Given Name, Surname and Display Name are provided by the Subscriber and are not verified by eduID.

eduID information security management system

The eduID service follows VR and SUNET's information security practices.

Information Security Management

All other security-relevant administrative, management, and technical policies and procedures are documented or referenced in the eduID policy document (not a publicly available document) under the Information Security Management section.