Joining - Frequently Asked Questions


1. Does some sort of document need to be signed by the end-user about what attributes will be released to a Service Provider, or would our Policy document be sufficient?
Related to clause 8.4 of the AAF Rules for Participants

A paragraph in your Policy document will be sufficient. Normally universities have a number of policies and conditions of use that students and staff agree to as a condition of enrollment/employment. In addition, the AAF is making every effort to provide tools that allow users to know and have some control over the attributes that are released about them to Service Providers.

2. What period is specified by the Federation for the retention of logs by an Identity Provider?
Related to clause 8.8 of the AAF Rules for Participants

Logs should be retained by an Identity Provider for 24 months.

3. In what circumstance would an end-user need to transfer their auEduPersonSharedToken to another Identity Provider?
Related to clause 8.10 of the AAF Rules for Participants

The most common example is when a research staff member leaves one university for another but still needs to (and is authorised to) access data, computing grids, instruments, or services they used previously. The auEduPersonSharedToken is the unique, persistent identifier that tells these services it's the same person as before. It's also possible for one person to be working at more than one university at the same time and to use the same auEduPersonSharedToken at both. The request would need to be initiated by the user, as they would be the only one to know they had joined a new university. It would involve an administrative verification process between the two universities, which could simply be paper based.