Connecting a Shibboleth Service Provider
As the operator of a data-receiving system, you are obliged by the GDPR to create a register of processing activities. Based on this document, an attribute release is created for your service provider.
Record of Processing Activities of the Controller Pursuant to Art. 30(1) GDPR
If you intend to operate a service provider, you are required, as the controller of that service provider, to prepare various data protection documents for your system. In any case, you must be able to provide a Record of Processing Activities of the Controller pursuant to Art. 30(1) GDPR. For advice on whether additional documentation may be required and, if so, which documents are necessary, please contact the Data Protection Staff Unit of the RWTH.
Instructions for completing the directory:
From an identity management perspective, the following information is particularly important. For all other fields, you are welcome to contact the data protection office for advice.
- Please enter the entity ID of the service provider when naming the processing activity.
- The person responsible for the system must be listed under "Angaben zur verantwortlichen Einrichtung/Organisationseinheit". "Angaben zum ggf. gemeinsam mit diesem Verantwortlichen" is not applicable if the responsibility for the system lies with an organizational unit.
- Enter the attributes you consider necessary with the corresponding designations and also the data you have collected in your service in the "Description of the categories of personal data" field in the document. Please use the attribute description from the "Technical description" column in our documentation "Explanation of attributes".
Example for the documentation of requested Shibboleth attributes:
In the RWTH Intranet you will find a selection of possible processing activities in organizations.
Signature: The VVT must be signed by the head of the responsible facility.
Read more:
