General description of SAML2 WebSSO
The service contains authentication of users issued with an electronic SMHI identity, and transfer of attributes concerning the authenticated user. The service provider is a member of SWAMID, the Swedish identity federation for research and higher education. The service is configured following policies, regulations and other rules defined by SWAMID.
About the service and its limitations
SMHI guarantees a level of service and availability according to SMHI’s needs and expectations. The process for issuing, terminating and maintaining electronic SMHI identities is documented in SMHI’s Identity Management Practice Statement. SMHI follows SWAMID’s recommendations for sharing of attributes based on entity categories.
SMHI reserves the right to change the actually issued attributes in communication with a service provider, regardless of what is recommended by SWAMID concerning the entity category the service provider is placed in.
Use of SMHI’s computer network is intended to facilitate regular work. Other uses may be permitted provided that they do not interfere with regular work or harm SMHI in any way. For employees and other professionals, the line manager is responsible for assessing what use is permitted.
- All uses of user accounts and computer networks should follow Swedish law and regulations.
- User accounts, passwords and codes are personal and may only be used by the owner.
- Users should change password without delay on any suspicion or knowledge that anyone other than the owner has gained access to password and/or codes.
- Users should report to SMHI Servicedesk without delay on any suspicion that a third party has gained access to passwords and/or codes and has had the opportunity to abuse them.
- Users should follow guidelines for the IT services that user accounts provide access to (both within and outside the organization), thereby actively contributing to maintaining a correct level of security.
- Computers, mobile devices and other network-enabled equipment which are connected to SMHI’s computer network should have relevant protection, such as antivirus software, latest system updates and firewall.
- regulate any other permitted use.
Anyone who breaks, or is suspected of breaking, the rules above may be suspended from the above-mentioned network pending investigation. Disciplinary and/or legal measures may also be taken.
The service follows SMHI’s guidelines for management of personal data, in accordance with Swedish legislation.
Handling of personal data within the limits of the Identity Provider (IdP) as established by SMHI
The Identity Provider performs authentication on behalf of a service known to SMHI, either through metadata delivered via the SWAMID federation or through a special agreement between the service and SMHI.
Depending on the type of service, the purpose of the service, and the relation between the service and SMHI’s IdP, one or more personal data attributes are delivered to the service from SMHI’s directory and authorization system. This procedure follows the intentions of the Swedish data protection regulation.
All web services get access to a unique identifier which enables the user to save settings on login and reuse them in the next session. The identifier is unique to that particular service and cannot be used in other web services.
Services categorized with entity categories in SWAMID’s metadata receive attributes following SWAMID recommendations.
Services whose primary purpose is to support research and education get access to personal data similar to what is sent automatically in every e-mail, such as name, e-mail address, user id, whether the user is a student or a professional (employed or other), and the fact that the user is registered with SMHI.
Registered services following the EU General Data Protection Regulation via the GÉANT Data Protection Code of Conduct will get access to the same information.
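The release rules above (a service-specific identifier for every service, the name/e-mail/affiliation bundle only for Research & Scholarship and Code of Conduct services) can be checked against a small model. This is an added illustration, not SMHI’s or SWAMID’s implementation: the keyed-hash derivation of the pairwise identifier, the salt, the user record and the entity IDs are constructed assumptions; the two entity category URIs are the public REFEDS and GÉANT values.

```python
import hmac
import hashlib

# Entity category URIs as published in SWAMID metadata (public REFEDS/GÉANT values).
RESEARCH_AND_SCHOLARSHIP = "http://refeds.org/category/research-and-scholarship"
GEANT_COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Attribute bundle the policy text describes as "similar to what is in every e-mail".
EMAIL_LIKE_BUNDLE = ("displayName", "mail", "eduPersonPrincipalName",
                     "eduPersonScopedAffiliation")

# Constructed sample user record and IdP secret; not real data.
USER = {
    "uid": "anna",
    "displayName": "Anna Exempel",
    "mail": "anna@example.org",
    "eduPersonPrincipalName": "anna@example.org",
    "eduPersonScopedAffiliation": "employee@example.org",
}
IDP_SALT = b"constructed-demo-salt-do-not-reuse"


def pairwise_id(uid: str, sp_entity_id: str, salt: bytes) -> str:
    """Service-specific identifier (assumed derivation): an HMAC over the
    user id and the SP entityID keyed with an IdP-only secret. The same
    user at the same SP always gets the same value; two SPs cannot
    correlate users because their values differ and the salt is never
    released."""
    msg = f"{uid}!{sp_entity_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:32]


def release_attributes(user: dict, sp_entity_id: str,
                       sp_categories: set, salt: bytes) -> dict:
    """Apply the release policy: every service gets the pairwise identifier;
    only services tagged R&S or GÉANT CoCo receive the e-mail-like bundle."""
    released = {"pairwise-id": pairwise_id(user["uid"], sp_entity_id, salt)}
    if sp_categories & {RESEARCH_AND_SCHOLARSHIP, GEANT_COCO_V1}:
        for attr in EMAIL_LIKE_BUNDLE:
            released[attr] = user[attr]
    return released


if __name__ == "__main__":
    # Constructed SP entityIDs: one R&S service, one untagged service.
    print(release_attributes(USER, "https://rs.example.edu/sp",
                             {RESEARCH_AND_SCHOLARSHIP}, IDP_SALT))
    print(release_attributes(USER, "https://plain.example.com/sp", set(), IDP_SALT))
```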