InCommon Registration Checklist for Service Providers

To register as a service provider (SP) under Harvard's InCommon membership, please gather the information listed below and email it to

Items marked with an asterisk* are required. Please note that while your privacy policy or other existing resources may already address the questions below, we need your responses to each question in order to fulfill InCommon template requirements. To help you answer some of the questions below, you may wish to see how other Harvard SPs have provided answers to questions in the InCommon POP.

For questions, please contact

  1. EntityID* (example:
    For reference, see this guide to choosing an appropriate EntityID.

  2. User interface elements:
    1. SP display name*
    2. SP description
    3. SP information URL
    4. SP privacy statement URL*
    5. SP logo URL (HTTPS)
    6. Width and height of SP logo

  3. Requested attributes (list all requested, with a business rationale for each). You may choose from the attributes below.
    For reference, see this list of standard InCommon identity attributes.
    • cn (commonName)
    • displayName
    • eduPersonAffiliation
    • eduPersonEntitlement
    • eduPersonPrincipalName
    • eduPersonScopedAffiliation
    • eduPersonTargetedID
    • givenName
    • mail
    • o (organizationName)
    • sn (surname)

  4. Discovery response indexes and corresponding location URLs.

  5. Assertion consumer service types/profiles* (available choices are below) and corresponding location URLs*.
    • SAML 2.0 HTTP-POST
      Example: https://<domain name>/Shibboleth.sso/SAML2/POST
    • SAML 2.0 HTTP-POST-SimpleSign
      Example: https://<domain name>/Shibboleth.sso/SAML2/POST-SimpleSign
    • SAML 2.0 HTTP-Artifact
      Example: https://<domain name>/Shibboleth.sso/SAML2/Artifact
    • SAML 2.0 PAOS
      Example: https://<domain name>/Shibboleth.sso/SAML2/ECP
    • SAML 1.1 Browser/Post
      Example: https://<domain name>/Shibboleth.sso/SAML1/POST
    • SAML 1.1 Browser/Artifact
      Example: https://<domain name>/Shibboleth.sso/SAML1/Artifact

  6. Single logout service profile/binding types (available choices are below) and corresponding location URLs. Please note that this is optional, and SP owners should carefully review InCommon's materials on single logout.
    For reference, please see this InCommon guide to SP endpoints.
    • SAML 2.0 HTTP-POST
    • SAML 2.0 HTTP-Redirect
    • SAML 2.0 SOAP

  7. Contents of digital certificate, in .pem format*.
    For reference, please see this InCommon guide to X.509 certificates in metadata.

  8. Contact names and email addresses for the roles below — additionally, please supply title, phone, and fax for the individual or team whom you wish to designate as a primary contact for your SP.
    Note that, if appropriate, one individual or team may fill multiple roles.
    1. Technical*
    2. Administrative*
    3. Support*
    4. Security*
  9. What attribute information about an individual do you require in order to manage access to resources you make available to other InCommon participants?*

  10. What use do you make of attribute information that you receive in addition to basic access control decisions?*
    For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?

  11. What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)?*
    For example, is this information encrypted?

  12. Please describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information.*

  13. If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?*