
Security Incident Response Trust Framework for Federated Identity (Sirtfi)

The Security Incident Response Trust Framework for Federated Identity (Sirtfi) aims to enable the coordination of incident response across federated organizations. This assurance framework comprises a list of assertions to which an organization can attest in order to be declared Sirtfi compliant.

Compliance Requirements

In order to be Sirtfi compliant, your organization must assert that it follows certain best practices in operational security, incident response and traceability. Your organization must also have a published Acceptable Use Policy (AUP) and a process to ensure that all users are aware of and accept the requirement to abide by the AUP. A designated Sirtfi contact must also be identified and published in your organization’s metadata. You must also operate the latest version of Identity Provider software that is not known to have security vulnerabilities.

How comprehensively or thoroughly each asserted capability should be implemented across an organization’s information system assets is not specified. The investment in mitigating a risk should be commensurate with the degree of its potential impact and the likelihood of its occurrence, and this determination can only be made within each organization.


Sirtfi raises the bar in operational security by acting as an identifier to mark trusted partners within eduGAIN. Compliance is expressed in metadata and gives a transparent view of those organizations willing to engage in collaborative, efficient, and effective incident response.

The credibility gained by asserting Sirtfi compliance opens doors globally for your user community to access useful services for the research and education (R&E) community, as more and more organizations choose to enable authentication based on this enhanced trust. If your organization provides services to the R&E community, Sirtfi compliance will allow you to expand your services to users whose organizations only allow authentication of Sirtfi-compliant services.

*Source: Why Sirtfi – refeds.org

More details on the Sirtfi framework can be found here: https://refeds.org/sirtfi

To apply for Sirtfi compliance, please follow the link below. This form can only be completed by an authorized CAF contact at your organization (CAF Signing Authority, Primary Business Contact or Primary Technical Contact).

Apply for Sirtfi Compliance

For more information on Sirtfi compliance, please email us at canops@canarie.ca.