RNP > Services > CAFe > Best practices

The Federation recommends its participants to adopt the following uses:

Identity Management

• Have procedures established to manage users and their attributes;
• Inform users on best practices regarding the use and confidentiality of passwords and the need to replace them periodically;
• Enabling each user to determine which attributes are sent to each service. When this is not possible, tell users which attributes are sent without its consent.

Management

• Ensure the high availability of the IdP;
• Hold a technical team ready to operate the IdP

Operation

• Monitor the IdP by monitoring logs (Operational System, SSO Software, Application Container, etc.);
• Keep log files for at least six months;
• Provide necessary information to investigate security incidents;
• Keep the server's clock synchronized with an NTP server;
• Monitor the validity of certificates used;
• Document changes made to the server;
• Keep the operational system and other software up to date by applying all the critical changes;
• Update the metadata file every hour;
• Use only the official servers of CAFe as a source of metadata;
• Hold an user with read-only permission for consultation on the IdP’s data source;
• Own servers (physical or virtual) separated for each application (e.g.: Shibboleth, EID, OpenLDAP, etc.);
• Keep backup of the IdP’s configuration;
• Follow the scripts prepared by the Federation’s support team using the applications suggested and supported.