This consultation opens on 4 October 2022 and closes on 8 November 2022 at 17:00 CET.


The REFEDS Entity Categories Development Working Group has developed a revision to the personalized Authorization Entity Category.  This revision normalizes the language and requirements, as appropriate, across all three access-related entity categories (i.e., Anonymous, Pseudonymous, and Personalized Access Entity Categories) and changes the full name from Personalized to Personalized Access.


Included as supporting material for implementers are two documents:

While not officially part of the consultation, feedback on the informative text is welcome.

This consultation is open from: 4 October 2022 to 8 November 2022 17:00 CET.

Participants are invited:

  • to consider the proposed revisions to this entity category

The PDF for the consultation is available. All comments should be made on: or added to the changelog below. Comments posted to other channels will not be included in the consultation review.

Change Log

comment #Line/Reference #Proposed Change or QueryProposer / AffiliationAction / Decision (please leave blank)

Is there a reason that pairwise-id is not listed as possible user identifier (at least in addition to subject-id for IDP release, with support RECOMMENDED for SPs)? 

Requiring the release of a omni-directional unique user identifier that will permit direct matching between supporting sites does not seem aligned with the stated minimum disclosure principle.

Email is widely used as an omni-directional, unique identifier. The working group did not feel there was any additional complexity or privacy concerns since email is already released in this entity category.

We did consider allowing pairwise id as an alternative, but since it wasn't adding any privacy benefits, we felt it was better to keep the attribute bundle as simple as possible.

No change to the document.

247-48Similarly to comment 2 on the Pseudonymous consultation, can you add a couple of words to clarify that RC2 is in the "application for inclusion in the Entity Category"Alex Stuart (Jisc)The text has been modified to remove the word "application" in favor of "request".
356-58Can you give an example of when a federation registrar would not remove the entity category when a Service Provider can no longer demonstrate compliance? I'd expect that the registrar MUST remove, not SHOULD.Alex Stuart (Jisc)We have modified the text to: "The federation registrar MUST remove the Entity Category if the Service Provider indicates a change in conformance. The federation registrar MUST have other remediation procedures to address a lack of compliance with these requirements."

  • No labels