This page is a work in progress
Anonymous Authorisation and Pseudonymous Authorisation Entity Categories FAQ
Where are the official definitions for Anonymous Authorisation and Pseudonymous Authorisation?
The formal, approved definitions of the REFEDS Anonymous Authorisation and Pseudonymous Authorisation entity categories are published on the REFEDS website:
(Note that the URI values of the REFEDS entity attribute resolve to the appropriate specification.)
Where can I find support materials?
What do I do if I think a Service Provider is misusing either of these entity categories?
Are SPs allowed to request additional attributes other than those defined in these entity categories?
Will I definitely get the attributes requested?
Release of data from organisations is governed by data protection laws that provide a variety of mechanisms to ensure that people and organisations have choice over the data that is released. There may, however, be legitimate reasons for attributes not to be released (e.g. user consent, data not available for all users in IDM systems, etc.). SPs are encouraged to consider providing helpful error message screens where this may impact service provision.
Are attributes single or multi-valued?
Service Providers should reference the eduPerson specification for details on values that may be received per attribute, but in general terms:
- eduPersonPrincipalName, eduPersonTargetedID, displayName are single-valued.
- givenName + sn, email address, eduPersonScopedAffiliation can be multi-valued.
For IdP Operators
What attributes have to be released?
How do I configure an IdP to release attributes to SPs?
To release attributes to all current and future R&S SPs with a one-time configuration, an IdP leverages entity attributes (instead of entity IDs). Thus the configuration steps documented in the R&S IdP Config topic require Shibboleth IdP v2.3.4 or later, which fully supports using entity attributes in SP metadata as part of an attribute release filter policy. No other SAML IdP software is known to support entity attributes at this time.
IdPs are broadly taking one of two approaches to releasing attributes to R&S SPs:
- Configure an IdP to Release a Fixed Subset of R&S Attributes. This releases the same subset to every R&S SP.
- Configure an IdP to Release a Dynamic Subset of R&S Attributes. This releases a different subset to each R&S SP based on the <md:RequestedAttribute> elements in SP metadata.
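The difference between the fixed and dynamic approaches above, as an added Python example (not REFEDS or Shibboleth code): it reads an SP's entity attributes and its <md:RequestedAttribute> elements and computes what each approach would release. The R&S category URI, the entity-category attribute name and matching on FriendlyName are assumptions not stated on this page, and the SP metadata is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
# Attributes this FAQ names, keyed by FriendlyName for readability (assumption:
# a production filter would match the RequestedAttribute Name URI instead).
RS_BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "displayName",
             "givenName", "sn", "mail", "eduPersonScopedAffiliation"}

# Constructed SP metadata, trimmed to the elements the filter reads.
SAMPLE_SP = f"""<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{ENTITY_CATEGORY}">
      <saml:AttributeValue>{RS_CATEGORY}</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
      <md:RequestedAttribute FriendlyName="telephoneNumber" Name="urn:oid:2.5.4.20"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def entity_categories(entity):
    """Values of the entity-category entity attribute in the SP's metadata."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            values |= {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
    return values

def requested_attributes(entity):
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {r.get("FriendlyName") for r in entity.findall(path, NS)}

def release_set(metadata_xml, dynamic):
    """Fixed: the whole bundle to any R&S SP. Dynamic: bundle limited to what the SP requests."""
    entity = ET.fromstring(metadata_xml)
    if RS_CATEGORY not in entity_categories(entity):
        return set()  # not tagged R&S: this policy releases nothing
    return RS_BUNDLE & requested_attributes(entity) if dynamic else set(RS_BUNDLE)
```

The category tag is only meaningful when it comes from federation metadata whose signature the IdP has verified; this sketch skips that step. Note that the dynamic result never includes telephoneNumber, because a request in metadata cannot widen release beyond the bundle.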
What Federations are Using These Entity Categories?
This can be determined using the entities search on https://met.refeds.org/.