Versions Compared

Old Version 13

changes.mady.by.user Tom Scavo

Saved on

compared with

New Version 14

changes.mady.by.user Tom Scavo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Note
The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line.

...

 

5. Attribute Bundle

Conceptually, the  ReleaseAn Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.The R&S attribute bundle consists  consists of the following three meta- attributes:

  • non-private user identifier
  • person name
  • email address

where Technically, a non-private user identifier is  is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:

  1. eduPersonUniqueId
  2. eduPersonPrincipalName (if non-reassigned)
  3. eduPersonPrincipalName eduPersonTargetedID

and where Likewise, person name is  is defined to be any one of the following:

  1. displayName
  2. givenName + sn (surname)

Finally, an email address is synonymous with the mail attribute.

6. Attribute Request

One or more R&S attributes MUST be listed in Service Provider metadata. If a Service Provider lists an R&S attribute in metadata, that attribute MUST be required to operate the service. That is, all R&S attributes in metadata MUST be decorated with isRequired="true".

7. Attribute Release

An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consentand where email address is defined to be the mail attribute.

An Identity Provider MUST release R&S attributes to any conforming R&S Service Provider upon request, in one of two ways:

...

An Identity Provider is NOT REQUIRED to release the non-private user identifier meta-attribute  attribute to a given R&S Service Provider unless one or more of eduPersonUniqueIdeduPersonPrincipalName, or eduPersonTargetedID is requested in Service Provider metadata, without regard for the isRequired XML attribute. Similarly, aIdentity Provider is NOT REQUIRED to release the person name meta-attribute  attribute to a given R&S Service Provider unless one or more of displayNamegivenName, or sn (surname) is requested in Service Provider metadata, without regard for the isRequired XML attribute. Finally, an Identity Provider is NOT REQUIRED to release the email address meta-attribute  attribute unless the mail attribute is requested in Service Provider metadata, without regard for the isRequired XML attribute.

Any other attribute listed in Service Provider metadata is out of scope with respect to this specification.

8. Examples

TBD


...

5. Attribute Request

Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service. 

6. Attribute Release

Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:

...

For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.

 

7. Examples

 

Standard entity attribute for R&S Service Providers:

 

<EntityDescriptor xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”
entityID=”https://service.example.com/sp”>
<Extensions xmlns:mdattr=”urn:oasis:names:tc:SAML:metadata:attribute”>
<mdattr:EntityAttributes xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion”>
<saml:Attribute
Name=”http://macedir.org/entity-category
NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri”>
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship>
</saml:Attribute>
</mdattr:EntityAttributes>
</Extensions>

</EntityDescriptor>

 

Standard entity attribute for R&S Identity Providers:

 

<EntityDescriptor xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”
entityID=”https://service.example.com/idp”>
<Extensions xmlns:mdattr=”urn:oasis:names:tc:SAML:metadata:attribute”>
<mdattr:EntityAttributes xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion”>
<saml:Attribute
Name=”http://macedir.org/entity-category-support
NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri”>
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship> </saml:Attribute>
</mdattr:EntityAttributes>
</Extensions>

</EntityDescriptor>