REFEDS Entity Category: Research and Scholarship V1.2

Published 28 November 2014.

Overview

Research and Education Federations are invited to use the REFEDS Research and Scholarship Entity Category with their members to support the release of attributes to Service Providers meeting the requirements described below.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. This definition is written in compliance with the Entity Category SAML Entity Metadata Attribute Types specification [EntityCatTypes].

An FAQ for the Entity Category has been made available to help deployments [R&SFAQ].

1. Definition

Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.

Example Service Providers may include (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.

2. Syntax

The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship.

3. Semantics

By asserting a Service Provider to be a member of an Entity Category, a registrar claims that:

  • 3.1 The Service Provider has applied for membership in the Category and complies with the R&S registration criteria.
  • 3.2 The Service Provider's application for R&S has been reviewed and approved by the registrar.

By using the Entity Category Attribute, a Service Provider claims that it will not use attributes for purposes that fall outside of the service definition.

By using the Entity Category Support Attribute, an Identity Provider claims that it supports the release of attributes to R&S Service Providers as outlined in the "Attribute Release" section below.

4. Registration Criteria

When a Service Provider's registrar (normally the Service Provider's home federation) registers the Service Provider in the Entity Category, the registrar MUST perform at least the following checks:

  • 4.1 The service enhances the research and scholarship activities of some subset of the registrar's user community.
  • 4.2 Service metadata has been submitted to the registrar and published in the registrar's public metadata aggregate.
  • 4.3 The service meets the following technical requirements:
      • 4.3.1 The Service Provider is a production SAML deployment that supports SAML V2.0 HTTP-POST binding.
      • 4.3.2 The Service Provider claims to refresh federation metadata at least daily.
      • 4.3.3 The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata.
      • 4.3.4 The Service Provider provides one or more technical contacts in metadata.
      • 4.3.5 The Service Provider provides requested attributes in metadata.

R&S Service Providers MUST resolve issues of non-compliance within a reasonable period of time from when they become aware of the issue. Failure to do so MUST result in revocation of the entity's membership in the R&S category.
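The registrar checks in 4.3 that are visible in metadata (the HTTP-POST binding, mdui elements, technical contact and requested attributes) can be scripted, as can the section 2 category tag. The following is an added example, not REFEDS or federation-operator code; the sample SP metadata is constructed, and its entityID, URLs and contact address are placeholders.

```python
# Added example (not REFEDS code): script the metadata checks behind registration
# criteria 4.3.1 and 4.3.3-4.3.5 and confirm the R&S tag from section 2. The sample SP
# metadata below is constructed; its entityID, URLs and contact address are placeholders.
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_SP = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" entityID="https://wiki.example.org/sp">
  <Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></Extensions>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example Wiki</mdui:DisplayName>
      <mdui:InformationURL xml:lang="en">https://wiki.example.org/about</mdui:InformationURL>
    </mdui:UIInfo></Extensions>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wiki.example.org/acs" index="0"/>
    <AttributeConsumingService index="0"><ServiceName xml:lang="en">Example Wiki</ServiceName>
      <RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
    </AttributeConsumingService></SPSSODescriptor>
  <ContactPerson contactType="technical"><EmailAddress>mailto:admin@example.org</EmailAddress></ContactPerson>
</EntityDescriptor>"""

def entity_attribute_values(root, name):
    """Collect the values of one entity attribute, e.g. the entity-category attribute."""
    vals = set()
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            vals |= {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
    return vals

def check_rs_metadata(xml_text):
    """Map each scriptable criterion to pass/fail; 4.1, 4.2 and 4.3.2 still need a human review."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:  # no SP role at all: the technical criteria cannot be met
        return {"4.3.1 SAML 2.0 SP with HTTP-POST ACS": False}
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    return {
        "tagged R&S": RS_CATEGORY in entity_attribute_values(root, "http://macedir.org/entity-category"),
        "4.3.1 SAML 2.0 SP with HTTP-POST ACS": any(a.get("Binding") == HTTP_POST for a in sp.findall("md:AssertionConsumerService", NS)),
        "4.3.3 mdui:DisplayName and mdui:InformationURL": ui is not None and all(ui.find(t, NS) is not None for t in ("mdui:DisplayName", "mdui:InformationURL")),
        "4.3.4 technical contact": bool(root.findall("md:ContactPerson[@contactType='technical']", NS)),
        "4.3.5 requested attributes": bool(sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)),
    }
```

Run it against a federation aggregate's entity descriptors one at a time and report any tagged entity with a failing row; the page's revocation rule in section 4 applies once the issue is known.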

5. Attribute Request

Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.

6. Attribute Release

Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:

  • personal identifiers: email address, person name, eduPersonPrincipalName.
  • pseudonymous identifier: eduPersonTargetedID.
  • affiliation: eduPersonScopedAffiliation.

Here, email address refers to the mail attribute and person name refers to displayName and optionally givenName and sn (i.e., surname).

An Identity Provider supports the R&S Category if, for some subset of the Identity Provider's user population, the Identity Provider releases a minimal subset of the R&S attribute bundle to R&S Service Providers without administrative involvement, either automatically or subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:

  • eduPersonPrincipalName
  • mail
  • displayName OR (givenName AND sn)

For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.
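The release rules in this section (the bundle, the minimal subset, and the non-reassigned identifier requirement) can be encoded as one decision function on the IdP side. This is an added example, not REFEDS or any IdP product's code; the user record, the SP's entity-category values and the eduPersonPrincipalName reassignment flag are constructed inputs.

```python
# Added example (not REFEDS code): an IdP-side release decision for an R&S Service
# Provider that follows section 6 of this page. The user record below is constructed,
# and the eduPersonTargetedID value is a made-up persistent identifier.
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
RS_BUNDLE = {"mail", "displayName", "givenName", "sn", "eduPersonPrincipalName",
             "eduPersonTargetedID", "eduPersonScopedAffiliation"}

def has_minimal_subset(names):
    """Minimal subset: eduPersonPrincipalName, mail, and displayName OR (givenName AND sn)."""
    names = set(names)
    return {"eduPersonPrincipalName", "mail"} <= names and (
        "displayName" in names or {"givenName", "sn"} <= names)

def rs_release(user, sp_entity_categories, eppn_is_nonreassigned):
    """Return the attributes to release, or raise if the release cannot satisfy section 6.

    user: attribute name -> value for the authenticated user; only RS_BUNDLE names leave.
    sp_entity_categories: values of the SP's entity-category attribute (section 2).
    eppn_is_nonreassigned: deployment-wide fact about this IdP's eduPersonPrincipalName.
    """
    if RS_CATEGORY not in sp_entity_categories:
        return {}  # not an R&S SP: this policy does not apply; other release rules decide
    out = {k: v for k, v in user.items() if k in RS_BUNDLE and v}
    if not has_minimal_subset(out):
        raise ValueError("user record lacks the minimal R&S subset; R&S support cannot be claimed")
    # Access control needs a non-reassigned persistent identifier: a reassignable ePPN
    # is only acceptable when eduPersonTargetedID is released alongside it.
    if not eppn_is_nonreassigned and "eduPersonTargetedID" not in out:
        raise ValueError("eduPersonPrincipalName may be reassigned: eduPersonTargetedID is required")
    return out

# Constructed user record; employeeNumber is outside the bundle and must never be released.
USER = {"eduPersonPrincipalName": "jdoe@example.edu", "mail": "jane.doe@example.edu",
        "givenName": "Jane", "sn": "Doe", "eduPersonScopedAffiliation": "member@example.edu",
        "eduPersonTargetedID": "https://idp.example.edu/idp!https://wiki.example.org/sp!a1b2c3d4",
        "employeeNumber": "12345"}
```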

7. Examples

Standard entity attribute for R&S Service Providers:

...

has been designed as a simple and scalable way for Identity Providers to release minimal amounts of required personal data to Service Providers serving the Research and Scholarship Community.

As an Entity Category, Services that share the common criteria described in the R&S specification are tagged by federation operators that have briefly audited the Service Providers to ensure they meet certain criteria. Once tagged, Identity Providers can safely release a small set of data to these providers with the knowledge it meets minimal requirements and privacy requirements.

R&S meets the requirements of privacy by design, but also meets the ongoing need to allow personal data to flow in controlled environments to support the needs of users.

If you believe an entity has been incorrectly tagged with R&S, please report to: contact@refeds.org.

The Research and Scholarship Entity Category can be found on the REFEDS website and text from the website should be used as the authoritative source: https://refeds.org/category/research-and-scholarship. Further supporting documentation is available at: https://refeds.org/research-and-scholarship.

The following resources might also be useful:

...

Standard entity attribute for R&S Identity Providers:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://service.example.com/idp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute
          Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  ...
</EntityDescriptor>

References

[EntityCatTypes] Young, I., Johansson, L., and Cantor, S., Ed., "The Entity Category SAML Attribute Types", July 2014.

[R&SFAQ] Harris, N., "Research and Scholarship FAQ", November 2014.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

...