What Attributes should be released as part of R&S?
The "attribute bundle" for R&S is defined in section 6 of the specification. The Research & Scholarship specification defines a bundle of attributes that Identity Providers are encouraged to release to R&S services, as follows:
- personal identifiers: email address, person name, eduPersonPrincipalName.
- pseudonymous identifier: eduPersonTargetedID.
- affiliation: eduPersonScopedAffiliation.
Category support is defined as follows:
An Identity Provider supports the R&S Category if for some subset of the Identity Provider's user population, the Identity Provider releases a minimal subset of the R&S attribute bundle to R&S Service Providers without administrative involvement, either automatically or subject to user consent.
See section 6 of the R&S Entity Category specification for a precise definition of the minimal subset of the R&S attribute bundle.
Are Service Providers allowed to request other attributes?
Service Providers should only request attributes that the service actually uses; for example, if email address is not required by the service it should not be requested. The specification does not explicitly prevent Service Providers from requesting attributes outside the R&S attribute bundle, but the expectation is that they should not. R&S works optimally for both Identity Providers and Service Providers when the bundle is treated as the maximum set of attributes requested. Service Providers requiring more unique or bespoke attribute bundles should talk to the REFEDS community.
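The following is an added illustration, not code from REFEDS or from any IdP product, of how an Identity Provider's release policy can encode the two points above: R&S Service Providers (identified by the R&S entity-category URI in their metadata) receive only attributes from the bundle listed earlier on this page, and any attribute an SP requests beyond the bundle is flagged for manual follow-up rather than released. The mapping of "person name" to `displayName`, `givenName` and `sn`, the rule that an SP with no explicit request list gets the whole bundle, and all SP and user records are assumptions constructed for the example.

```python
"""Model of an R&S attribute-release policy (added example, not REFEDS code).

Assumptions: the entity-category URI below is the one R&S SPs carry in SAML
metadata; the bundle is the one listed on this page, with "person name"
mapped to displayName / givenName / sn; an SP that lists no requested
attributes receives the whole bundle. Sample SPs and users are constructed.
"""
from dataclasses import dataclass

# Entity category URI present in an R&S Service Provider's SAML metadata.
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# The R&S attribute bundle as listed on this page (SAML friendly names).
RS_BUNDLE = frozenset({
    "mail",                                # email address
    "displayName", "givenName", "sn",      # person name (assumed mapping)
    "eduPersonPrincipalName",              # personal identifier
    "eduPersonTargetedID",                 # pseudonymous identifier
    "eduPersonScopedAffiliation",          # affiliation
})


@dataclass(frozen=True)
class ServiceProvider:
    entity_id: str
    entity_categories: frozenset          # category URIs from metadata
    requested_attributes: frozenset       # RequestedAttribute friendly names


def is_rs_service(sp: ServiceProvider) -> bool:
    """True when the SP asserts the R&S entity category in its metadata."""
    return RS_CATEGORY in sp.entity_categories


def out_of_bundle_requests(sp: ServiceProvider) -> frozenset:
    """Attributes the SP asks for beyond the R&S bundle.

    The page's expectation is that this set is empty; a non-empty result is
    the cue to take the request to the REFEDS community rather than release.
    """
    return sp.requested_attributes - RS_BUNDLE


def attributes_to_release(sp: ServiceProvider, user_attributes: dict) -> dict:
    """Release decision for one user and one SP, with no admin involvement.

    R&S SPs get the bundle intersected with what they request (the bundle is
    the maximum); anything outside the bundle is withheld. SPs without the
    category get nothing from this rule and fall through to other policies.
    """
    if not is_rs_service(sp):
        return {}
    allowed = sp.requested_attributes & RS_BUNDLE if sp.requested_attributes else RS_BUNDLE
    return {name: value for name, value in user_attributes.items() if name in allowed}


# Constructed sample data for a stand-alone run.
SAMPLE_SP = ServiceProvider(
    entity_id="https://sp.example.org/shibboleth",
    entity_categories=frozenset({RS_CATEGORY}),
    requested_attributes=frozenset(
        {"mail", "eduPersonPrincipalName", "displayName", "eduPersonEntitlement"}
    ),
)
SAMPLE_USER = {
    "mail": "alice@example.edu",
    "eduPersonPrincipalName": "alice@example.edu",
    "displayName": "Alice Example",
    "eduPersonScopedAffiliation": "member@example.edu",
    "eduPersonEntitlement": "urn:mace:example.edu:entitlement:lab",
}

if __name__ == "__main__":
    print("outside bundle:", sorted(out_of_bundle_requests(SAMPLE_SP)))
    print("released:", attributes_to_release(SAMPLE_SP, SAMPLE_USER))
```

Run as a script it prints the single out-of-bundle request (`eduPersonEntitlement`) and the three released attributes; an IdP operator would wire the same decision into the product's attribute-filter configuration, keyed on the entity category rather than on per-SP entity IDs, which is what makes the release "without administrative involvement".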
What exactly is meant by a "production SAML deployment?"