...
An important characteristic of collaborative tools and services is that they require the user’s name to function effectively. Hence, the R&S attribute bundle includes a name-based identifier (eduPersonPrincipalName
) and person name as essential attributes. The user’s email address is also included in the bundle, to facilitate communication among the users of the service and between the service and its users.
What attributes should be released
...
by an R&S IdP?
The Research & Scholarship specification defines a bundles of attributes that Identity Providers are encouraged to release to R&S services:
...
See section 6 of the R&S Entity Category specification for a precise definition of the minimal subset of the R&S attribute bundle.
Are SPs allowed to request attributes other than the R&S attributes?
Service Providers should only request attributes that the service actually uses, so for example if email address is not required by the service it should not be requested. The specification does not explicitly prevent Service Providers from requesting attributes outside the R&S attribute bundle but strongly suggests that they do not ("Service Providers SHOULD request a subset of R&S Category Attributes", section 5 of the specification). R&S works best for both Identity Providers and Service Providers when the bundle is treated as the maximal set of attributes requested.
That said, if an SP requests an attribute outside the R&S attribute bundle, an IdP that supports R&S is by no means required to release it. See the previous question for details about attribute release.
How do I configure an IdP to release attributes to R&S SPs?
...
Finally, consider the following counterexample. Suppose an IdP releases the minimal subset of the R&S attribute bundle to any R&S SP provided the user is a non-student. That IdP may indeed receive the REFEDS R&S entity attribute in its metadata since it supports the R&S category "for some subset of the Identity Provider's user population," as required by the REFEDS R&S specification.
...
Service Providers should only request attributes that the service actually uses, so for example if email address is not required by the service it should not be requested. The specification does not explicitly prevent Service Providers from requesting attributes outside the R&S attribute bundle but strongly suggests that they do not ("Service Providers SHOULD request a subset of R&S Category Attributes", section 5 of the specification). R&S works best for both Identity Providers and Service Providers when the bundle is treated as the maximal set of attributes requested.
That said, if an SP requests an attribute outside the R&S attribute bundle, an IdP that supports R&S is by no means required to release it. See the previous question for details about attribute release.
What exactly is meant by a "production SAML deployment?"
...
The latter includes dev and/or staging instances of the overall Service Provider deployment.
How would a federation operator implement the Research & Scholarship Category?
Some tips and suggestions for implementing the Research & Scholarship Category are given in a separate document. In particular, a strategy for jump starting the R&S category using a second support category is outlined.
What is the difference between
...
Research &
...
Scholarship and the Code of Conduct?
The GÉANT Data Protection Code of Conduct is a process that allows Service Providers to commit to a series of declarations of support for data protection within the context of the EU Data Protection Directive. Like R&S, it results in the application of an entity category tag and is intended to give greater confidence to IdPs when releasing data.
- The Code of Conduct is designed to help IdPs feel more comfortable with the SPs intentions to abide by existing data protection law and therefore have relationship with them, but does not define attribute release and does not work outside of Europe in its current form, although an international version is being explored.
- R&S is designed to help IdPs that are struggling to define any sort of attribute release policies have an easier way of mitigating the risk and designing policies for a small subset of Service Providers that have been through some minimal vetting. It can be used by any federation globally.