This document is an attempt to rewrite the R&S specification for clarity and simplicity without breaking existing R&S deployments.
Note: The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line.
2. Syntax
The following URI is used as the attribute value for the Research & Scholarship (R&S) Entity Category and Entity Category Support attribute:
http://refeds.org/category/research-and-scholarship
A Service Provider that conforms to R&S exhibits the following entity attribute in its metadata:
```xml
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for SPs that conform to R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
```
An Identity Provider that supports R&S self-asserts the following entity attribute in its metadata:
```xml
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
```
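The two entity attributes above are what a metadata consumer keys on to decide whether an entity is an R&S Service Provider or an R&S-supporting Identity Provider. The following added example (not part of the R&S specification or of any REFEDS tool) shows that check in plain Python over a constructed metadata aggregate: an SP carries the `entity-category` attribute, an IdP carries the `entity-category-support` attribute, and a third (constructed) SP that asserts only the *support* attribute is correctly left out, because the two attributes are not interchangeable. The entityIDs and the `SAMPLE_METADATA` document are constructed for this example.

```python
# Added example: classify entities in a SAML metadata aggregate by the R&S
# entity attributes. Standard library only; no REFEDS or federation tooling.
import xml.etree.ElementTree as ET

RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample aggregate (entityIDs are made up): one conforming SP, one
# supporting IdP, and one SP that mistakenly asserts the *support* attribute.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="http://macedir.org/entity-category">
        <saml:AttributeValue>
          http://refeds.org/category/research-and-scholarship
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wrong.example.org/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attribute_values(entity, name):
    """Return the set of values of the entity attribute `name` on one EntityDescriptor."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            # The spec's examples put the URI on its own line, so compare the
            # whitespace-stripped text rather than the raw element content.
            if value.text and value.text.strip():
                values.add(value.text.strip())
    return values


def classify_rs(metadata_xml):
    """Return (rs_service_providers, rs_identity_providers) as sets of entityIDs."""
    root = ET.fromstring(metadata_xml)
    rs_sps, rs_idps = set(), set()
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = entity.get("entityID")
        has_sp_role = entity.find("md:SPSSODescriptor", NS) is not None
        has_idp_role = entity.find("md:IDPSSODescriptor", NS) is not None
        # An SP conforms only via entity-category; an IdP supports only via
        # entity-category-support. The wrong attribute on a role is ignored.
        if has_sp_role and RS_CATEGORY in entity_attribute_values(entity, ENTITY_CATEGORY):
            rs_sps.add(entity_id)
        if has_idp_role and RS_CATEGORY in entity_attribute_values(entity, ENTITY_CATEGORY_SUPPORT):
            rs_idps.add(entity_id)
    return rs_sps, rs_idps


if __name__ == "__main__":
    sps, idps = classify_rs(SAMPLE_METADATA)
    print("R&S SPs: ", sorted(sps))
    print("R&S IdPs:", sorted(idps))
```

Running the block prints one SP and one IdP; the third entity is omitted because it asserts the support attribute on an SP role. The same function works unchanged on a real federation aggregate passed in place of the constructed sample.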
5. Attribute Bundle
Conceptually, the R&S attribute bundle consists of the following three attributes:
- non-private user identifier
- person name
- email address
Technically, a non-private user identifier is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:
- ...
- eduPersonPrincipalName (if non-reassigned)
- eduPersonPrincipalName + eduPersonTargetedID
Likewise, person name is defined to be any one of the following:
- displayName
- givenName + sn (surname)
Finally, an email address is synonymous with the mail attribute.
6. Attribute Request
One or more R&S attributes MUST be listed in Service Provider metadata. If a Service Provider lists an R&S attribute in metadata, that attribute MUST be required to operate the service. That is, all R&S attributes in metadata MUST be decorated with isRequired="true".
7. Attribute Release
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
An Identity Provider MUST release the R&S attribute bundle to any conforming R&S Service Provider upon request, in one of two ways:
...
2. Syntax
The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship
An Identity Provider is NOT REQUIRED to release the non-private user identifier attribute to a given R&S Service Provider unless one or more of eduPersonUniqueId, eduPersonPrincipalName, or eduPersonTargetedID is requested in Service Provider metadata, without regard for the isRequired XML attribute. Similarly, an Identity Provider is NOT REQUIRED to release the person name attribute to a given R&S Service Provider unless one or more of displayName, givenName, or sn (surname) is requested in Service Provider metadata, without regard for the isRequired XML attribute. Finally, an Identity Provider is NOT REQUIRED to release the email address attribute unless the mail attribute is requested in Service Provider metadata, without regard for the isRequired XML attribute.
Any other attribute listed in Service Provider metadata is out of scope with respect to this specification.
8. Examples
TBD
5. Attribute Request
Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.
...