Comment: Fixed incorrect SAML Attribute Name in SP EA stanza

This document is an attempt to rewrite the R&S specification for clarity and simplicity without breaking existing R&S deployments.

Note
The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line. 

...

2.

...

An Identity Provider supports the R&S category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all R&S Service Providers without administrative involvement, either automatically or subject to user consent. The R&S attribute bundle consists of the following attributes:

  • eduPersonPrincipalName

  • eduPersonUniqueId

  • mail

  • displayName

  • givenName

  • sn (surname)

An Identity Provider that supports the R&S category MUST be willing and able to release all R&S attributes to all R&S Service Providers. The only exception is the eduPersonUniqueId attribute: If the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, release of eduPersonUniqueId is strictly OPTIONAL.

An Identity Provider MUST release an R&S attribute upon request, in one of two ways:

  1. By unconditionally releasing that attribute to all R&S SPs
  2. By conditionally releasing that attribute based on the <md:RequestedAttribute> elements in Service Provider metadata

A sufficiently capable IdP deployment MAY optimize attribute release based on the <md:RequestedAttribute> elements in Service Provider metadata.

  • If a Service Provider lists the eduPersonPrincipalName attribute in metadata, and the Identity Provider's deployment of eduPersonPrincipalName may be reassigned, then the Identity Provider MUST release both eduPersonPrincipalName and eduPersonUniqueId to the Service Provider regardless of whether eduPersonUniqueId is listed in metadata.

  • If a Service Provider lists the eduPersonUniqueId attribute in metadata, and the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, the release of eduPersonUniqueId is OPTIONAL despite its listing in metadata.

Beyond the two special cases noted above, an Identity Provider is NOT REQUIRED to release any R&S attribute not listed in metadata. Moreover, any non-R&S attribute listed in Service Provider metadata is out of scope with respect to this specification.

An Identity Provider MUST NOT require the isRequired XML attribute to be present on any requested R&S attribute in Service Provider metadata. That is, an Identity Provider that supports the R&S category MUST be able to meet the requirements of this specification regardless of whether the isRequired XML attribute is (or is not) present on any given requested R&S attribute in Service Provider metadata.
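The release rules in the draft text above (the two ways of releasing, the eduPersonUniqueId exception, the two special cases and the isRequired rule) can be written down as a small policy function. The following is an added example, not code from the draft or from REFEDS; the policy class and its field names (eppn_non_reassigned, optimize_on_requested, release_optional_unique_id) are assumptions made for the illustration, and the sample SP request is constructed. release_violations is the check an IdP operator can run over an observed attribute-filter result to see whether it breaks any of the draft's MUST rules.

```python
from dataclasses import dataclass

# The R&S attribute bundle as listed in the draft text above.
RS_BUNDLE = frozenset({
    "eduPersonPrincipalName",
    "eduPersonUniqueId",
    "mail",
    "displayName",
    "givenName",
    "sn",
})


@dataclass(frozen=True)
class IdPPolicy:
    """Hypothetical IdP-side configuration (assumed names, not taken from the draft)."""
    # True if this deployment never reassigns eduPersonPrincipalName values.
    eppn_non_reassigned: bool
    # True to use release way 2 (conditional on md:RequestedAttribute); False for way 1.
    optimize_on_requested: bool = False
    # Where release of eduPersonUniqueId is OPTIONAL, does this IdP release it anyway?
    release_optional_unique_id: bool = True


def rs_release_set(policy: IdPPolicy, sp_is_rs: bool, requested: frozenset) -> set:
    """Attribute names this IdP releases to an SP under the draft rules.

    `requested` holds the friendly names of the SP's md:RequestedAttribute elements.
    Their isRequired XML attribute is deliberately ignored: the draft says an IdP
    MUST NOT depend on it.
    """
    if not sp_is_rs:
        # The category only governs release to R&S SPs.
        return set()

    if policy.optimize_on_requested:
        # Way 2: release only what is listed; non-R&S attributes are out of scope.
        release = set(requested) & RS_BUNDLE
        # Special case 1: a reassignable ePPN MUST be accompanied by eduPersonUniqueId,
        # whether or not the SP listed eduPersonUniqueId in metadata.
        if "eduPersonPrincipalName" in release and not policy.eppn_non_reassigned:
            release.add("eduPersonUniqueId")
    else:
        # Way 1: release the whole bundle to every R&S SP.
        release = set(RS_BUNDLE)

    # The single exception: with a non-reassigned ePPN, eduPersonUniqueId is OPTIONAL
    # (special case 2 is the listed-in-metadata variant of the same rule).
    if policy.eppn_non_reassigned and not policy.release_optional_unique_id:
        release.discard("eduPersonUniqueId")
    return release


def release_violations(policy: IdPPolicy, requested: frozenset, released: set) -> list:
    """MUST-level rules that an observed release to an R&S SP breaks (empty = compliant)."""
    problems = []
    for name in sorted(set(requested) & RS_BUNDLE):
        if name in released:
            continue
        if name == "eduPersonUniqueId" and policy.eppn_non_reassigned:
            continue  # OPTIONAL despite its listing in metadata
        problems.append(f"requested R&S attribute {name} was not released")
    if ("eduPersonPrincipalName" in requested
            and not policy.eppn_non_reassigned
            and "eduPersonUniqueId" not in released):
        problems.append("eduPersonUniqueId must accompany a reassignable eduPersonPrincipalName")
    return problems


if __name__ == "__main__":
    # Constructed example: an SP lists ePPN, mail and one non-R&S attribute.
    sp_requests = frozenset({"eduPersonPrincipalName", "mail", "eduPersonAffiliation"})
    idp = IdPPolicy(eppn_non_reassigned=False, optimize_on_requested=True)
    print(sorted(rs_release_set(idp, True, sp_requests)))
    print(release_violations(idp, sp_requests, {"eduPersonPrincipalName", "mail"}))
```

Running the module shows that the optimizing IdP adds eduPersonUniqueId to the release even though the SP did not list it, and that a release of only ePPN and mail from such an IdP is flagged as a violation; eduPersonAffiliation is ignored as out of scope.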


Syntax

The following URI is used as the attribute value for the Research & Scholarship (R&S) Entity Category and Entity Category Support attribute:

http://refeds.org/category/research-and-scholarship

A Service Provider that conforms to R&S exhibits the following entity attribute in its metadata:

Code block: An entity attribute for SPs that conform to R&S
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for SPs that conform to R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

An Identity Provider that supports R&S self-asserts the following entity attribute in its metadata:

Code block: An entity attribute for IdPs that support R&S
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
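The two entity attributes above differ only in their Name (entity-category for SPs, entity-category-support for IdPs), and mixing them up is exactly the kind of error the version comment at the top of this page refers to. The following added example, which is not code from the draft or from REFEDS, parses an md:EntityDescriptor with Python's standard xml.etree and checks for the right attribute on the right kind of entity; it also pulls out the SP's md:RequestedAttribute friendly names that the draft's conditional release depends on. The two metadata documents are constructed samples modelled on the examples above, with the entity IDs and the service name invented for the illustration; the two urn:oid attribute names are the standard OIDs for eduPersonPrincipalName and mail.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML metadata and the entity attributes extension.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
ENTITY_CATEGORY = "http://macedir.org/entity-category"                  # asserted about SPs
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"  # self-asserted by IdPs


def entity_attribute_values(metadata_xml: str, attribute_name: str) -> set:
    """Values of one entity attribute in an md:EntityDescriptor (empty set if absent)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root element")
    values = set()
    path = f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes/{{{SAML}}}Attribute"
    for attr in root.findall(path):
        # Match on both Name and the URI NameFormat that the examples above use.
        if attr.get("Name") != attribute_name or attr.get("NameFormat") != URI_NAME_FORMAT:
            continue
        for value in attr.findall(f"{{{SAML}}}AttributeValue"):
            # Values may be pretty-printed with surrounding whitespace, as in the SP example.
            if value.text and value.text.strip():
                values.add(value.text.strip())
    return values


def sp_conforms_to_rs(metadata_xml: str) -> bool:
    """True if the SP's metadata carries the R&S entity-category attribute."""
    return RS_CATEGORY in entity_attribute_values(metadata_xml, ENTITY_CATEGORY)


def idp_supports_rs(metadata_xml: str) -> bool:
    """True if the IdP's metadata carries the R&S entity-category-support attribute."""
    return RS_CATEGORY in entity_attribute_values(metadata_xml, ENTITY_CATEGORY_SUPPORT)


def requested_attribute_names(metadata_xml: str) -> set:
    """FriendlyNames (falling back to Names) of the SP's md:RequestedAttribute elements."""
    root = ET.fromstring(metadata_xml)
    path = (f"{{{MD}}}SPSSODescriptor/{{{MD}}}AttributeConsumingService/"
            f"{{{MD}}}RequestedAttribute")
    return {ra.get("FriendlyName") or ra.get("Name") for ra in root.findall(path)}


# Constructed sample SP metadata (hypothetical entity ID and service name).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="{MDATTR}">
      <saml:Attribute xmlns:saml="{SAML}" NameFormat="{URI_NAME_FORMAT}" Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>
          {RS_CATEGORY}
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example research service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample IdP metadata, trimmed to the extension that matters here.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.edu/idp">
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="{MDATTR}">
      <saml:Attribute xmlns:saml="{SAML}" NameFormat="{URI_NAME_FORMAT}" Name="{ENTITY_CATEGORY_SUPPORT}">
        <saml:AttributeValue>{RS_CATEGORY}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print("SP conforms:", sp_conforms_to_rs(SP_METADATA))
    print("IdP supports:", idp_supports_rs(IDP_METADATA))
    print("SP requests:", sorted(requested_attribute_names(SP_METADATA)))
```

Note that the IdP sample is not treated as a conforming SP and the SP sample is not treated as a supporting IdP: the check is on the attribute Name, not merely on the presence of the R&S URI somewhere in the metadata. In practice these values should be read from metadata obtained through the federation's signed aggregate, since the SP-side entity-category attribute is what the IdP's release decision hinges on.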

5. Attribute Bundle

The R&S attribute bundle consists of the following attributes:

  • shared user identifier
  • person name
  • email address

where shared user identifier is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:

  1. eduPersonPrincipalName (if non-reassigned)
  2. eduPersonPrincipalName + eduPersonTargetedID

and where person name is defined to be any one of the following:

  1. displayName
  2. givenName + sn (surname)

and where email address is defined to be the mail attribute.
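The bundle in section 5 is defined in terms of alternatives (either of two identifier forms, either of two name forms), so whether a given set of released attributes satisfies it depends on what the IdP says about its eduPersonPrincipalName deployment. The following added example, not code from the specification or from REFEDS, is the check an SP operator might run over the attributes actually received: it treats SAML attributes as multi-valued, counts an attribute as present only when it has a non-blank value, and reports which bundle components are unmet. The attribute dictionaries in the test are constructed sample values.

```python
# Friendly names of the attributes named in section 5.
EPPN = "eduPersonPrincipalName"
EPTID = "eduPersonTargetedID"


def _present(attrs: dict, name: str) -> bool:
    """An attribute counts only if it carries at least one non-blank value."""
    return any(v.strip() for v in attrs.get(name, []))


def missing_bundle_components(attrs: dict, eppn_non_reassigned: bool) -> list:
    """Components of the section 5 R&S bundle that `attrs` does not satisfy.

    `attrs` maps attribute friendly names to their list of released values.
    `eppn_non_reassigned` is the IdP's statement about its ePPN deployment.
    An empty list means the full bundle was received.
    """
    missing = []

    # shared user identifier: a non-reassigned ePPN alone, or ePPN + eduPersonTargetedID
    has_eppn = _present(attrs, EPPN)
    if not (has_eppn and (eppn_non_reassigned or _present(attrs, EPTID))):
        missing.append("shared user identifier")

    # person name: displayName alone, or givenName + sn
    if not (_present(attrs, "displayName")
            or (_present(attrs, "givenName") and _present(attrs, "sn"))):
        missing.append("person name")

    # email address: the mail attribute
    if not _present(attrs, "mail"):
        missing.append("email address")

    return missing


if __name__ == "__main__":
    # Constructed sample: a reassignable ePPN released without eduPersonTargetedID.
    received = {EPPN: ["jdoe@example.edu"], "displayName": ["Jane Doe"], "mail": ["jdoe@example.edu"]}
    print(missing_bundle_components(received, eppn_non_reassigned=False))
```

Running the module prints ['shared user identifier']: the same three attributes would satisfy the bundle from an IdP whose ePPN is non-reassigned, but not from one that reassigns it.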

6. Attribute Request

Service Providers SHOULD request a subset of the R&S attribute bundle that represents only those attributes that the Service Provider requires to operate its service.

7. Attribute Release

An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.

An Identity Provider MUST release the R&S attribute bundle to any conforming R&S Service Provider upon request, without regard for any R&S attributes requested in Service Provider metadata.


...

2. Syntax

The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship

5. Attribute Request

Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.

6. Attribute Release

Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:

...

For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.

7. Examples

Standard entity attribute for R&S Service Providers:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.com/sp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute
          Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>

Standard entity attribute for R&S Identity Providers:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.com/idp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute
          Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>