This document is an attempt to rewrite the R&S specification for clarity and simplicity without breaking existing R&S deployments.
Note |
---|
The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line. |
2. Syntax
The following URI is used as the attribute value for the Research & Scholarship (R&S) Entity Category and Entity Category Support attribute:
http://refeds.org/category/research-and-scholarship
A Service Provider that conforms to R&S exhibits the following entity attribute in its metadata:
Code Block | ||
---|---|---|
| ||
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<!-- entity attribute for SPs that conform to R&S -->
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://macedir.org/entity-category">
<!-- the refeds.org R&S entity attribute value -->
<saml:AttributeValue>
http://refeds.org/category/research-and-scholarship
</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes> |
An Identity Provider that supports R&S self-asserts the following entity attribute in its metadata:
Code Block | ||
---|---|---|
| ||
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<!-- entity attribute for IdPs that support R&S -->
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://macedir.org/entity-category-support">
<!-- the refeds.org R&S entity attribute value -->
<saml:AttributeValue>
http://refeds.org/category/research-and-scholarship
</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes> |
5. Attribute Bundle
The R&S attribute bundle consists of the following attributes:
refedsNonPrivateUserID
: a non-private shared user identifierrefedsPersonName
: a person namerefedsEmailAddress
: an email address
where shared user identifier is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:
eduPersonPrincipalName
(if non-reassigned)eduPersonPrincipalName
+eduPersonTargetedID
and where person name is defined to be any one of the following:
displayName
givenName
+sn
(surname)
and where email address is defined to be the mail
attribute.These attributes are "above-the-wire" attributes intended solely to facilitate attribute release. See: REFEDS Attribute Registry
6. Attribute Request
If a Service Provider requests a particular Service Providers SHOULD request a subset of the R&S attribute , the Identity Provider is REQUIRED to release it. Thus one or more R&S attributes MUST be listed in Service Provider metadata, otherwise the Identity Provider may release nothing at all.If a Service Provider requests an R&S attribute in metadata, that attribute MUST be required to operate the service. Thus an R&S attribute requested in metadata MUST NOT be decorated with isRequired="false"
. Beyond that, the use of the isRequired
XML attribute on any <md:RequestedAttribute>
element in metadata is unspecifiedbundle that represents only those attributes that the Service Provider requires to operate its service.
7. Attribute Release
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
An Identity Provider MUST release the R&S attributes to attribute bundle to any conforming R&S Service Provider upon request, in one of two ways:
...
without regard for any R&S
...
attributes
...
An Identity Provider is NOT REQUIRED to release an R&S attribute to a given R&S Service Provider unless that attribute is requested in Service Provider metadata. In particular, an Identity Provider that supports the R&S category MUST release the attributes shown below upon request from the Service Provider:
requested
...
All other attributes listed in Service Provider metadata are out of scope with respect to this specification.
...
.
...
Example 1. The R&S Service Provider requests refedsNonPrivateUserID
, refedsPersonName
, and refedsEmailAddress
in metadata.
An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserID
, refedsPersonName
, and refedsEmailAddress
).
Example 2. The R&S Service Provider requests eduPersonUniqueId
, displayName
, and mail
in metadata.
An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserID
, refedsPersonName
, and refedsEmailAddress
). Compare with Example 1.
Example 3. The R&S Service Provider requests refedsNonPrivateUserID
and refedsEmailAddress
in metadata.
An Identity Provider that supports R&S releases at least refedsNonPrivateUserID
and refedsEmailAddress
. Some Identity Providers will release refedsPersonName
as well. Presumably the latter do not filter on requested attributes in metadata.
Example 4. The R&S Service Provider requests refedsUserID
in metadata.
An Identity Provider that supports R&S releases at least the refedsNonPrivateUserID
attribute. Other Identity Providers may release any persistent, non-reassigned user identifier, including refedsPrivateUserID
(i.e., eduPersonTargetedID
) but this is out of scope with respect to this specification.
Example 5. The R&S Service Provider requests refedsEmailAddress
in metadata.
An Identity Provider that supports R&S releases the refedsEmailAddress
attribute.
...
title | Do not rely on email address as an identifier! |
---|
...
2. Syntax
The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship
...
5. Attribute Request
Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.
...