This document is an attempt to rewrite the R&S specification for clarity and simplicity without breaking existing R&S deployments.
| Note |
|---|
| The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line. |
2. Syntax
The following URI is used as the attribute value for the Research & Scholarship (R&S) Entity Category and Entity Category Support attribute:
http://refeds.org/category/research-and-scholarship
A Service Provider that conforms to R&S exhibits the following entity attribute in its metadata:
| Code Block | ||
|---|---|---|
| ||
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<!-- entity attribute for SPs that conform to R&S -->
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://macedir.org/entity-category">
<!-- the refeds.org R&S entity attribute value -->
<saml:AttributeValue>
http://refeds.org/category/research-and-scholarship
</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes> |
An Identity Provider that supports R&S self-asserts the following entity attribute in its metadata:
| Code Block | ||
|---|---|---|
| ||
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<!-- entity attribute for IdPs that support R&S -->
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://macedir.org/entity-category-support">
<!-- the refeds.org R&S entity attribute value -->
<saml:AttributeValue>
http://refeds.org/category/research-and-scholarship
</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes> |
5. Attribute Bundle
The R&S attribute bundle consists of the following attributes:
refedsNonPrivateUserID: a non-private shared user identifierrefedsPersonName: a person namerefedsEmailAddress: an email address
where shared user identifier is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:
eduPersonPrincipalName(if non-reassigned)eduPersonPrincipalName+eduPersonTargetedID
and where person name is defined to be any one of the following:
displayNamegivenName+sn(surname)
and where email address is defined to be the mail attribute.These attributes are "above-the-wire" attributes intended solely to facilitate attribute release. See: REFEDS Attribute Registry
6. Attribute Request
If a Service Provider requests a particular Service Providers SHOULD request a subset of the R&S attribute , the Identity Provider is REQUIRED to release it. Thus one or more R&S attributes MUST be listed in Service Provider metadata, otherwise the Identity Provider may release nothing at all.If a Service Provider requests an R&S attribute in metadata, that attribute MUST be required to operate the service. Thus an R&S attribute requested in metadata MUST NOT be decorated with isRequired="false". Beyond that, the use of the isRequired XML attribute on any <md:RequestedAttribute> element in metadata is unspecifiedbundle that represents only those attributes that the Service Provider requires to operate its service.
7. Attribute Release
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
An Identity Provider MUST release the R&S attributes to attribute bundle to any conforming R&S Service Provider upon request, in one of two ways:
...
without regard for any R&S
...
attributes
...
An Identity Provider is NOT REQUIRED to release an R&S attribute to a given R&S Service Provider unless that attribute is requested in Service Provider metadata. In particular, an Identity Provider that supports the R&S category MUST release the attributes shown below upon request from the Service Provider:
requested
...
All other attributes listed in Service Provider metadata are out of scope with respect to this specification.
...
.
...
Example 1. The R&S Service Provider requests refedsNonPrivateUserID, refedsPersonName, and refedsEmailAddress in metadata.
An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserID, refedsPersonName, and refedsEmailAddress).
Example 2. The R&S Service Provider requests eduPersonUniqueId, displayName, and mail in metadata.
An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserID, refedsPersonName, and refedsEmailAddress). Compare with Example 1.
Example 3. The R&S Service Provider requests refedsNonPrivateUserID and refedsEmailAddress in metadata.
An Identity Provider that supports R&S releases at least refedsNonPrivateUserID and refedsEmailAddress. Some Identity Providers will release refedsPersonName as well. Presumably the latter do not filter on requested attributes in metadata.
Example 4. The R&S Service Provider requests refedsUserID in metadata.
An Identity Provider that supports R&S releases at least the refedsNonPrivateUserID attribute. Other Identity Providers may release any persistent, non-reassigned user identifier, including refedsPrivateUserID (i.e., eduPersonTargetedID) but this is out of scope with respect to this specification.
Example 5. The R&S Service Provider requests refedsEmailAddress in metadata.
An Identity Provider that supports R&S releases the refedsEmailAddress attribute.
...
| title | Do not rely on email address as an identifier! |
|---|
...
2. Syntax
The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship
...
5. Attribute Request
Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.
...