Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Fixed incorrect SAML Attribute Name in SP EA stanza

This document is an attempt to rewrite the R&S specification for clarity and simplicity without breaking existing R&S deployments.

Note
The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line. 

2. Syntax

The following URI is used as the attribute value for the Research & Scholarship (R&S) Entity Category and Entity Category Support attribute:

http://refeds.org/category/research-and-scholarship

A Service Provider that conforms to R&S exhibits the following entity attribute in its metadata:

Code Block
titleAn entity attribute for SPs that conform to R&S
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for SPs that conform to R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

An Identity Provider that supports R&S self-asserts the following entity attribute in its metadata:

Code Block
titleAn entity attribute for IdPs that support R&S
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

5. Attribute Bundle

The R&S attribute bundle consists of the following attributes:

  • refedsNonPrivateUserID: a non-private shared user identifier
  • refedsPersonName: a person name
  • refedsEmailAddress: an email address

where shared user identifier is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:

  1. eduPersonPrincipalName (if non-reassigned)
  2. eduPersonPrincipalName + eduPersonTargetedID

and where person name is defined to be any one of the following:

  1. displayName
  2. givenName + sn (surname)

and where email address is defined to be the mail attribute.These attributes are "above-the-wire" attributes intended solely to facilitate attribute release. See: REFEDS Attribute Registry

6. Attribute Request

If a Service Provider requests a particular Service Providers SHOULD request a subset of the R&S attribute , the Identity Provider is REQUIRED to release it. Thus one or more R&S attributes MUST be listed in Service Provider metadata, otherwise the Identity Provider may release nothing at all.If a Service Provider requests an R&S attribute in metadata, that attribute MUST be required to operate the service. Thus an R&S attribute requested in metadata MUST NOT be decorated with isRequired="false". Beyond that, the use of the isRequired XML attribute on any <md:RequestedAttribute> element in metadata is unspecifiedbundle that represents only those attributes that the Service Provider requires to operate its service.

7. Attribute Release

An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.

An Identity Provider MUST release the R&S attributes to attribute bundle to any conforming R&S Service Provider upon request, in one of two ways:

...

without regard for any R&S

...

attributes

...

An Identity Provider is NOT REQUIRED to release an R&S attribute to a given R&S Service Provider unless that attribute is requested in Service Provider metadata. In particular, an Identity Provider that supports the R&S category MUST release the attributes shown below upon request from the Service Provider:

requested

...

 All other attributes listed in Service Provider metadata are out of scope with respect to this specification.

...

.

...

Example 1. The R&S Service Provider requests refedsNonPrivateUserID, refedsPersonName, and refedsEmailAddress in metadata.

An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserIDrefedsPersonName, and refedsEmailAddress).

Example 2. The R&S Service Provider requests eduPersonUniqueIddisplayName, and mail in metadata.

An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserIDrefedsPersonName, and refedsEmailAddress). Compare with Example 1.

Example 3The R&S Service Provider requests refedsNonPrivateUserID and refedsEmailAddress in metadata.

An Identity Provider that supports R&S releases at least refedsNonPrivateUserID and refedsEmailAddress. Some Identity Providers will release refedsPersonName as well. Presumably the latter do not filter on requested attributes in metadata.

Example 4. The R&S Service Provider requests refedsUserID in metadata.

An Identity Provider that supports R&S releases at least the refedsNonPrivateUserID attribute. Other Identity Providers may release any persistent, non-reassigned user identifier, including refedsPrivateUserID (i.e., eduPersonTargetedID) but this is out of scope with respect to this specification.

 

Example 5. The R&S Service Provider requests refedsEmailAddress in metadata.

 

An Identity Provider that supports R&S releases the refedsEmailAddress attribute.

...

titleDo not rely on email address as an identifier!


...

2. Syntax

The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship

...

5. Attribute Request

Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.

...