This document is an attempt to rewrite the R&S specification for clarity and simplicity without breaking existing R&S deployments.
Note: The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line.
...
2. Syntax
The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute:
http://refeds.org/category/research-and-scholarship
Attribute Release
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
The R&S attribute bundle consists of the following attributes:
- persistent, non-reassigned, non-targeted identifier
- mail
- displayName
- givenName
- sn (surname)
A Service Provider that conforms to R&S exhibits the following entity attribute in its metadata:
```xml
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for SPs that conform to R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
```
An Identity Provider that supports R&S self-asserts the following entity attribute in its metadata:
```xml
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
```
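The two entity attributes above are easy to confuse in practice: an SP asserts `http://macedir.org/entity-category`, an IdP self-asserts `http://macedir.org/entity-category-support`, and only the first says anything about SP conformance. The following Python script is an added example (not part of this draft or of the REFEDS specification) that reads a SAML metadata aggregate with the standard library and reports, per entityID, whether the entity conforms as an R&S SP and whether it supports R&S as an IdP. It goes slightly beyond the text by handling both a single `EntityDescriptor` and an `EntitiesDescriptor` aggregate. The function names and the sample metadata (three constructed entities, one of which carries the support attribute on an SP) are choices made here; the attribute names, name format and category URI are the ones the specification defines.

```python
"""Find R&S entity attributes in SAML metadata (added example, standard library only)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Names and value defined by the specification text above.
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
ENTITY_CATEGORY = "http://macedir.org/entity-category"                  # asserted by SPs
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"  # asserted by IdPs
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"


def entity_attribute_values(entity, name):
    """Values of the entity attribute `name` on one EntityDescriptor element.
    Whitespace around a value is ignored, because the specification's own
    examples put the URI on its own line inside <saml:AttributeValue>."""
    values = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        # Both category attributes use the URI name format; an attribute with
        # the same Name but another NameFormat is not the one we are looking for.
        if attr.get("Name") != name or attr.get("NameFormat") != URI_NAME_FORMAT:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            values.add((value.text or "").strip())
    return values


def sp_conforms_to_rs(entity):
    """An SP conforms to R&S if it exhibits entity-category with the R&S value."""
    return RS_CATEGORY in entity_attribute_values(entity, ENTITY_CATEGORY)


def idp_supports_rs(entity):
    """An IdP supports R&S if it self-asserts entity-category-support with the R&S value."""
    return RS_CATEGORY in entity_attribute_values(entity, ENTITY_CATEGORY_SUPPORT)


def classify(metadata_xml):
    """entityID -> (conforms as R&S SP, supports R&S as IdP) for every
    EntityDescriptor, whether the document is one descriptor or an aggregate."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}EntityDescriptor" % NS["md"]
    # Element.iter() includes the root itself, so a bare EntityDescriptor works too.
    return {e.get("entityID"): (sp_conforms_to_rs(e), idp_supports_rs(e))
            for e in root.iter(tag)}


# Constructed sample aggregate (hypothetical entityIDs): a conforming SP, a
# supporting IdP, and an SP that wrongly asserts the *support* attribute.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>
          http://refeds.org/category/research-and-scholarship
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wrong.example.org/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for entity_id, (sp, idp) in classify(SAMPLE_METADATA).items():
        print(f"{entity_id}: R&S SP={sp}  R&S IdP={idp}")
```

The third sample entity shows why the distinction matters for release policy: an IdP that keyed its R&S release rule on the support attribute would release the bundle to an SP that never asserted conformance. A production check would additionally confirm that the entity has an `SPSSODescriptor` or `IDPSSODescriptor` role matching the attribute it asserts.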
5. Attribute Bundle
The R&S attribute bundle consists of the following attributes:
- shared user identifier
- person name
- email address
where shared user identifier is a persistent, non-reassigned, non-targeted identifier, defined to be any one of the following:
- eduPersonPrincipalName (if non-reassigned)
- eduPersonUniqueId
- eduPersonPrincipalName + eduPersonUniqueId
- eduPersonPrincipalName + eduPersonTargetedID
- eduPersonTargetedID
and where person name is defined to be any one of the following:
- displayName
- givenName + sn (surname)
and where email address is defined to be the mail attribute.
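The bundle definition above is a small set of alternatives, and the one with a condition attached (eduPersonPrincipalName on its own counts only when the IdP never reassigns it) is the one deployments tend to get wrong. The following Python function is an added example, not part of this draft, that checks a set of released attribute names against section 5 exactly as written: each component of the bundle is satisfied by any listed alternative, and the eduPersonPrincipalName-only alternative is honoured only when the caller states that its ePPN values are non-reassigned. The attribute sets used as input are constructed; the function and constant names are choices made here.

```python
"""Check released attributes against the R&S attribute bundle of section 5
(added example; attribute names as listed in the draft)."""

# Alternatives for "shared user identifier"; a released set satisfies an
# alternative when it contains every attribute in it.
SHARED_USER_IDENTIFIER_ALTERNATIVES = [
    frozenset({"eduPersonPrincipalName"}),                        # only if non-reassigned
    frozenset({"eduPersonUniqueId"}),
    frozenset({"eduPersonPrincipalName", "eduPersonUniqueId"}),
    frozenset({"eduPersonPrincipalName", "eduPersonTargetedID"}),
    frozenset({"eduPersonTargetedID"}),
]
EPPN_ALONE = frozenset({"eduPersonPrincipalName"})

# Alternatives for "person name".
PERSON_NAME_ALTERNATIVES = [
    frozenset({"displayName"}),
    frozenset({"givenName", "sn"}),
]

# "email address" is exactly the mail attribute.
EMAIL_ATTRIBUTE = "mail"


def has_shared_user_identifier(released, eppn_non_reassigned):
    """True if `released` contains one of the identifier alternatives.
    eduPersonPrincipalName by itself qualifies only when the IdP asserts
    that its ePPN values are never reassigned."""
    for alternative in SHARED_USER_IDENTIFIER_ALTERNATIVES:
        if alternative == EPPN_ALONE and not eppn_non_reassigned:
            continue
        if alternative <= released:
            return True
    return False


def has_person_name(released):
    return any(alternative <= released for alternative in PERSON_NAME_ALTERNATIVES)


def missing_bundle_parts(released, eppn_non_reassigned=False):
    """Names of the bundle components that `released` does not satisfy.
    An empty list means the released set is a complete R&S attribute bundle."""
    released = set(released)
    missing = []
    if not has_shared_user_identifier(released, eppn_non_reassigned):
        missing.append("shared user identifier")
    if not has_person_name(released):
        missing.append("person name")
    if EMAIL_ATTRIBUTE not in released:
        missing.append("email address")
    return missing


def satisfies_rs_bundle(released, eppn_non_reassigned=False):
    return not missing_bundle_parts(released, eppn_non_reassigned)


if __name__ == "__main__":
    # Constructed release policies for illustration.
    cases = [
        ({"eduPersonPrincipalName", "displayName", "mail"}, True),
        ({"eduPersonPrincipalName", "displayName", "mail"}, False),   # reassignable ePPN
        ({"eduPersonTargetedID", "givenName", "mail"}, False),        # givenName without sn
        ({"eduPersonUniqueId", "givenName", "sn"}, False),            # no mail
    ]
    for attrs, non_reassigned in cases:
        print(sorted(attrs), "ePPN non-reassigned:", non_reassigned,
              "->", missing_bundle_parts(attrs, non_reassigned) or "complete bundle")
```

The second case is the important one: the same three attributes form a complete bundle only if the IdP can vouch that eduPersonPrincipalName is never reassigned; otherwise it must add eduPersonUniqueId or eduPersonTargetedID before the release counts as R&S-complete.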
6. Attribute Request
Service Providers SHOULD request a subset of the R&S attribute bundle that represents only those attributes that the Service Provider requires to operate its service.
7. Attribute Release
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
An Identity Provider MUST release the R&S attribute bundle to any conforming R&S Service Provider upon request, in one of two ways:
...
without regard for any R&S
...
attributes requested in Service Provider metadata
...
.
...
2. Syntax
The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship
5. Attribute Request
Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.
An Identity Provider is REQUIRED to release a persistent, non-reassigned, non-targeted identifier to a given R&S Service Provider if and only if one or more of eduPersonPrincipalName, eduPersonUniqueId, or eduPersonTargetedID is listed in SP metadata. Beyond that, an Identity Provider is NOT REQUIRED to release a given R&S attribute unless that attribute is listed in Service Provider metadata.
Any other attribute listed in Service Provider metadata is out of scope with respect to this specification.
6. Attribute Release
Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:
...
For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.
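Under the official text, what an IdP must release depends on two inputs: which attributes the SP lists in its metadata (section 5) and whether the IdP's eduPersonPrincipalName values are reassigned (section 6). The following Python function is an added example, not part of the specification, that combines those two rules into one release decision for a conforming R&S SP: an identifier is required only if one of the three identifier attributes is requested, eduPersonPrincipalName alone suffices only when non-reassigned, eduPersonTargetedID is otherwise required alongside it and recommended in any case, other R&S attributes are required only when listed, and anything else is out of scope. The requested-attribute lists are constructed inputs (the names an SP would list as RequestedAttribute, written as friendly names); the function name and return shape are choices made here.

```python
"""Release decision for a conforming R&S SP under sections 5 and 6 of the
official text (added example; constructed inputs)."""

RS_IDENTIFIERS = {"eduPersonPrincipalName", "eduPersonUniqueId", "eduPersonTargetedID"}
RS_OTHER_ATTRIBUTES = {"mail", "displayName", "givenName", "sn"}


def release_decision(requested, eppn_non_reassigned):
    """requested: attribute names the SP lists in its metadata.
    eppn_non_reassigned: whether this IdP never reassigns ePPN values.
    Returns what the IdP MUST release, what is RECOMMENDED in addition,
    and which requested attributes R&S says nothing about."""
    requested = set(requested)
    must_release = set()
    recommended = set()

    if requested & RS_IDENTIFIERS:
        # Section 5: a persistent, non-reassigned, non-targeted identifier is
        # REQUIRED iff at least one of the three identifiers is listed.
        # Section 6: ePPN suffices only when non-reassigned; otherwise
        # eduPersonTargetedID MUST be released in addition to ePPN.
        # In any case, releasing both is RECOMMENDED.
        must_release.add("eduPersonPrincipalName")
        if eppn_non_reassigned:
            recommended.add("eduPersonTargetedID")
        else:
            must_release.add("eduPersonTargetedID")

    # Section 5: any other R&S attribute is required only when listed.
    must_release |= requested & RS_OTHER_ATTRIBUTES

    # Anything outside the R&S attribute set is out of scope for this category;
    # the IdP decides about it under some other policy.
    out_of_scope = requested - RS_IDENTIFIERS - RS_OTHER_ATTRIBUTES

    return {
        "must_release": must_release,
        "recommended": recommended,
        "out_of_scope": out_of_scope,
    }


if __name__ == "__main__":
    # Constructed SP requests: one with an out-of-scope attribute, one
    # requesting only a name, and one against an IdP that reassigns ePPN.
    for requested, non_reassigned in [
        (["eduPersonPrincipalName", "mail", "eduPersonEntitlement"], True),
        (["displayName"], True),
        (["eduPersonTargetedID", "displayName"], False),
    ]:
        print(requested, "ePPN non-reassigned:", non_reassigned)
        for key, value in release_decision(requested, non_reassigned).items():
            print(f"  {key}: {sorted(value)}")
```

The second case is worth noting: an SP that lists no identifier at all triggers no identifier requirement under section 5, so an IdP that wants to guarantee a stable identifier for its users must rely on the RECOMMENDED release rather than the MUST.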
7. Examples
Standard entity attribute for R&S Service Providers:
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.com/sp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute
          Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  …
</EntityDescriptor>
```
Standard entity attribute for R&S Identity Providers:
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.com/idp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute
          Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  …
</EntityDescriptor>
```