Versions Compared

...

An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.

The R&S attribute bundle consists of the following attributes:

  • persistent, non-reassigned, non-targeted identifier
  • eduPersonPrincipalName
  • eduPersonUniqueId
  • mail
  • displayName
  • givenName
  • sn (surname)
  • eduPersonScopedAffiliation

where a persistent, non-reassigned, non-targeted identifier is defined to be any one of the following:

  1. eduPersonPrincipalName (if non-reassigned)
  2. eduPersonUniqueId
  3. eduPersonPrincipalName + eduPersonUniqueId
  4. eduPersonPrincipalName + eduPersonTargetedID

An Identity Provider that supports the R&S category MUST be willing and able to release all R&S attributes to any conforming R&S Service Provider. The only exception is the eduPersonUniqueId attribute: if the Identity Provider's deployment of eduPersonPrincipalName is non-reassigned, release of eduPersonUniqueId is strictly OPTIONAL.

An Identity Provider MUST release R&S attributes upon request, in one of two ways:

  1. By unconditionally releasing the complete R&S attribute bundle to all R&S Service Providers; OR
  2. By conditionally releasing attributes from the R&S attribute bundle based on the <md:RequestedAttribute> elements in Service Provider metadata, regardless of whether the optional isRequired XML attribute is present.

The following practice should be followed for persistent identifiers:

  • If a Service Provider lists the eduPersonPrincipalName attribute in metadata, and the Identity Provider's deployment of eduPersonPrincipalName allows for reassignment, then the Identity Provider MUST release both eduPersonPrincipalName and eduPersonUniqueId to the Service Provider regardless of whether eduPersonUniqueId is listed in metadata.

  • If a Service Provider lists the eduPersonUniqueId attribute in metadata, and the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, the release of eduPersonUniqueId is OPTIONAL despite its being listed in metadata.

An Identity Provider is REQUIRED to release a persistent, non-reassigned, non-targeted identifier to a given R&S Service Provider if and only if one or more of eduPersonPrincipalName, eduPersonUniqueId, or eduPersonTargetedID is listed in SP metadata. Beyond that, an Identity Provider is NOT REQUIRED to release a given R&S attribute unless that attribute is listed in Service Provider metadata.

Any other attribute listed in Service Provider metadata is out of scope with respect to this specification. 
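The release procedure above (the two release modes, the persistent-identifier practice, and the rule that only attributes listed in Service Provider metadata are required), worked through as an added example that is not part of the specification: a Python decision function that reads the <md:RequestedAttribute> elements and the entity-category tag out of SP metadata and computes what the Identity Provider MUST release and what is OPTIONAL. The sample metadata, its entityID, and the out-of-scope attribute it lists (urn:oid:1.3.6.1.4.1.5923.1.1.1.7, eduPersonEntitlement) are constructed for this example; the urn:oid names for the bundle attributes are the standard eduPerson and LDAP OIDs, and the entity-category attribute name and R&S category URI are the values registered for the category, neither of which is quoted on this page.

```python
"""Attribute-release decision for an R&S Service Provider.

Added example, not the REFEDS specification's own code. Parses the
<md:RequestedAttribute> elements and the entity-category tag from SP
metadata and applies the R&S release rules. SAMPLE_SP is constructed.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# urn:oid attribute Names as they appear in SAML metadata -> friendly names.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}

RS_BUNDLE = frozenset([
    "eduPersonPrincipalName", "eduPersonUniqueId", "mail", "displayName",
    "givenName", "sn", "eduPersonScopedAffiliation",
])
# Listing any of these in SP metadata obliges the IdP to release a
# persistent, non-reassigned, non-targeted identifier.
PERSISTENT_ID_TRIGGERS = frozenset([
    "eduPersonPrincipalName", "eduPersonUniqueId", "eduPersonTargetedID",
])


def parse_sp(metadata_xml):
    """Return (entity categories, requested attribute names) from SP metadata.

    isRequired is read and then discarded on purpose: under the R&S rules a
    listed attribute is released whether or not the flag is present.
    """
    root = ET.fromstring(metadata_xml)
    categories = set()
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == ENTITY_CATEGORY:
            for val in attr.iter(f"{{{SAML}}}AttributeValue"):
                if val.text:
                    categories.add(val.text.strip())
    requested = set()
    for ra in root.iter(f"{{{MD}}}RequestedAttribute"):
        _is_required = ra.get("isRequired")  # deliberately unused
        requested.add(OID_TO_NAME.get(ra.get("Name"), ra.get("Name")))
    return frozenset(categories), frozenset(requested)


def rs_release(requested, eppn_reassignable, unconditional=False):
    """Split the R&S bundle into (MUST release, OPTIONAL) for one SP.

    requested: friendly names listed in SP metadata; anything outside the
    bundle is out of scope and ignored. eppn_reassignable: whether this
    IdP's eduPersonPrincipalName values can be reassigned to another person.
    """
    if unconditional:
        must = set(RS_BUNDLE)
    else:
        must = set(requested) & RS_BUNDLE
        if requested & PERSISTENT_ID_TRIGGERS:
            # A non-reassigned ePPN is itself a persistent identifier; a
            # reassignable one must be paired with eduPersonUniqueId.
            must.add("eduPersonUniqueId" if eppn_reassignable
                     else "eduPersonPrincipalName")
    optional = set()
    if not eppn_reassignable and "eduPersonUniqueId" in must:
        # Non-reassigned ePPN already satisfies the identifier rule, so
        # eduPersonUniqueId is OPTIONAL even when listed or released in bulk.
        must.discard("eduPersonUniqueId")
        optional.add("eduPersonUniqueId")
    return frozenset(must), frozenset(optional)


def decide(metadata_xml, eppn_reassignable, unconditional=False):
    """Return (must, optional) for an R&S SP, or None if the SP is not R&S."""
    categories, requested = parse_sp(metadata_xml)
    if RS_CATEGORY not in categories:
        return None
    return rs_release(requested, eppn_reassignable, unconditional)


# Constructed SP metadata: R&S-tagged, lists five bundle attributes (with and
# without isRequired) plus one attribute outside the bundle.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Research Service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for reassignable in (True, False):
        must, optional = decide(SAMPLE_SP, eppn_reassignable=reassignable)
        print(f"ePPN reassignable={reassignable}: "
              f"MUST={sorted(must)} OPTIONAL={sorted(optional)}")
```

With a reassignable eduPersonPrincipalName the SP's listing of eduPersonPrincipalName pulls eduPersonUniqueId into the MUST set even though it is not in metadata; with a non-reassigned eduPersonPrincipalName the same metadata yields only the five listed attributes, and a listed eduPersonUniqueId is moved to OPTIONAL. The eduPersonEntitlement request is dropped as out of scope, and isRequired never influences the result.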

...

 

6. Attribute Release

Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:

...