...
The R&S attribute bundle consists of the following three meta-attributes:
- user identifier (persistent, non-reassigned, non-targeted)
- person name
- email address

where user identifier is a persistent, non-reassigned, non-targeted (intentionally trackable) identifier defined to be any one of the following:
- eduPersonPrincipalName (if non-reassigned)
- eduPersonUniqueId
- eduPersonPrincipalName + eduPersonTargetedID

and where person name is defined to be at least one of the following:
- displayName
- givenName + sn (surname)

and where email address is defined to be the mail attribute.
An Identity Provider MUST release R&S attributes to any conforming R&S Service Provider upon request, in one of two ways:
...
An Identity Provider is NOT REQUIRED to release the user identifier meta-attribute to a given R&S Service Provider unless one or more of eduPersonPrincipalName, eduPersonUniqueId, or eduPersonTargetedID is requested in Service Provider metadata using <md:RequestedAttribute>, without regard for the isRequired XML attribute. Similarly, an Identity Provider is NOT REQUIRED to release the person name meta-attribute to a given R&S Service Provider unless one or more of displayName, givenName, or sn (surname) is requested in Service Provider metadata using <md:RequestedAttribute>, without regard for the isRequired XML attribute. Finally, an Identity Provider is NOT REQUIRED to release the email address meta-attribute unless the mail attribute is requested in Service Provider metadata using <md:RequestedAttribute>, without regard for the isRequired XML attribute.
Any other attribute listed in Service Provider metadata is out of scope with respect to this specification.
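The release rules above can be checked mechanically against an SP's metadata. The following is an added example, not part of the specification or any IdP product: it reads the <md:RequestedAttribute> elements from a constructed SP metadata document, ignores isRequired as the text requires, and reports which R&S meta-attributes the IdP is obliged to release. The urn:oid mapping covers only the seven R&S attributes; the entityID and metadata content are made up.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constituent attributes of each R&S meta-attribute, keyed by FriendlyName.
META_ATTRIBUTES = {
    "user identifier": {"eduPersonPrincipalName", "eduPersonUniqueId", "eduPersonTargetedID"},
    "person name": {"displayName", "givenName", "sn"},
    "email address": {"mail"},
}

# Standard urn:oid attribute names for the R&S attributes, used when an SP omits FriendlyName.
OID_TO_FRIENDLY = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
}

def requested_friendly_names(metadata_xml: str) -> set:
    """Return the FriendlyNames of every <md:RequestedAttribute> in the SP metadata."""
    names = set()
    for ra in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}RequestedAttribute"):
        # isRequired is deliberately not inspected: only the presence of the listing matters.
        friendly = ra.get("FriendlyName") or OID_TO_FRIENDLY.get(ra.get("Name", ""))
        if friendly:
            names.add(friendly)
    return names

def required_rs_release(metadata_xml: str) -> set:
    """R&S meta-attributes the IdP must release: any whose constituent attribute is requested."""
    requested = requested_friendly_names(metadata_xml)
    return {meta for meta, members in META_ATTRIBUTES.items() if members & requested}

# Constructed SP metadata: ePPN marked optional, givenName listed by OID only, mail with no isRequired.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example R&amp;S service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="false"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata that requests only mail: no user identifier or person name is owed.
MAIL_ONLY_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://mail-only.example.org/sp">
  <md:SPSSODescriptor><md:AttributeConsumingService index="0">
    <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
  </md:AttributeConsumingService></md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(sorted(required_rs_release(SAMPLE_SP_METADATA)))
    print(sorted(required_rs_release(MAIL_ONLY_SP_METADATA)))
```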
...