
This document is an attempt to clarify the R&S specification to address issues that have arisen in its initial deployment by federations, particularly confusion over its relationship to other, unrelated mechanisms and regimes for attribute release facilitation.

While it represents a perception of some mild consensus on the REFEDS list, it should currently be viewed as the author's opinion, pending further review.

Summary of Changes

Minor wording clarifications and larger explicit clarifications addressing points of apparent differing practice are included in green.

Suggested deletions of requirements that have led to confusion and differing practice are struck through.

The author believes the changes made would not cause any existing SP claiming the category to become unable to do so. It is a given based on discussion on the list that some IdPs claiming the category would become unable to do so.


Overview

Research and Education Federations are invited to use the REFEDS Research and Scholarship Entity Category with their members to support the release of attributes to Service Providers meeting the requirements described below.

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119 [RFC2119]. This definition is written in compliance with the Entity Category SAML Entity Metadata Attribute Types specification [EntityCatTypes].

An FAQ for the Entity Category has been made available to help deployments [R&SFAQ].

1. Definition

Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part.

Example Service Providers may include (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.

2. Syntax

The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute:

http://refeds.org/category/research-and-scholarship

Refer to Section 8 for usage examples.

3. Semantics

By asserting a Service Provider to be a member of an Entity Category, a registrar claims that:

  • 3.1 The Service Provider has applied for membership in the Category and complies with the R&S registration criteria.
  • 3.2 The Service Provider’s application for R&S has been reviewed and approved by the registrar.

In possessing the Entity Category Attribute with the above value, a Service Provider claims that it will not use attributes for purposes that fall outside of the service definition.

In possessing the Entity Category Support Attribute with the above value, an Identity Provider claims that it will release attributes to R&S Service Providers as outlined in the “Attribute Release” section below.

4. Registration Criteria

When a Service Provider’s registrar (normally the Service Provider’s home federation) registers the Service Provider in the Entity Category, the registrar MUST perform at least the following checks:

  • 4.1 The service enhances the research and scholarship activities of some subset of the registrar’s user community.
  • 4.2 Service metadata has been submitted to the registrar and published in the metadata aggregate that the registrar makes available for public consumption.
  • 4.3 The service meets the following technical requirements:
    • 4.3.1 The Service Provider is a production SAML deployment that supports SAML V2.0 HTTP-POST binding.
    • 4.3.2 The Service Provider claims to refresh federation metadata at least daily.
    • 4.3.3 The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata.
    • 4.3.4 The Service Provider provides one or more technical contacts in metadata.
    • 4.3.5 The Service Provider provides requested attributes in metadata.

R&S Service Providers MUST resolve issues of non-compliance within a reasonable period of time from when they become aware of the issue. Failure to do so MUST result in revocation of the entity’s membership in the R&S category.
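As an added example that is not part of the specification or of any federation's registration tooling, the following Python script encodes the checks a registrar can make mechanically from the submitted metadata: 4.3.3 (mdui:DisplayName and mdui:InformationURL), 4.3.4 (a technical contact), 4.3.5 (requested attributes), the HTTP-POST part of 4.3.1, and the Section 8 syntax, under which a Service Provider asserts the category with the Entity Category attribute (http://macedir.org/entity-category) and not with the Entity Category Support attribute that Identity Providers use. The EntityDescriptor, its entityID, URLs and contact address are constructed for the example; the remaining criteria (4.1, 4.2, production status and the refresh practice) are judgement or operational checks that a parser cannot make.

```python
"""Registrar-side checks for an SP applying for R&S (Sections 4.3 and 8).

Added example; not part of the REFEDS specification or any federation's tooling.
The metadata below is constructed. Criteria 4.1, 4.2, 4.3.1 (production status)
and 4.3.2 (daily refresh) need human or operational review, not a parser.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
RS = "http://refeds.org/category/research-and-scholarship"
ENTITY_CATEGORY = "http://macedir.org/entity-category"                  # asserted by SPs
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"  # asserted by IdPs
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def entity_attribute_values(entity, name):
    """Values of one entity attribute, trimmed (consumers tend to exact-match them)."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values

def check_rs_sp(entity):
    """Return the problems found for an EntityDescriptor; [] means the checks pass."""
    problems = []
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: not a Service Provider"]
    # Section 8: an SP asserts membership with the Entity Category attribute; the
    # "-support" attribute is an IdP's statement and means nothing on an SP.
    if RS not in entity_attribute_values(entity, ENTITY_CATEGORY):
        problems.append("R&S not asserted via " + ENTITY_CATEGORY)
    if RS in entity_attribute_values(entity, ENTITY_CATEGORY_SUPPORT):
        problems.append("SP carries the IdP-only entity-category-support attribute")
    # 4.3.1, the part a parser can see: an HTTP-POST assertion consumer endpoint.
    if HTTP_POST not in {a.get("Binding") for a in sp.findall("md:AssertionConsumerService", NS)}:
        problems.append("no AssertionConsumerService with the HTTP-POST binding")
    # 4.3.3: mdui:DisplayName and mdui:InformationURL.
    uiinfo = sp.find("md:Extensions/mdui:UIInfo", NS)
    for tag in ("DisplayName", "InformationURL"):
        if uiinfo is None or uiinfo.find("mdui:" + tag, NS) is None:
            problems.append("missing mdui:" + tag)
    # 4.3.4: at least one technical contact.
    if not any(c.get("contactType") == "technical" for c in entity.findall("md:ContactPerson", NS)):
        problems.append("no technical ContactPerson")
    # 4.3.5: requested attributes published in metadata.
    if not sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
        problems.append("no md:RequestedAttribute")
    return problems

def check_rs_sp_xml(xml_text):
    return check_rs_sp(ET.fromstring(xml_text))

# Constructed EntityDescriptor for the example; entityID, URLs and contact are hypothetical.
GOOD_SP = """<md:EntityDescriptor entityID="https://wiki.example.org/sp"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Project Wiki</mdui:DisplayName>
        <mdui:InformationURL xml:lang="en">https://wiki.example.org/about</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://wiki.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Project Wiki</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:sp-admin@wiki.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""

# The same SP with a mistake seen in practice: the IdP-side "-support" attribute name.
WRONG_ATTRIBUTE_SP = GOOD_SP.replace('Name="http://macedir.org/entity-category"',
                                     'Name="http://macedir.org/entity-category-support"')

if __name__ == "__main__":
    for label, xml in (("good", GOOD_SP), ("wrong attribute", WRONG_ATTRIBUTE_SP)):
        print(label + ":", check_rs_sp_xml(xml) or "OK")
```

The attribute values are trimmed before comparison because metadata consumers generally match entity attribute values as exact strings; the mislabelled variant shows that an SP carrying the R&S value under the Support attribute fails the first check and trips the second, which is the confusion Section 8 is meant to settle.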

5. Attribute Bundle

The mechanism by which this entity category provides for consistent attribute release is through the definition of a set of commonly supported and consumed attributes typically required for effective use of R&S services. The attributes chosen represent a privacy baseline such that further minimization achieves no particular benefit to a user. Thus, the minimal disclosure principle is already designed into the category.

This approach is orthogonal to the practice of attempting to enumerate the specific attributes needed by a service, debate over whether those attributes are actually required or not, and the complexity inherent in attempting to curate and communicate them. Specifically, the use of the <md:RequestedAttribute> mechanism supported by SAML metadata is outside the scope of this category, and may co-exist with it in deployments as desired, subject to this specification's requirements being met.

The R&S attribute bundle consists (abstractly) of the following data elements:

  • shared user identifier
  • person name
  • email address
  • affiliation

where shared user identifier is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:

  1. eduPersonPrincipalName (if non-reassigned)
  2. eduPersonPrincipalName + eduPersonTargetedID

and where person name is defined to be either (or both) of the following:

  1. displayName
  2. givenName + sn

and where email address is defined to be the mail attribute,

and where affiliation is defined to be the eduPersonScopedAffiliation attribute.

6. Service Provider Attribute Requirements

Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.

Service Providers SHOULD limit their data requirements to the bundle of attributes defined in Section 5, but MAY negotiate for additional data as required via mechanisms that are outside the scope of this specification.

7. Identity Provider Attribute Release

Identity Providers are strongly encouraged to release the bundle defined in Section 5 to R&S category Service Providers.

An Identity Provider indicates support for the R&S Category by exhibiting the Entity Category Support attribute with the R&S value in its metadata. Such an Identity Provider MUST, for a significant subset of its user population, release the minimal subset of the R&S attribute bundle (described below) to R&S Service Providers without administrative involvement by any party, either automatically or subject to user consent.

The following attributes constitute the minimal subset of the R&S attribute bundle:

  • eduPersonPrincipalName
  • mail
  • displayName OR (givenName AND sn)

For the purposes of effective access control, a persistent, non-reassigned, non-targeted identifier is REQUIRED. If the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise the Identity Provider MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED. Likewise the release of all three person name attributes (displayName, givenName, sn) is also RECOMMENDED.

An Identity Provider that releases a smaller subset of the R&S attribute bundle, for any reason, SHALL NOT claim support for this category, that is, the Identity Provider SHALL NOT exhibit the Entity Category Support attribute with the R&S value in its metadata. Exceptions for specific Service Providers may apply in the event of a security incident or other isolated circumstances.
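The release rule of Sections 5 to 7 seen from the Identity Provider's side, as an added example that is not part of the specification or of any IdP product: the SP is recognised as R&S only through the Entity Category attribute, the released set is the user's part of the Section 5 bundle and nothing more, the minimal subset is checked with the eduPersonPrincipalName reassignment rule, and the "significant subset of its user population" test is approximated with a threshold. The user records, the SP entity-attribute dictionaries, the non-reassignment flag and the 90% threshold are all assumptions made for the example.

```python
"""IdP-side view of the R&S bundle (Sections 5 to 7).

Added example; not part of the REFEDS specification or of any IdP software.
User records and SP entity attributes are constructed; whether the IdP's
eduPersonPrincipalName is non-reassigned is a deployment fact passed as a flag.
"""
RS = "http://refeds.org/category/research-and-scholarship"
ENTITY_CATEGORY = "http://macedir.org/entity-category"  # the SP-side attribute (Section 8)

# The whole bundle of Section 5. Nothing outside it is released under the category;
# anything more needs a separate arrangement (Section 6).
RS_BUNDLE = frozenset({
    "eduPersonPrincipalName", "eduPersonTargetedID",
    "displayName", "givenName", "sn",
    "mail", "eduPersonScopedAffiliation",
})


def is_rs_sp(sp_entity_attributes):
    """sp_entity_attributes: entity attribute Name -> set of values, read from SP metadata.

    Only the Entity Category attribute counts. An SP that carries the R&S value under
    entity-category-support (an IdP-only attribute) is not in the category.
    """
    return RS in sp_entity_attributes.get(ENTITY_CATEGORY, ())


def minimal_subset_problems(user_attrs, eppn_non_reassigned):
    """Section 7: what stops this user's attributes from meeting the minimal subset."""
    problems = []
    if "eduPersonPrincipalName" not in user_attrs:
        problems.append("eduPersonPrincipalName missing")
    elif not eppn_non_reassigned and "eduPersonTargetedID" not in user_attrs:
        # A reassignable ePPN alone is not a safe key for access control.
        problems.append("eduPersonPrincipalName is reassignable; eduPersonTargetedID required")
    if "mail" not in user_attrs:
        problems.append("mail missing")
    if "displayName" not in user_attrs and not {"givenName", "sn"} <= set(user_attrs):
        problems.append("need displayName or both givenName and sn")
    return problems


def rs_release(user_attrs, sp_entity_attributes):
    """Attributes to send to this SP under R&S: the user's part of the bundle,
    or nothing at all if the SP is not in the category."""
    if not is_rs_sp(sp_entity_attributes):
        return {}
    return {k: v for k, v in user_attrs.items() if k in RS_BUNDLE}


def can_claim_support(users, eppn_non_reassigned, threshold=0.9):
    """Whether the IdP may advertise entity-category-support for R&S: Section 7 requires
    the minimal subset for a "significant subset" of users. The 90% figure is an
    assumption for this example; the specification does not define the proportion."""
    ok = sum(1 for u in users if not minimal_subset_problems(u, eppn_non_reassigned))
    return ok / len(users) >= threshold


# Constructed data. The SP dicts stand for what a metadata consumer extracted.
WIKI_SP = {ENTITY_CATEGORY: {RS}}
MISLABELLED_SP = {"http://macedir.org/entity-category-support": {RS}}
ALICE = {"eduPersonPrincipalName": "alice@example.edu", "mail": "alice@example.edu",
         "givenName": "Alice", "sn": "Liddell", "eduPersonScopedAffiliation": "member@example.edu",
         "uid": "alice", "eduPersonEntitlement": "urn:mace:example.edu:lab-access"}
BOB = {"eduPersonPrincipalName": "bob@example.edu", "displayName": "Bob Example"}  # no mail

if __name__ == "__main__":
    print(sorted(rs_release(ALICE, WIKI_SP)))        # bundle only; uid and entitlement withheld
    print(rs_release(ALICE, MISLABELLED_SP))         # {} : not an R&S SP
    print(minimal_subset_problems(ALICE, eppn_non_reassigned=False))
    print(can_claim_support([ALICE, BOB], eppn_non_reassigned=True))
```

In a Shibboleth IdP the same decision is typically written as an AttributeFilterPolicy whose PolicyRequirementRule is of type EntityAttributeExactMatch on http://macedir.org/entity-category with the R&S value, followed by AttributeRule elements for the bundle attributes; that rule is the counterpart of is_rs_sp above, and a user for whom the minimal subset cannot be met counts against the "significant subset" rather than blocking release of what the IdP does hold.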

8. Examples

A Service Provider that conforms to R&S would exhibit the following EntityAttribute in SAML metadata. Note the attribute Name: a Service Provider carries the Entity Category attribute (http://macedir.org/entity-category); the Entity Category Support attribute is used only by Identity Providers.

An entity attribute for SPs that conform to R&S
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for SPs that conform to R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <!-- the refeds.org R&S entity attribute value, kept on one line because
         metadata consumers generally compare it as an exact string -->
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

An Identity Provider that supports R&S would exhibit the following EntityAttribute in SAML metadata, using the Entity Category Support attribute (http://macedir.org/entity-category-support):

An entity attribute for IdPs that support R&S
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&S entity attribute value, kept on one line because
         metadata consumers generally compare it as an exact string -->
    <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>