You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line.

6. Attribute Release

An Identity Provider supports the R&S category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all R&S Service Providers without administrative involvement, either automatically or subject to user consent. The R&S attribute bundle consists of the following attributes:

  • eduPersonPrincipalName

  • eduPersonUniqueId

  • mail

  • displayName

  • givenName

  • sn (surname)

An Identity Provider that supports the R&S category MUST be willing and able to release all R&S attributes to all R&S Service Providers. The only exception is the eduPersonUniqueId attribute: If the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, release of eduPersonUniqueId is strictly OPTIONAL.

An Identity Provider MUST release R&S attributes upon request, in one of two ways:

  1. By unconditionally releasing the complete R&S attribute bundle to all R&S SPs; OR
  2. By conditionally releasing attributes based on the <md:RequestedAttribute> elements in Service Provider metadata.

As suggested above, a sufficiently capable IdP deployment MAY optimize attribute release based on the <md:RequestedAttribute> elements in Service Provider metadata.

The following practice should be followed for persistent identifiers:

  • If a Service Provider lists the eduPersonPrincipalName attribute in metadata, and the Identity Provider's deployment of eduPersonPrincipalName allows for reassignment, then the Identity Provider MUST release both eduPersonPrincipalName and eduPersonUniqueId to the Service Provider regardless of whether eduPersonUniqueId is listed in metadata.

  • If a Service Provider lists the eduPersonUniqueId attribute in metadata, and the Identity Provider’s deployment of eduPersonPrincipalName is non-reassigned, the release of eduPersonUniqueId is OPTIONAL despite its being listed in metadata.

Any non-R&S bundle attribute listed in Service Provider metadata is out of scope with respect to this specification.

An Identity Provider MUST NOT require the isRequired XML attribute to be present on any given requested R&S attribute in Service Provider metadata. That is, an Identity Provider that supports the R&S category MUST be able meet the requirements of this specification regardless of whether the isRequired XML attribute is (or is not) present on any given requested R&S attribute in Service Provider metadata.

 


 

6. Attribute Release

Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:

  • personal identifiers: email address, person name, eduPersonPrincipalName.

  • pseudonymous identifier: eduPersonTargetedID.

  • affiliation: eduPersonScopedAffiliation.

Where email address refers to the mail attribute and person name refers to displayName and optionally givenName and sn (i.e., surname).

An Identity Provider supports the R&S Category if, for some subset of the Identity Provider’s user population, the Identity Provider releases a minimal subset of the R&S attribute bundle to R&S Service Providers without administrative involvement, either automatically or subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:

  • eduPersonPrincipalName

  • mail

  • displayName OR (givenName AND sn)

For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.

  • No labels