6. Attribute Release
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
The R&S attribute bundle consists of the following attributes:
- persistent, non-reassigned, non-targeted identifier
- mail
- displayName
- givenName
- sn (surname)
where a persistent, non-reassigned, non-targeted identifier is defined to be any one of the following:
- eduPersonPrincipalName (if non-reassigned)
- eduPersonUniqueId
- eduPersonPrincipalName + eduPersonUniqueId
- eduPersonPrincipalName + eduPersonTargetedID
An Identity Provider that supports the R&S category MUST be willing and able to release all R&S attributes to any conforming R&S Service Provider.
An Identity Provider MUST release R&S attributes upon request, in one of two ways:
- By unconditionally releasing the complete R&S attribute bundle; OR
- By conditionally releasing attributes from the R&S attribute bundle based on the <md:RequestedAttribute> elements in Service Provider metadata, regardless of whether the optional isRequired XML attribute is (or is not) present.
An Identity Provider is REQUIRED to release a persistent, non-reassigned, non-targeted identifier to a given R&S Service Provider if and only if one or more of eduPersonPrincipalName, eduPersonUniqueId, or eduPersonTargetedID is listed in SP metadata. Beyond that, an Identity Provider is NOT REQUIRED to release a given R&S attribute unless that attribute is listed in Service Provider metadata.
Any other attribute listed in Service Provider metadata is out of scope with respect to this specification.
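The release rules above can be applied mechanically to an SP's metadata. The following is an added example, not text or code from the specification: it reads the <md:RequestedAttribute> elements from a constructed SP metadata document (the entityID and attribute set are hypothetical), ignores isRequired as the rules demand, maps the standard urn:oid SAML 2.0 attribute names to the R&S bundle members, validates that the IdP's chosen identifier is one of the four defined options, and computes what the IdP must release in each of the two permitted modes. Attributes listed in metadata that are not in the bundle are reported as out of scope.

```python
"""Attribute-release decision for an R&S Service Provider.

Added example (not part of the specification): given an SP's SAML metadata,
compute the set of R&S bundle attributes the IdP is required to release under
the two permitted modes, and check that the IdP's identifier choice is one of
the four defined persistent, non-reassigned, non-targeted identifiers.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Standard SAML 2.0 (urn:oid) attribute names of the R&S bundle members.
RS_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
}
IDENTIFIER_ATTRIBUTES = frozenset(
    {"eduPersonPrincipalName", "eduPersonUniqueId", "eduPersonTargetedID"})
NAME_ATTRIBUTES = frozenset({"mail", "displayName", "givenName", "sn"})

# The four identifier choices defined in section 6; eduPersonPrincipalName
# alone is acceptable only when the deployment never reassigns it.
IDENTIFIER_CHOICES = (
    frozenset({"eduPersonPrincipalName"}),
    frozenset({"eduPersonUniqueId"}),
    frozenset({"eduPersonPrincipalName", "eduPersonUniqueId"}),
    frozenset({"eduPersonPrincipalName", "eduPersonTargetedID"}),
)


def valid_identifier_choice(choice, eppn_nonreassigned):
    """True if `choice` is one of the defined identifier options."""
    choice = frozenset(choice)
    if choice == frozenset({"eduPersonPrincipalName"}):
        return bool(eppn_nonreassigned)
    return choice in IDENTIFIER_CHOICES


def requested_attribute_names(sp_metadata_xml):
    """Names of all <md:RequestedAttribute> elements; isRequired is ignored."""
    root = ET.fromstring(sp_metadata_xml)
    return [ra.get("Name") for ra in root.iter(f"{{{MD_NS}}}RequestedAttribute")]


def required_release(sp_metadata_xml, identifier_choice, eppn_nonreassigned,
                     unconditional=False):
    """Return (sorted attributes the IdP must release, requested names out of scope)."""
    if not valid_identifier_choice(identifier_choice, eppn_nonreassigned):
        raise ValueError("identifier choice is not a defined R&S identifier")
    identifier_choice = frozenset(identifier_choice)
    names = requested_attribute_names(sp_metadata_xml)
    out_of_scope = [n for n in names if n not in RS_ATTRIBUTES]
    requested = {RS_ATTRIBUTES[n] for n in names if n in RS_ATTRIBUTES}

    if unconditional:
        release = set(identifier_choice) | set(NAME_ATTRIBUTES)
    else:
        release = requested & NAME_ATTRIBUTES
        # Any listed identifier attribute obliges the IdP to release *its*
        # persistent identifier, which need not be the one the SP named.
        if requested & IDENTIFIER_ATTRIBUTES:
            release |= identifier_choice
    return sorted(release), out_of_scope


# Constructed sample SP metadata (hypothetical entityID), not from a real SP.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Wiki</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="false"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    # The SP asked for eduPersonTargetedID; an IdP that chose eduPersonUniqueId
    # as its identifier releases that instead, plus mail and displayName.
    print(required_release(SAMPLE_SP_METADATA, {"eduPersonUniqueId"}, False))
    print(required_release(SAMPLE_SP_METADATA, {"eduPersonUniqueId"}, False,
                           unconditional=True))
```

In the sample, the SP lists eduPersonTargetedID and eduPersonScopedAffiliation among others; the former triggers the identifier rule (satisfied by whichever defined identifier the IdP chose), while the latter is outside the bundle and therefore out of scope for the category.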
6. Attribute Release
Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:
- personal identifiers: email address, person name, eduPersonPrincipalName
- pseudonymous identifier: eduPersonTargetedID
- affiliation: eduPersonScopedAffiliation
where email address refers to the mail attribute and person name refers to displayName and optionally givenName and sn (i.e., surname).
An Identity Provider supports the R&S Category if, for some subset of the Identity Provider’s user population, the Identity Provider releases a minimal subset of the R&S attribute bundle to R&S Service Providers without administrative involvement, either automatically or subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:
- eduPersonPrincipalName
- mail
- displayName OR (givenName AND sn)
For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.
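An IdP operator can check a candidate release policy against this older minimal-subset rule before asserting R&S support. The following is an added example, not code from the specification: it takes the set of attributes the IdP releases to R&S SPs (friendly names) and whether the deployment's eduPersonPrincipalName is non-reassigned, and reports violations of the MUST-level rules separately from the RECOMMENDED and encouraged items.

```python
"""Check an IdP's R&S release set against the minimal subset (older text).

Added example, not part of the specification. `released` is the set of
friendly attribute names the IdP releases to R&S SPs; `eppn_nonreassigned`
states whether the deployment never reassigns eduPersonPrincipalName.
"""


def check_minimal_subset(released, eppn_nonreassigned):
    """Return (errors, warnings).

    errors: MUST-level gaps that mean the IdP does not support the category.
    warnings: RECOMMENDED / encouraged attributes that are not released.
    """
    released = set(released)
    errors, warnings = [], []

    if "eduPersonPrincipalName" not in released:
        errors.append("eduPersonPrincipalName is missing")
    if "mail" not in released:
        errors.append("mail is missing")
    if "displayName" not in released and not {"givenName", "sn"} <= released:
        errors.append("person name is missing: need displayName or both givenName and sn")

    # Access control needs a non-reassigned persistent identifier: a reassignable
    # ePPN must be accompanied by eduPersonTargetedID.
    if not eppn_nonreassigned and "eduPersonTargetedID" not in released:
        errors.append("eduPersonPrincipalName may be reassigned, so "
                      "eduPersonTargetedID MUST also be released")

    if not {"eduPersonPrincipalName", "eduPersonTargetedID"} <= released:
        warnings.append("releasing both eduPersonPrincipalName and "
                        "eduPersonTargetedID is RECOMMENDED")
    if "eduPersonScopedAffiliation" not in released:
        warnings.append("eduPersonScopedAffiliation is part of the encouraged "
                        "R&S bundle but is not released")
    return errors, warnings


if __name__ == "__main__":
    # Constructed policies: a bare minimum with a stable ePPN, and a deployment
    # that reuses ePPNs and releases only a given name.
    print(check_minimal_subset({"eduPersonPrincipalName", "mail", "displayName"}, True))
    print(check_minimal_subset({"eduPersonPrincipalName", "mail", "givenName"}, False))
```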