5. Attribute Bundle
Conceptually, the R&S attribute bundle consists of the following three attributes:
- non-private user identifier
- person name
- email address
Technically, a non-private user identifier is a persistent, non-reassigned, non-targeted identifier defined to be any one of the following:
eduPersonUniqueId
eduPersonPrincipalName
(if non-reassigned)eduPersonPrincipalName
+eduPersonTargetedID
Likewise, person name is defined to be any one of the following:
displayName
givenName
+sn
(surname)
Finally, an email address is synonymous with the mail
attribute.
6. Attribute Request
If a Service Provider requests a particular R&S attribute, the Identity Provider is REQUIRED to release it. Thus one or more R&S attributes MUST be listed in Service Provider metadata, otherwise the Identity Provider may release nothing at all.
If a Service Provider requests an R&S attribute in metadata, that attribute MUST be required to operate the service. Thus an R&S attribute requested in metadata MUST NOT be decorated with isRequired="false"
. Beyond that, the use of the isRequired
XML attribute on any <md:RequestedAttribute>
element in metadata is unspecified.
7. Attribute Release
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
An Identity Provider MUST release R&S attributes to any conforming R&S Service Provider upon request, in one of two ways:
- By unconditionally releasing the complete R&S attribute bundle; OR
- By filtering attributes from the R&S attribute bundle based on the
<md:RequestedAttribute>
elements in Service Provider metadata, regardless of whether the optionalisRequired
XML attribute is (or is not) present.
An Identity Provider is NOT REQUIRED to release the non-private user identifier attribute to a given R&S Service Provider unless one or more of eduPersonUniqueId
, eduPersonPrincipalName
, or eduPersonTargetedID
is requested in Service Provider metadata, without regard for the isRequired
XML attribute. Similarly, an Identity Provider is NOT REQUIRED to release the person name attribute to a given R&S Service Provider unless one or more of displayName
, givenName
, or sn
(surname) is requested in Service Provider metadata, without regard for the isRequired
XML attribute. Finally, an Identity Provider is NOT REQUIRED to release the email address attribute unless the mail
attribute is requested in Service Provider metadata, without regard for the isRequired
XML attribute.
Any other attribute listed in Service Provider metadata is out of scope with respect to this specification.
8. Examples
TBD
5. Attribute Request
Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.
6. Attribute Release
Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:
personal identifiers: email address, person name, eduPersonPrincipalName.
pseudonymous identifier: eduPersonTargetedID.
affiliation: eduPersonScopedAffiliation.
Where email address refers to the mail attribute and person name refers to displayName and optionally givenName and sn (i.e., surname).
An Identity Provider supports the R&S Category if, for some subset of the Identity Provider’s user population, the Identity Provider releases a minimal subset of the R&S attribute bundle to R&S Service Providers without administrative involvement, either automatically or subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:
eduPersonPrincipalName
mail
displayName OR (givenName AND sn)
For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.
7. Examples
Standard entity attribute for R&S Service Providers:
<EntityDescriptor xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”
entityID=”https://service.example.com/sp”>
<Extensions xmlns:mdattr=”urn:oasis:names:tc:SAML:metadata:attribute”>
<mdattr:EntityAttributes xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion”>
<saml:Attribute
Name=”http://macedir.org/entity-category”
NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri”>
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship>
</saml:Attribute>
</mdattr:EntityAttributes>
</Extensions>
…
</EntityDescriptor>
Standard entity attribute for R&S Identity Providers:
<EntityDescriptor xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”
entityID=”https://service.example.com/idp”>
<Extensions xmlns:mdattr=”urn:oasis:names:tc:SAML:metadata:attribute”>
<mdattr:EntityAttributes xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion”>
<saml:Attribute
Name=”http://macedir.org/entity-category-support”
NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri”>
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship> </saml:Attribute>
</mdattr:EntityAttributes>
</Extensions>
…
</EntityDescriptor>