Attribute Release Requirements

2. Syntax

The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute:

http://refeds.org/category/research-and-scholarship

A Service Provider that conforms to R&S exhibits the following entity attribute in its metadata:

<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for SPs that conform to R&amp;S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&amp;S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

An Identity Provider that supports R&S self-asserts the following entity attribute in its metadata:

<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&amp;S -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&amp;S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

5. Attribute Bundle

The R&S attribute bundle consists of the following attributes:

• refedsNonPrivateUserID: a non-private user identifier
• refedsPersonName: a person name
• refedsEmailAddress: an email address

These attributes are "above-the-wire" attributes intended solely to facilitate attribute release. See: REFEDS Attribute Registry

6. Attribute Request

If a Service Provider requests an R&S attribute, the Identity Provider is REQUIRED to release it. Thus one or more R&S attributes MUST be listed in Service Provider metadata, otherwise the Identity Provider may release nothing at all.

Service Providers SHOULD request a subset of R&S attributes that represent only those attributes that the Service Provider requires to operate its service. Such an R&S attribute requested in metadata MUST NOT be decorated with isRequired="false".

7. Attribute Release

An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.

An Identity Provider MUST release R&S attributes to any conforming R&S Service Provider upon request, in one of two ways:

1. By unconditionally releasing the complete R&S attribute bundle; OR
2. By filtering attributes from the R&S attribute bundle based on the <md:RequestedAttribute> elements in Service Provider metadata, regardless of whether the optional isRequired XML attribute is (or is not) present.

An Identity Provider is NOT REQUIRED to release an R&S attribute to a given R&S Service Provider unless that attribute is requested in Service Provider metadata. Conversely, an Identity Provider that supports the R&S category MUST release the attributes shown below upon request from the Service Provider:

 All other attributes listed in Service Provider metadata are out of scope with respect to this specification.

8. Examples

Example 1. The R&S Service Provider requests refedsNonPrivateUserID, refedsPersonName, and refedsEmailAddress in metadata.

An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserID, refedsPersonName, and refedsEmailAddress).

Example 2. The R&S Service Provider requests eduPersonUniqueId, displayName, and mail in metadata.

An Identity Provider that supports R&S releases the full R&S bundle (refedsNonPrivateUserID, refedsPersonName, and refedsEmailAddress). Compare with the previous example.

Example 3. The R&S Service Provider requests refedsNonPrivateUserID and refedsEmailAddress in metadata.

An Identity Provider that supports R&S releases at least refedsNonPrivateUserID and refedsEmailAddress. Some Identity Providers will release refedsPersonName as well. Presumably this latter group of Identity Providers do not filter on requested attributes in metadata.

Example 4. The R&S Service Provider requests refedsEmailAddress in metadata.

An Identity Provider that supports R&S releases at least the refedsEmailAddress attribute. Some Identity Providers, even those that filter on requested attributes in metadata, may release refedsNonPrivateUserID as well.

Example 5. The R&S Service Provider requests refedsUserID in metadata.

An Identity Provider that supports R&S releases at least the refedsNonPrivateUserID attribute. Other Identity Providers may release any persistent, non-reassigned user identifier, including refedsPrivateUserID (i.e., eduPersonTargetedID) but this is out of scope with respect to this specification.

2. Syntax

The following URI is used as the attribute value for the Entity Category and Entity Category Support attribute: http://refeds.org/category/research-and-scholarship

5. Attribute Request

Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.

6. Attribute Release

Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:

• personal identifiers: email address, person name, eduPersonPrincipalName.

• pseudonymous identifier: eduPersonTargetedID.

• affiliation: eduPersonScopedAffiliation.

Where email address refers to the mail attribute and person name refers to displayName and optionally givenName and sn (i.e., surname).

An Identity Provider supports the R&S Category if, for some subset of the Identity Provider’s user population, the Identity Provider releases a minimal subset of the R&S attribute bundle to R&S Service Providers without administrative involvement, either automatically or subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:

• eduPersonPrincipalName

• mail

• displayName OR (givenName AND sn)

For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.

7. Examples

Standard entity attribute for R&S Service Providers:

<EntityDescriptor xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”
entityID=”https://service.example.com/sp”>
<Extensions xmlns:mdattr=”urn:oasis:names:tc:SAML:metadata:attribute”>
<mdattr:EntityAttributes xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion”>
<saml:Attribute
Name=”http://macedir.org/entity-category”
NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri”>
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship>
</saml:Attribute>
</mdattr:EntityAttributes>
</Extensions>
…
</EntityDescriptor>

Standard entity attribute for R&S Identity Providers:

<EntityDescriptor xmlns=”urn:oasis:names:tc:SAML:2.0:metadata”
entityID=”https://service.example.com/idp”>
<Extensions xmlns:mdattr=”urn:oasis:names:tc:SAML:metadata:attribute”>
<mdattr:EntityAttributes xmlns:saml=”urn:oasis:names:tc:SAML:2.0:assertion”>
<saml:Attribute
Name=”http://macedir.org/entity-category-support”
NameFormat=”urn:oasis:names:tc:SAML:2.0:attrname-format:uri”>
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship> </saml:Attribute>
</mdattr:EntityAttributes>
</Extensions>
…
</EntityDescriptor>