The following draft text is for discussion only! For comparison, the official normative text is shown below the horizontal line.
The R&S attribute bundle consists of the following attributes:
- refedsNonPrivateUserID: a non-private user identifier
- refedsPersonName: a person name
- refedsEmailAddress: an email address

These attributes are "above-the-wire" attributes intended solely to facilitate attribute release. See: REFEDS Attribute Registry
If a Service Provider requests a particular R&S attribute, the Identity Provider is REQUIRED to release it. Thus one or more R&S attributes MUST be listed in Service Provider metadata, otherwise the Identity Provider may release nothing at all.
If a Service Provider requests an R&S attribute in metadata, that attribute MUST be required to operate the service. Thus an R&S attribute requested in metadata MUST NOT be decorated with isRequired="false". Beyond that, the use of the isRequired XML attribute on any <md:RequestedAttribute> element in metadata is unspecified.
An Identity Provider supports the Research & Scholarship (R&S) category if, for some subset of the Identity Provider’s user population, the Identity Provider is willing and able to release the R&S attribute bundle to all conforming R&S Service Providers without administrative involvement, either automatically or subject to user consent.
An Identity Provider MUST release R&S attributes to any conforming R&S Service Provider upon request, in one of two ways:

- <md:RequestedAttribute> elements in Service Provider metadata, regardless of whether the optional isRequired XML attribute is (or is not) present.

An Identity Provider is NOT REQUIRED to release an R&S attribute to a given R&S Service Provider unless that attribute is requested in Service Provider metadata. In particular, an Identity Provider that supports the R&S category MUST release the attributes shown below upon request from the Service Provider:
| requested | released |
|---|---|
| refedsUserID | refedsNonPrivateUserID |
| refedsNonPrivateUserID | refedsNonPrivateUserID |
| eduPersonUniqueId | refedsNonPrivateUserID |
| refedsPersonName | refedsPersonName |
| displayName | refedsPersonName |
| refedsEmailAddress | refedsEmailAddress |
| mail | refedsEmailAddress |
All other attributes listed in Service Provider metadata are out of scope with respect to this specification.
TBD

---
Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service.
Identity Providers are strongly encouraged to release the following bundle of attributes to R&S category Service Providers:

- personal identifiers: email address, person name, eduPersonPrincipalName.
- pseudonymous identifier: eduPersonTargetedID.
- affiliation: eduPersonScopedAffiliation.

Where email address refers to the mail attribute and person name refers to displayName and optionally givenName and sn (i.e., surname).
An Identity Provider supports the R&S Category if, for some subset of the Identity Provider’s user population, the Identity Provider releases a minimal subset of the R&S attribute bundle to R&S Service Providers without administrative involvement, either automatically or subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:

- eduPersonPrincipalName
- displayName OR (givenName AND sn)
For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.
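The minimal-subset rule above, together with the reassignment caveat on eduPersonPrincipalName, is easy to get wrong when written as an attribute-release filter. The following is an added example (not REFEDS text or code) that evaluates the set of attributes an IdP would release to an R&S Service Provider against those rules; the `eppn_reassignable` flag is an assumed deployment property that the operator supplies, since it cannot be read from the attributes themselves.

```python
"""Check an IdP's planned attribute release against the official R&S minimal subset.

Rules encoded from the specification text:
  * eduPersonPrincipalName MUST be released, and
  * displayName OR (givenName AND sn) MUST be released;
  * if the deployment's eduPersonPrincipalName can be reassigned,
    eduPersonTargetedID (non-reassigned by definition) MUST be released as well;
  * releasing both identifiers is RECOMMENDED in any case;
  * mail and eduPersonScopedAffiliation complete the strongly encouraged bundle.
"""
from dataclasses import dataclass, field


@dataclass
class ReleasePolicy:
    """Attributes the IdP would release to R&S SPs for some user population.

    eppn_reassignable is an assumed deployment property: True if the IdP ever
    reuses an eduPersonPrincipalName value for a different person.
    """
    attributes: set
    eppn_reassignable: bool = False


@dataclass
class Verdict:
    conforms: bool
    errors: list = field(default_factory=list)          # MUST-level failures
    recommendations: list = field(default_factory=list)  # SHOULD/encouraged gaps


def check_minimal_subset(policy: ReleasePolicy) -> Verdict:
    """Return whether the release satisfies the R&S minimal subset, with reasons."""
    released = set(policy.attributes)
    verdict = Verdict(conforms=True)

    if "eduPersonPrincipalName" not in released:
        verdict.conforms = False
        verdict.errors.append("eduPersonPrincipalName MUST be released")

    has_name = "displayName" in released or {"givenName", "sn"} <= released
    if not has_name:
        verdict.conforms = False
        verdict.errors.append(
            "a person name MUST be released: displayName OR (givenName AND sn)")

    # Access control needs a non-reassigned persistent identifier.
    if policy.eppn_reassignable and "eduPersonTargetedID" not in released:
        verdict.conforms = False
        verdict.errors.append(
            "eduPersonPrincipalName is reassignable, so eduPersonTargetedID MUST also be released")

    if not {"eduPersonPrincipalName", "eduPersonTargetedID"} <= released:
        verdict.recommendations.append(
            "release both eduPersonPrincipalName and eduPersonTargetedID (RECOMMENDED)")
    for attr in ("mail", "eduPersonScopedAffiliation"):
        if attr not in released:
            verdict.recommendations.append(
                f"{attr} is part of the strongly encouraged R&S bundle")
    return verdict


if __name__ == "__main__":
    # Constructed sample: a deployment that reuses ePPNs but releases only ePPN + name.
    sample = ReleasePolicy({"eduPersonPrincipalName", "givenName", "sn"}, eppn_reassignable=True)
    result = check_minimal_subset(sample)
    print("conforms:", result.conforms)
    for line in result.errors + result.recommendations:
        print(" -", line)
```

The check separates MUST-level failures (which should block the policy from being labelled as R&S support) from recommendations, so it can be run as a pre-deployment lint on an attribute-release configuration.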
Standard entity attribute for R&S Service Providers:
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.com/sp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute
          Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  …
</EntityDescriptor>
```
Standard entity attribute for R&S Identity Providers:
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.com/idp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute
          Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  …
</EntityDescriptor>
```
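Pulling together the entity-attribute declarations above and the draft text's requested-to-released table (and its rule that an R&S attribute MUST NOT carry isRequired="false"), the following added example (not REFEDS code) shows how an IdP-side check would decide what to release to a given SP from its SAML metadata. Both metadata documents inside the block are constructed for the example; the OID-to-friendly-name map uses standard LDAP/eduPerson OIDs that are not on this page and is only a fallback for RequestedAttribute elements that carry no FriendlyName.

```python
"""Decide R&S attribute release from SAML metadata (added example, not REFEDS code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# Fallback when a RequestedAttribute has no FriendlyName (standard OIDs, not from the page).
OID_TO_FRIENDLY = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.13": "eduPersonUniqueId",
}

# requested -> released, exactly as in the draft text's table
RS_REQUEST_MAP = {
    "refedsUserID": "refedsNonPrivateUserID",
    "refedsNonPrivateUserID": "refedsNonPrivateUserID",
    "eduPersonUniqueId": "refedsNonPrivateUserID",
    "refedsPersonName": "refedsPersonName",
    "displayName": "refedsPersonName",
    "refedsEmailAddress": "refedsEmailAddress",
    "mail": "refedsEmailAddress",
}


def _entity_attribute_values(root, name):
    """Texts of every <saml:AttributeValue> under the entity attribute `name`."""
    values = []
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def idp_supports_rs(idp_metadata):
    """True if an <EntityDescriptor> declares entity-category-support for R&S."""
    return RS_CATEGORY in _entity_attribute_values(ET.fromstring(idp_metadata), ENTITY_CATEGORY_SUPPORT)


def evaluate_sp(sp_metadata):
    """Return {'release': set of R&S bundle attributes, 'problems': [...]} for one SP."""
    root = ET.fromstring(sp_metadata)  # assumes a single <EntityDescriptor> root
    if RS_CATEGORY not in _entity_attribute_values(root, ENTITY_CATEGORY):
        return {"release": set(), "problems": ["SP does not assert the R&S entity category"]}
    release, problems = set(), []
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    for ra in root.findall(path, NS):
        friendly = ra.get("FriendlyName") or OID_TO_FRIENDLY.get(ra.get("Name", ""))
        bundle_attr = RS_REQUEST_MAP.get(friendly)
        if bundle_attr is None:
            continue  # not an R&S attribute: out of scope
        if ra.get("isRequired") == "false":
            problems.append(f'{friendly} is an R&S attribute but is decorated with isRequired="false"')
        release.add(bundle_attr)  # still released: isRequired does not gate release
    if not release:
        problems.append("no R&S attribute requested; the IdP may release nothing at all")
    return {"release": release, "problems": problems}


# Constructed sample SP metadata: asserts R&S, requests mail, displayName (wrongly
# marked isRequired="false") and an out-of-scope attribute.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.com/sp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeConsumingService index="0">
      <ServiceName xml:lang="en">Example research service</ServiceName>
      <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
      <RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
      <RequestedAttribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample IdP metadata declaring R&S support.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp">
  <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Attribute Name="http://macedir.org/entity-category-support"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </Extensions>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("IdP supports R&S:", idp_supports_rs(IDP_METADATA))
    print(evaluate_sp(SP_METADATA))
```

The release decision is driven only by the SP's own metadata, as the draft requires: the entity category gates whether R&S rules apply at all, the requested attributes determine what is released, and an isRequired="false" on an R&S attribute is reported as a metadata defect rather than used to withhold the attribute.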