- Created by Albert Wu (internet2.edu), last modified on May 11, 2020
This article describes the mechanics of tagging an entity in SAML metadata. See Research and Scholarship category for an introduction.
To register your entity for the Research and Scholarship (R&S) category, see:
For identity providers: Support Research and Scholarship category in identity provider
For service providers: Apply for Research and Scholarship category for service provider
The http://refeds.org/category/research-and-scholarship entity attribute expresses a service provider's (SP) qualification for, or an identity provider's (IdP) support of, the Research & Scholarship (R&S) entity category in SAML metadata. Because of the semantic differences (an IdP "supports" R&S, whereas an SP "qualifies" for R&S), the entity attribute is placed in slightly different places in the metadata:
Tagging a service provider
A service provider satisfying the requirements of the REFEDS R&S entity category qualifies for, or is a member of, the Research and Scholarship entity category. In SAML metadata, this is expressed by adding a <saml:Attribute> name-value pair with the attribute name http://macedir.org/entity-category and the attribute value http://refeds.org/category/research-and-scholarship to the SP's metadata.
The semantics of entity attribute names are specified in The Entity Category SAML Entity Metadata Attribute Type (draft-macedir-entity-attribute-00.xml).
For backwards compatibility, an R&S SP also carries the legacy InCommon-only R&S entity attribute value (http://id.incommon.org/category/research-and-scholarship). Every InCommon registered R&S SP has the following multivalued entity attribute in metadata:
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- multivalued entity attribute for R&S SPs -->
  <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <!-- the incommon.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://id.incommon.org/category/research-and-scholarship
    </saml:AttributeValue>
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
Legacy InCommon-only R&S entity attribute is not exported to eduGAIN
In addition to being deprecated, the http://id.incommon.org/category/research-and-scholarship entity attribute value was only used in the InCommon Federation. It is filtered and excluded from SP metadata exported to eduGAIN. Only the REFEDS R&S entity attribute value is exported to eduGAIN.
Managing the SP R&S entity attribute
The InCommon Federation operator is the registration authority responsible for tagging qualifying SPs with the R&S entity attribute. Other than qualifying and applying for the Research and Scholarship category for service providers, there is nothing an SP operator needs to do to manage this entity attribute.
Tagging an identity provider
An identity provider (IdP) satisfying the requirements of the REFEDS R&S entity category is said to "support" the Research and Scholarship entity category. In SAML metadata, this is expressed by adding a <saml:Attribute> name-value pair with the attribute name http://macedir.org/entity-category-support and the attribute value http://refeds.org/category/research-and-scholarship to the IdP's metadata.
An IdP asserting the REFEDS R&S entity attribute value agrees to release the R&S attribute bundle to all R&S SPs, including R&S SPs in other federations.
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&S SPs globally -->
  <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the refeds.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
Legacy InCommon-only R&S entity attribute
A deprecated, InCommon-only R&S entity attribute value (http://id.incommon.org/category/research-and-scholarship) expresses similar support for R&S attribute release, but only to R&S SPs registered by InCommon.
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- entity attribute for IdPs that support R&S SPs registered by InCommon -->
  <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category-support">
    <!-- the incommon.org R&S entity attribute value -->
    <saml:AttributeValue>
      http://id.incommon.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
Although it is exported to eduGAIN in an IdP's metadata, the InCommon-only R&S entity attribute value has no recognized meaning outside the InCommon Federation. Only IdPs that release attributes to all R&S SPs globally and are tagged with the REFEDS R&S entity attribute value are recognized as R&S IdPs by the international R&E community.
Syntax implications
The R&S entity attribute in IdP metadata is single-valued, which means an IdP can only support one R&S entity attribute value (either REFEDS or InCommon-only) at a time. This decision affects service providers.
An SP that depends on the R&S entity attribute in IdP metadata must take into account the fact that an R&S IdP will carry either the InCommon-only R&S entity attribute or the REFEDS R&S entity attribute but not both.
To maintain backward compatibility during the transition to the global (REFEDS) R&S entity attribute, the InCommon Federation automatically tags its registered R&S SPs with both values, so that an InCommon Federation registered R&S SP automatically receives attributes from either type of R&S IdP.
In other words, if an SP deployment is configured to recognize the incommon.org R&S tag in IdP metadata, it should be configured to recognize the refeds.org R&S tag as well.
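One way an SP-side tool could apply this rule when reading IdP metadata, as an added example that is not from the original page or from InCommon's tooling. The function names, the example.org entityIDs and the sample aggregate are constructed for illustration, and the code assumes the metadata's signature has already been verified before parsing.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUPPORT = "http://macedir.org/entity-category-support"
CATEGORY = "http://macedir.org/entity-category"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
INCOMMON_RS = "http://id.incommon.org/category/research-and-scholarship"

def rs_support(entity):
    """Return 'global', 'incommon-only' or None for one EntityDescriptor."""
    if entity.find("md:IDPSSODescriptor", NS) is None:
        return None  # "support" is only meaningful on an IdP
    values = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.iterfind(path, NS):
        if attr.get("Name") == SUPPORT:
            # Published values may be padded with whitespace, so strip first.
            values.update((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", NS))
    if REFEDS_RS in values:
        return "global"
    if INCOMMON_RS in values:
        return "incommon-only"
    return None

def classify(metadata_xml):
    """Map entityID -> R&S support for an EntityDescriptor or an aggregate."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID"): rs_support(e)
            for e in root.iter("{%s}EntityDescriptor" % NS["md"])}

# Constructed sample aggregate (hypothetical entityIDs), not real federation metadata.
_ENTITY = ('<md:EntityDescriptor entityID="{0}"><md:Extensions>'
           '<mdattr:EntityAttributes><saml:Attribute Name="{1}">'
           '<saml:AttributeValue> {2} </saml:AttributeValue></saml:Attribute>'
           '</mdattr:EntityAttributes></md:Extensions><md:{3} '
           'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
           '</md:EntityDescriptor>')
SAMPLE = ('<md:EntitiesDescriptor ' +
          " ".join('xmlns:%s="%s"' % kv for kv in NS.items()) + ">" +
          _ENTITY.format("https://idp-a.example.org/idp", SUPPORT, REFEDS_RS, "IDPSSODescriptor") +
          _ENTITY.format("https://idp-b.example.org/idp", SUPPORT, INCOMMON_RS, "IDPSSODescriptor") +
          _ENTITY.format("https://sp.example.org/sp", CATEGORY, REFEDS_RS, "SPSSODescriptor") +
          "</md:EntitiesDescriptor>")
if __name__ == "__main__":
    for entity_id, support in classify(SAMPLE).items():
        print(entity_id, support)
```

An SP that treats either non-None result as "R&S IdP" recognizes both tags; the third sample entity shows that the SP-side entity-category attribute is never read as IdP support.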
Managing the IdP R&S entity attribute
The IdP owner is authoritative for the R&S entity attribute. An IdP indicates its willingness and ability to support R&S following steps outlined in Identity provider - support Research and Scholarship.
Further Reading
The Entity Category SAML Entity Metadata Attribute Type (draft-macedir-entity-attribute-00.xml)
REFEDS Research and Scholarship entity category specification
Identity provider - support Research and Scholarship
Service provider - apply for Research and Scholarship category
Comparing REFEDS and InCommon-only R and S categories