Versions Compared

Old Version 55

changes.mady.by.user Albert Wu (internet2.edu)

Saved on

compared with

New Version 56

changes.mady.by.user Albert Wu (internet2.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space federationedit and version 2.11

Jump to: 

Table of Contents
maxLevel1
exclude(On this page)|(In this section)|(Related content)|(Get help)
typeflat
separatorpipe

This article describes mechanics of tagging an entity in SAML metadata. See Research and Scholarship category for an introduction.

To register your entity for Research and Scholarship (R&S) category, see:

For identity provider
Support Research and Scholarship category in identity provider

For service provider
Apply for Research and Scholarship category for service provider  


The http://refeds.org/category/research-and-scholarship entity attribute expresses qualification or support for the Research & Scholarship (R&S) entity category, service providers (SP) and identity providers (IdP) in the SAML metadata. Because of the semantic differences (an IdP "supports" R&S, where as a SP "qualifies" for R&S), the entity attribute is placed in slightly different places in the metadata:

Tagging a service provider

A service provider satisfying the requirements of the REFEDS R&S Entity category qualifies for, or is a member of the Research and Scholarship entity category. In SAML metadata, this is expressed by adding a <saml:Attribute> name value pair with the attribute name of http://macedir.org/entity-category and attribute value of http://refeds.org/category/research-and-scholarship to the SP's metadata.

The semantics of entity attribute names are specified in The Entity Category SAML Entity Metadata Attribute Type (draft-macedir-entity-attribute-00.xml).

For backwards compatibility, an R&S SP also carries the legacy InCommon-only R&S entity attribute value (http://id.incommon.org/category/research-and-scholarship). Every InCommon registered R&S SP has the following multivalued entity attribute in metadata:

Code Block
languagexml
themeConfluence
titleA multivalued entity attribute for R&S SPs
<mdattr:EntityAttributes  
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- multivalued entity attribute for R&amp;S SPs -->
  <saml:Attribute
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        Name="http://macedir.org/entity-category">
     <!-- the incommon.org R&amp;S entity attribute value -->
     <saml:AttributeValue>
        http://id.incommon.org/category/research-and-scholarship
     </saml:AttributeValue>
     <!-- the refeds.org R&amp;S entity attribute value -->
     <saml:AttributeValue>
        http://refeds.org/category/research-and-scholarship
     </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
Info
titleLegacy InCommon-only R&S entity attribute is not exported to eduGAIN

In addition to being deprecated, the http://id.incommon.org/category/research-and-scholarship entity attribute value was only used in the InCommon Federation. It is filtered and excluded from SP metadata exported to eduGAIN. Only the REFEDS R&S entity attribute value is exported to eduGAIN.

Managing the SP R&S entity attribute

The InCommon Federation operator is the registration authority responsible for tagging qualifying SP's with R&S entity attribute. Other than qualifying and applying for Research and Scholarship category for service provider, there is nothing an SP operator needs to do to manage this entity attribute.

Tagging an identity provider 

A identity provider (IdP) satisfying the requirements of the REFEDS R&S entity category is said to "support" Research and Scholarship entity category. In SAML metadata, this is expressed by adding a <saml:Attribute> name value pair with the attribute name of http://macedir.org/entity-category-support and attribute value of http://refeds.org/category/research-and-scholarship to the SP's metadata. 

An IdP asserting the REFEDS R&R entity attribute value agrees to release the R&S attribute bundle to all R&S SPs, including R&S SPs in other federations.

Code Block
languagexml
themeConfluence
titleAn entity attribute for IdPs that support all R&S SPs globally
<mdattr:EntityAttributes      
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
   <!-- entity attribute for IdPs that support R&amp;S SPs globally -->
   <saml:Attribute
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
         Name="http://macedir.org/entity-category-support">
      <!-- the refeds.org R&amp;S entity attribute value -->
      <saml:AttributeValue>
          http://refeds.org/category/research-and-scholarship
      </saml:AttributeValue>
   </saml:Attribute>
</mdattr:EntityAttributes>

Legacy InCommon-only R&S entity attribute

A deprecated, InCommon-only R&S entity attribute (http://id.incommon.org/category/research-and-scholarship)expresses similar support for R&S attribute release, but only to to R&S SPs registered by InCommon only. 

Code Block
titleAn entity attribute for IdPs that support R&S SPs registered by InCommon only
<mdattr:EntityAttributes 
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
    <!-- entity attribute for IdPs that support R&amp;S SPs 
         registered by InCommon -->
    <saml:Attribute
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="http://macedir.org/entity-category-support">
       <!-- the incommon.org R&amp;S entity attribute value -->
       <saml:AttributeValue>
           http://id.incommon.org/category/research-and-scholarship
       </saml:AttributeValue>
    </saml:Attribute>
</mdattr:EntityAttributes>

Although it is exported to eduGAIN in an IdP's metadata, the InCommon-only R&S entity attribute value has no recognized meaning outside the InCommon Federation. Only IdPs that release attributes to all R&S SPs globally and tagged with the REFEDS R&S entity attribute value are recognized as R&S IdPs by the international R&E community.

Syntax implications

The R&S entity attribute in IdP metadata is single-valued, whic means an IdP can only support one R&S entity attribute (either REFEDS or InCommon-only) at a time. This decision affects service providers.

An SP that depends on the R&S entity attribute in IdP metadata must take into account the fact that an R&S IdP will carry either the InCommon-only R&S entity attribute or the REFEDS R&S entity attribute but not both.

To maintain backward compatibility during transition to use the global (REFEDS) R&S entity attribute, the InCommon Federation automatically tags its registered R&S SP with both values so that InCommon Federation registered R&S SP automatically receives attributes from either type of R&S IdP.   

In other words, if an SP deployment is configured to recognize the incommon.org R&S tag in IdP metadata, it should be configured to recognize the refeds.org R&S tag as well.

Managing the IdP R&S entity attribute

The IdP owner is authoritative for the R&S entity attribute. An IdP indicates its willingness and ability to support R&S following steps outlined in Identity provider - support Research and Scholarship.

Further Reading

The Entity Category SAML Entity Metadata Attribute Type (draft-macedir-entity-attribute-00.xml)

REFEDS Research and Scholarship entity category specification 

Identity provider - support Research and Scholarship

Service provider - apply for Research and Scholarship category

Research and Scholarship FAQ

Comparing REFEDS and InCommon-only R and S categories


Related content

Content by Label
showLabelsfalse
max10
showSpacefalse
cqllabel in ("entity-category","r-and-s") and space = "federation"

Get help

Can't find what you are looking for?

Button Hyperlink
iconhelp
titleAsk the community
typeprimary
urlask-the-community