...
InCommon has partnered with its peer R&E federations worldwide to create the Research and Scholarship Entity Category (R&S)
...
| Wiki Markup |
|---|
InCommon is launching a new service to make it easier for participants to provide collaborative services and for faculty, researchers, and scientists \[students?\] to use those services with their federated identities. This service uses categorization of service providers (SPs) to simplify and streamline configuration of identity providers (IdPs) and SPs to work together. The newly defined Research & Scholarship (R&S) category will apply to service providers that support research and scholarly activities such as virtual organizations and campus-based collaboration services. Participating IdPs will agree to release a minimal set of attributes to the R&S category with a one-time addition to their default release policies, a simpler and more scalable approach than negotiating such release bilaterally with every service provider. |
| Table of Contents | ||
|---|---|---|
|
Background
A growing number of Service Providers (SPs) supporting collaborative research and scholarship activities are joining InCommon. As is the standard practice in the higher education and research world, collaboration on these sites involves knowing who the collaborators are: name, email, institutional affiliation. Unfortunately, the default Attribute Release Policies in place at most campus Identity Providers (IdPs) do not share any information with these sites without local review of the SP's purpose, governing policy, and operational practices. This approach is simply not scalable to the thousands of campus IdPs and thousands of SPs supporting research and scholarship that we anticipate in the future. It is already a serious problem for the big virtual organizations and research labs; the hoped-for explosion of smaller collaboration sites housed in academic departments will not succeed with federation without a scalable solution.
, a simple and scalable way for Identity Providers to release minimal amounts of required personal data to Service Providers serving the Research and Scholarship Community. Institutions that certify their IdP for R&S realize the following:
- Convenience for faculty and researchers: they instantly access participating services using campus credentials without administrator involvement
- Enable collaboration: When a research project adds a service to the category, collaboration across participating campuses is immediate
- Vetted services: InCommon reviews each service application for adherence to the category definition and requirements
- Save time and resources: once enabled, there is no additional involvement of IT staff to provision new R&S services
A list of all current R&S IdPs and SPs is available for your perusal.
How It Works
The Research & Scholarship (R&S) Category defines specific criteria for SPs All InCommon SPs are already bound by a set of practices governing how they manage and use personal attributes. InCommon's R&S Category defines additional set criteria that are designed to facilitate IdP policy decisions to release a controlled set of low-risk attributes to R&S SPs them without local review for each SP. InCommon also provides metadata and technology tools to further facilitate automatic, but controlled, release of attributes to the R&S SPs, as well as aiding user support.
IdPs can leverage this to simplify the management of their Attribute Release Policies by taking advantage of the R&S Category. With a one-time addition to their default release policies they can specify a set of attributes to release to all SPs that are in the R&S Category. This policy would apply addition then applies to SPs that are added to the category in the future, without the IDP administrator having to make any changes.
This Research and Scholarship Category Pilot will include a small number of SPs and IdPs to test this approach, recommending modifications to the specifications described here, as appropriate. The following are the participants in this pilot:
- Service Providers
- TBA
- Identity Providers
- TBA
Candidate Services
The three traditional dimensions of the academic endeavor are: research & scholarship, instruction, and service. Candidates for the R&S Category are those Service Providers that are specifically designed to support some aspect of research and scholarship; SPs aimed to enable instruction or service do not qualify for this category, even if they are intended for use by academics. Likewise, SPs that provide generalized services that have been or might be adopted for use in support of research and scholarship activities, but whose primary purpose is not research and scholarship, are not included in the R&S Category.
Whether an SP operator is commercial or non-commercial is not relevant to eligibility for the R&S Category, nor are any other aspects of how the service is implemented or operated, beyond the specific requirements noted below. It's all about purpose.
InCommon has chosen to introduce service categories in a conservative way, by focusing narrowly on services purposed for research and scholarship, in order to make implementation as straightforward as possible, and limit the range of concerns to be as specific as possible. Other service categories may be defined in the future for other purposes.
Requirements for the R&S Category
Service Providers are already bound by the requirements of the InCommon Federation: Participation Agreement. For the purposes of R&S, they should pay particular attention to Section 9:
| Info |
|---|
9. Respect for Privacy of Identity Information Participant agrees to respect the privacy of and any other constraints placed on identity information that it might receive from other InCommon Participants as agreed upon between Participant and the InCommon Participant(s). In particular, Participant understands that it may not permanently store nor share or disclose or use for any purpose other than its intended purpose any identity information that it receives from another InCommon Participant without express written permission of the other InCommon Participant. Participant understands that the storing and sharing of resources is between the Participant and the InCommon Participant(s) and is not the responsibility of InCommon. InCommon strongly recommends that Resource provider systems may cache temporarily identity attributes/credentials that are supplied by IdMs for operational efficiency or sequential, repeated authentication purposes within a given session or reasonable length episode. InCommon further recommends that any shared attributes/credentials should not be used for any purpose other than the original purpose or intent, and that such attributes/credentials should be destroyed at the end of the session or episode in which they are needed. This temporary storage of credentials shall not be deemed as permanent storage for the purposes of this Agreement. |
In addition, Service Providers must comply with the following requirements:
- The service enhances the research and scholarship activities of some subset of the InCommon community.
- The service requires a subset of R&S Category Attributes. (See below.)
- The service does not require out-of-band negotiation and/or contracts with IdPs.
- The service conforms to a specific subset of the Recommended Practices published by InCommon.
- The SP is a production SAML deployment.
- The SP supports SAML V2.0 Web Browser SSO.
- The SP refreshes and verifies metadata at least daily.
- The SP's metadata has been provided to InCommon so that it can be published in a human-readable format on the InCommon public web site.
- The SP provides appropriate contacts in the metadata.
- The SP provides its requested attributes in metadata. (Note that requests for attributes outside of the R&S set will likely require prior agreement with IdP Operators.)
- The SP intelligently handles errors involving the release of requested attributes.
R&S Service Providers must resolve issues of non-compliance within a reasonable period of time from when they become aware of the issue. Failure to do so can result in revocation of their membership in the R&S category.
R&S Category Attributes
InCommon IdPs are strongly encouraged to release the following attributes to R&S category SPs:
- name
(displayName,givenName,surName) - e-mail address (mail)
- user identifier (
eduPersonPrincipalName,eduPersonTargetedID) - user role (
eduPersonScopedAffiliation)
R&S category SPs may request other attributes, but IdP Operators will likely require a prior agreement before releasing those additional attributes. It is highly recommended that SPs use a minimalist approach to attribute requests. In the future, if InCommon interfederates with federations in other parts of the world, IdPs in other countries may be operating under laws and regulations which require a true minimalist approach.
Application for Inclusion in the R&S Category
To request membership in the R&S Category, a site administrator for the organization owning the SP completes a web form asserting compliance with the criteria. This initiates the following approval process:
- InCommon staff review the requests, interacting with the submitter and the InCommon Technical Advisory Council (TAC), as needed.
- Assuming a positive review, the staff provide a one-paragraph summary recommending approval of the request to the InCommon Steering Committee and the TAC, asking for comments within one week.
- Approval or rejection of the request is determined by consensus by the review participants.
When an SP is approved for the R&S category,
- An entity attribute is inserted into metadata.
- The new R&S SP is added to a web page listing members of the R&S category.
- An announcement is sent to the announce@incommon.org email list and/or the monthly newsletter.
Policy Considerations for Identity Providers
Identity Providers are responsible for protection of the privacy of their community members' identity attributes. As such, they must be cautious when releasing those attributes to Service Providers. As can be seen above, the R&S category has been restricted to the release of low-risk attributes to low-risk Service Providers with high value. Nevertheless, legislation such as FERPA, as well as local policy, may require further controls over attribute release by an IdP. For example, some students may have opted out of attribute release under FERPA.
It is expected that there will be little discussion or controversy over releasing these attributes to R&S SPs for faculty, researchers, and staff. These people already routinely share this information with their collaborators. Releasing attributes for students, however, is probably covered by the U.S. FERPA law, and possibly by state law. There is a considered opinion, though, that it is perfectly legal to release FERPA directory information using Shibboleth/SAML. If a campus includes the R&S attributes in its list of Directory Information, then there should be no issue about releasing these attributes for students who have not opted out under FERPA. In addition, some registrars have concluded that the definition of the R&S category allows their campus to release directory information for every student (including those who have opted out under FERPA).
Campuses are encouraged to implement a default policy that releases the R&S attributes to SPs in the R&S Category; implementing this is a one-time change to the IdP configuration. When this is not possible, mechanisms for implementing limiting controls are described below in "Technical Considerations." In the interest of facilitating collaboration and sharing of resources for as broad a community as possible, however, it is recommended that such controls be applied with as small a scope as possible.
Technical Considerations
The following documents describe the technical considerations for participation in the R&S Category:
...
...
- There are no technical requirements for SPs, other than those described above in "Requirements for the R&S Category."
IdPs also assert their support for R&S in federation metadata, allowing R&S-certified SPs to enhance the user experience of those IdPs' researchers.
R&S Application Process
Certifying your IdP or SP for R&S is easy, although SPs do require a review period to verify compliance with the requirements. See How to Apply for the Research and Scholarship (R&S) Entity Category for details. For more information specific to IdPs and SPs, see:
Historical Legacy: InCommon-Only R&S
When the R&S Category was first introduced for InCommon, it was available only to InCommon Participants. When REFEDS created the global Research and Scholarship Entity Category described in this document, therefore, InCommon-only R&S lost most of its relevance. All InCommon-only R&S SPs were converted to global R&S automatically, but due to changes to the requirements, that could not be done for IdPs. (See Migrating an IdP to Global Research and Scholarship for additional historical context.) InCommon-only R&S has been deprecated and is no longer issued to IdPs or SPs, but a number of IdPs still retain their InCommon-only status.
It is highly recommended that InCommon-only IdPs add support for R&S SPs internationally; see How to Apply for the Research and Scholarship (R&S) Entity Category for more information.
...