...
R&S Category SPs may request other attributes, but those requests are not likely to be honored by IdPs unless there has been prior agreement with the IdP Operator. It is highly recommended that SPs use a minimalist approach to attribute requests. In the future, if InCommon interfederates with Federations in other parts of the world, IdPs in other countries may be operating under laws and regulations which require a true minimalist approach.
Application for Inclusion in the R&S Category
...
Identity Providers are responsible for protection of the privacy of their community members' identity attributes. As such, they must be cautious when releasing those attributes to Service Providers. As can be seen above, the R&S Category has been restricted to the release of low-risk attributes to low-risk Service Providers with high value. Nevertheless, legislation such as FERPA, as well as local policy, may require further controls over attribute release by an IdP. For example, some students may have opted out of attribute release under FERPA.
It is expected that there will be little discussion or controversy over releasing these attributes to R&S SPs for faculty, researchers, and staff. These people already routinely share this information with their collaborators. Releasing attributes for students, however, is probably covered by the US FERPA law, and possibly by state law. There is a considered opinion, though, that it is perfectly legal to release FERPA Directory Information using Shibboleth/SAML. If a campus includes the R&S attributes in its list of Directory Information, then there should be no issue about releasing these attributes for students who have not opted out under FERPA. In addition, some Registrars have concluded that the definition of the R&S category allows their campus to release Directory Information for every student (including those who have opted out under FERPA).
Mechanisms for implementing such controls are described below in "Technical Considerations." In the interest of facilitating collaboration and sharing of resources for as broad a community as possible, however, it is recommended that such controls be applied with as small a scope as possible.
...