...
Tip | ||
---|---|---|
| ||
Although R&S is specifically designed to facilitate attribute release, errors are expected and therefore service providers are strongly encouraged to support Federated Error Handling. A centralized Error Handling Service is provided for this purpose. |
Identity Providers
IdP Support for R&S
An IdP supports R&S if, for some subset of the IdP's user population, the IdP releases some a minimal subset of the R&S attribute bundle to R&S SPs without administrative involvement, either automatically or subject to user consent. A list of IdPs that are known believed to support R&S is maintained elsewhere in this wiki.
The following attributes constitute a minimal subset of the R&S attribute bundle:
eduPersonPrincipalName
OReduPersonTargetedID
mail
displayName
OR (givenName
ANDsn
)
To facilitate unambiguous access control, the persistent identifier (eduPersonPrincipalName
OR eduPersonTargetedID
) MUST be non-reassigned. Recall that eduPersonTargetedID
is non-reassigned by definition.
Deployment Options
To support R&S, an IdP has at least three options (in increasing order of deployment difficulty):
- Release a fixed subset of the R&S bundle (or the R&S bundle itself) for to all SPs
- Release a fixed subset of the R&S bundle (or the R&S bundle itself) for to all R&S SPs (leveraging an entity attribute in SP metadata)
- Release a precise varying subset of the R&S bundle for to each R&S SP (depending on an SP-by-SP basis requested attributes in SP metadata)
The Shibboleth IdP software supports either of the first two options out-of-the-box. The latter option requires a special plugin at the Shibboleth IdP. No other IdP software is known to support entity attributes at this time.
Tip | ||
---|---|---|
| ||
Sites are strongly encouraged to configure their IdPs to support R&S, either by releasing R&S attributes directly to R&S SPs or by releasing directory information to all SPs. |
...