Research & Scholarship Attribute Bundle

Configure your IdP to release the R&S attribute bundle now!

Identity providers are encouraged to release the R&S attribute bundle to all R&S service providers:

  • Identifiers
    • eduPersonPrincipalName
    • eduPersonTargetedID
  • Mail attribute
    • mail
  • Person name attributes
    • displayName
    • givenName
    • sn (surname)
  • Authorization attribute
    • eduPersonScopedAffiliation

It is easy to configure a Shibboleth IdP to release the R&S attribute bundle to all R&S SPs. If, however, you are using SAML software that does not support entity attributes, consider releasing the Essential Attribute Bundle to all SPs instead.

Note: Supporting the Research & Scholarship Category

An identity provider (IdP) supports the Research & Scholarship (R&S) Category if, for some subset of the IdP's user population, the IdP releases a minimal subset of the R&S attribute bundle to R&S service providers without administrative involvement, either automatically or subject to user consent.


Minimal Subset of the R&S Attribute Bundle

The following attributes constitute a minimal subset of the R&S attribute bundle:

  • eduPersonPrincipalName
  • mail
  • displayName OR (givenName AND sn)

For the purposes of access control, a non-reassigned persistent identifier is REQUIRED. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.

An Optimization

A sufficiently capable IdP deployment can optimize attribute release based on the <md:RequestedAttribute> elements in SP metadata:

  • If a service provider lists the eduPersonPrincipalName attribute in metadata, and the IdP's deployment of eduPersonPrincipalName can be reassigned, then the IdP MUST release both eduPersonPrincipalName and eduPersonTargetedID to the SP regardless of whether eduPersonTargetedID is listed in metadata.
  • If a service provider lists any of the person name attributes in metadata, the identity provider MUST release some form of person name, either displayName or givenName + sn.

Beyond the two special cases noted above, an identity provider is NOT REQUIRED to release any attribute not listed in metadata.
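As an added example (not code from the Shibboleth project or the R&S specification), the following Python encodes the minimal subset and the two special cases above as a release decision, reading the `<md:RequestedAttribute>` elements from a constructed SP metadata fragment; the `available` set and the `eppn_reassignable` flag are assumptions standing in for local IdP configuration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PERSON_NAME = {"displayName", "givenName", "sn"}
RS_BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "mail",
             "eduPersonScopedAffiliation"} | PERSON_NAME

def requested_attributes(sp_metadata_xml: str) -> set:
    """FriendlyName of every md:RequestedAttribute in the SP's metadata."""
    root = ET.fromstring(sp_metadata_xml)
    tag = "{%s}RequestedAttribute" % MD_NS
    return {el.get("FriendlyName") for el in root.iter(tag) if el.get("FriendlyName")}

def has_complete_name(attrs) -> bool:
    """displayName OR (givenName AND sn)."""
    return "displayName" in attrs or {"givenName", "sn"} <= set(attrs)

def release_set(requested, available, eppn_reassignable: bool) -> set:
    """Attributes released to an R&S SP: what it listed, plus the two special cases."""
    wanted = set(requested) & RS_BUNDLE          # only bundle members are considered
    released = wanted & set(available)
    # Special case 1: a reassignable ePPN must travel with the non-reassigned
    # eduPersonTargetedID, whether or not the SP listed it (assumes the IdP has it).
    if "eduPersonPrincipalName" in wanted and eppn_reassignable:
        released.add("eduPersonTargetedID")
    # Special case 2: any requested name attribute obliges a complete person
    # name, in whichever form this IdP can supply.
    if wanted & PERSON_NAME and not has_complete_name(released):
        if "displayName" in available:
            released.add("displayName")
        elif {"givenName", "sn"} <= set(available):
            released |= {"givenName", "sn"}
    return released

def meets_minimal_subset(released, eppn_reassignable: bool) -> bool:
    """Minimal subset plus the non-reassigned persistent identifier rule."""
    persistent_ok = "eduPersonPrincipalName" in released and (
        not eppn_reassignable or "eduPersonTargetedID" in released)
    return persistent_ok and "mail" in released and has_complete_name(released)

# Constructed sample SP metadata: requests ePPN, mail and givenName only.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor><md:AttributeConsumingService index="1">
    <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
    <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    <md:RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"/>
  </md:AttributeConsumingService></md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `release_set(requested_attributes(SAMPLE_SP), available, eppn_reassignable)` against your own attribute inventory and check the result with `meets_minimal_subset` before turning the policy into an attribute filter.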