...

Comparison of each InCommon R&S requirement with the corresponding REFEDS R&S requirement:

  1. InCommon R&S Requirement: Participation Agreement (http://www.incommon.org/docs/policies/participationagreement.pdf), section 9: Participant agrees to respect the privacy of and any other constraints placed on identity information that it might receive from other InCommon Participants as agreed upon between Participant and the InCommon Participant(s). In particular, Participant understands that it may not permanently store nor share or disclose or use for any purpose other than its intended purpose any identity information that it receives from another InCommon Participant without express written permission of the other InCommon Participant. Participant understands that the storing and sharing of resources is between the Participant and the InCommon Participant(s) and is not the responsibility of InCommon.
     REFEDS R&S Requirement: A "Service Provider claims that it will not use attributes for purposes that fall outside of the service definition."

  2. InCommon R&S Requirement: "Whether an SP operator is commercial or non-commercial is not relevant to eligibility for the R&S Category, nor are any other aspects of how the service is implemented or operated, beyond the specific requirements noted below. It's all about purpose."
     REFEDS R&S Requirement: "This Entity Category should not be used for access to licensed content such as e-journals."

  3. InCommon R&S Requirement: "...because of the risk involved, a Service Provider that engages subjects in experiments that require specific oversight is not eligible for the R&S Category."
     REFEDS R&S Requirement: NA

  4. InCommon R&S Requirement: "The SP provides an mdui:DisplayName in metadata..."
     REFEDS R&S Requirement: "The Service Provider provides an mdui:DisplayName and mdui:InformationURL in metadata."

  5. InCommon R&S Requirement: "The SP provides Technical and Administrative contacts in metadata."
     REFEDS R&S Requirement: "The Service Provider provides one or more technical contacts in metadata."

  6. InCommon R&S Requirement: "R&S category SPs may request other attributes, but IdP operators will likely require a prior agreement before releasing additional attributes." and "It is therefore highly recommended that SPs use a minimalist approach to attributes, only requesting those attributes that they absolutely need."
     REFEDS R&S Requirement: "Service Providers SHOULD request a subset of R&S Category Attributes that represent only those attributes that the Service Provider requires to operate its service."

...

For clarity, these two requirements are broken into three parts on the R&S application form:

  1. My service provides requested attributes in metadata.
  2. Are the requested attributes in metadata a subset of the R&S attribute bundle? (Note: This is highly RECOMMENDED; otherwise a bilateral agreement with each IdP may be required.)
  3. My service requests only those attributes required to operate the service.

The second requirement listed above is framed as a yes/no question while the others are strict requirements for all InCommon R&S SPs.

...

The above interpretation of the requirements permits the following optimization:

If a service provider lists any of the person name attributes in metadata, the identity provider MUST release some form of person name, either displayName or givenName + sn. Beyond that, an identity provider is NOT REQUIRED to release any attribute not listed in metadata.

The attribute release policy below implements the requirements stated above if and only if 1) the deployment of eduPersonPrincipalName is non-reassigned, and 2) the deployment supports all three person name attributes (displayName, givenName, and surname):

```xml
<!-- Release the R&S bundle dynamically: only to SPs tagged with the InCommon R&S
     entity category, and only those attributes each SP lists in its own metadata. -->
<AttributeFilterPolicy id="releaseDynamicSubsetToRandS">

  <!-- The policy applies when the requesting SP's metadata carries the R&S entity category -->
  <PolicyRequirementRule
      xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

  <!-- onlyIfRequired="false": release the attribute whenever the SP lists it as a
       RequestedAttribute, whether or not it is marked isRequired="true".
       No eduPersonTargetedID rule: this assumes eduPersonPrincipalName is non-reassigned. -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>

  <!-- Person name: each of the three name attributes is released only if the SP lists it;
       this assumes the deployment supports displayName, givenName and surname -->
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>

</AttributeFilterPolicy>
```
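As an added example (not code from this page or from Shibboleth), the following Python evaluates an SP's metadata the way the filter policy above does, then applies form item 2 (is the request a subset of the bundle?) and the person-name rule from the optimization. The SP metadata, its entityID and the extra non-bundle attribute are constructed; the mapping from standard attribute OIDs to the policy's attributeIDs is assumed to match the deployment's resolver.

```python
import xml.etree.ElementTree as ET  # added example, not page or Shibboleth code
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
RS_CATEGORY = "http://id.incommon.org/category/research-and-scholarship"
# Standard SAML attribute Names (OIDs) mapped to the attributeIDs used in the policy (assumed).
OID_TO_ID = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
             "urn:oid:0.9.2342.19200300.100.1.3": "email",
             "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
             "urn:oid:2.5.4.42": "givenName",
             "urn:oid:2.5.4.4": "surname"}
NAME_ATTRS = {"displayName", "givenName", "surname"}
# Constructed sample SP: R&S-tagged, lists ePPN, mail, givenName and one attribute
# outside the bundle (eduPersonEntitlement, urn:oid:1.3.6.1.4.1.5923.1.1.1.7).
SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"><md:Extensions><mdattr:EntityAttributes>
 <saml:Attribute Name="http://macedir.org/entity-category"><saml:AttributeValue>
 http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue></saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 <md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Example</md:ServiceName>
 <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
 <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/><md:RequestedAttribute Name="urn:oid:2.5.4.42"/>
 <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"/>
 </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"""

def parse_sp(metadata_xml):
    # Entity categories plus RequestedAttribute Names (AttributeInMetadata matches on Name).
    root = ET.fromstring(metadata_xml)
    cats = {v.text.strip() for v in root.findall(
        "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        "[@Name='http://macedir.org/entity-category']/saml:AttributeValue", NS)}
    requested = [r.get("Name") for r in root.findall(
        "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS)]
    return {"categories": cats, "requested": requested}

def released_attributes(sp):
    # Same outcome as the policy: nothing without the R&S category; otherwise exactly
    # the bundle attributes the SP lists in metadata, required or not.
    if RS_CATEGORY not in sp["categories"]:
        return set()
    return {OID_TO_ID[n] for n in sp["requested"] if n in OID_TO_ID}

def rs_findings(sp):
    # Form item 2 (subset of the bundle) and the person-name rule of the optimization.
    findings = []
    outside = sorted(n for n in sp["requested"] if n not in OID_TO_ID)
    if outside:
        findings.append("outside R&S bundle: " + ", ".join(outside))
    rel = released_attributes(sp)
    if rel & NAME_ATTRS and "displayName" not in rel and not {"givenName", "surname"} <= rel:
        findings.append("name requested but neither displayName nor givenName+surname released")
    return findings
```

Run against a whole federation aggregate, the two findings are the cases where an IdP operator should expect a bilateral agreement request or an SP that gets only a partial name under this policy.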

References