
Research & Scholarship Attribute Bundle


Info: Configure your IdP to release the R&S attribute bundle now (see the page Research and Scholarship Attribute Bundle Config).

Identity providers are encouraged to release the R&S attribute bundle to all R&S service providers:

  • Identifiers
    • eduPersonPrincipalName
    • eduPersonTargetedID
  • Mail attribute
    • mail
  • Person name attributes
    • displayName
    • givenName
    • sn (surname)
  • Authorization attribute
    • eduPersonScopedAffiliation

It is easy to configure a Shibboleth IdP to release the R&S attribute bundle to all R&S SPs. If, however, you are using SAML software that does not support entity attributes, consider releasing the Essential Attribute Bundle to all SPs instead.

Note: Supporting the Research & Scholarship Category

An identity provider (IdP) supports the Research & Scholarship (R&S) Category if, for some subset of the IdP's user population, the IdP releases a minimal subset of the R&S attribute bundle to R&S service providers without administrative involvement, either automatically or subject to user consent.


Minimal Subset of the R&S Attribute Bundle

The following attributes constitute a minimal subset of the R&S attribute bundle:

  • eduPersonPrincipalName
  • mail
  • displayName OR (givenName AND sn)

For the purposes of access control, a non-reassigned persistent identifier is REQUIRED. If your deployment of eduPersonPrincipalName is non-reassigned, it will suffice. Otherwise you MUST release eduPersonTargetedID (which is non-reassigned by definition) in addition to eduPersonPrincipalName. In any case, release of both identifiers is RECOMMENDED.

An Optimization

If a service provider lists any of the person name attributes in metadata, the identity provider MUST release some form of person name, either displayName or givenName + sn. Beyond that, an identity provider is NOT REQUIRED to release any attribute not listed in metadata.
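The minimal-subset rule and the optimization above, expressed as an added Python example (not code from this wiki page or from the Shibboleth project): one function checks an IdP's release set against the minimal subset and the persistent-identifier requirement, the other computes what to release to a single SP. The REFEDS entity-category value, the attribute names as strings, and all sample inputs are assumptions.

```python
# Constructed model of the R&S release rules on this page.
# The entity-category value below is the REFEDS R&S tag as used in SAML
# metadata entity attributes; treat it as an assumption for this example.
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
RS_BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "mail",
             "displayName", "givenName", "sn", "eduPersonScopedAffiliation"}
NAME_ATTRS = {"displayName", "givenName", "sn"}


def minimal_subset_problems(released, eppn_non_reassigned):
    """Return the rules the released set violates; empty list = IdP supports R&S."""
    r = set(released)
    problems = []
    if "eduPersonPrincipalName" not in r:
        problems.append("eduPersonPrincipalName missing")
    if "mail" not in r:
        problems.append("mail missing")
    if "displayName" not in r and not {"givenName", "sn"} <= r:
        problems.append("no person name: need displayName or givenName+sn")
    # Access control needs a non-reassigned persistent identifier: a reassignable
    # ePPN must be accompanied by eduPersonTargetedID.
    if not eppn_non_reassigned and "eduPersonTargetedID" not in r:
        problems.append("ePPN is reassignable, so eduPersonTargetedID is required")
    return problems


def release_for_sp(available, sp_categories, sp_requested=()):
    """Attributes to release to one SP: the R&S bundle for R&S SPs, trimmed to
    what the SP lists in metadata when it lists anything (the optimization)."""
    if RS_CATEGORY not in sp_categories:
        return set()                 # not an R&S SP; this policy releases nothing
    rel = set(available) & RS_BUNDLE
    requested = set(sp_requested)
    if not requested:
        return rel                   # SP lists nothing: release the whole bundle
    wanted = rel & requested
    if NAME_ATTRS & requested:       # any name listed -> some name form MUST go
        if "displayName" in rel:
            wanted.add("displayName")
        else:
            wanted |= rel & {"givenName", "sn"}
    return wanted
```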