Migrating an IdP to the Global Research & Scholarship Category

This topic is for operators of existing Research & Scholarship (R&S) IdPs, that is, IdPs that have declared their support for the Research & Scholarship category.

IdP operators. All R&S SPs in the registered by InCommon Federation now meet the requirements of the international REFEDS Research & Scholarship Entity Category specification and therefore all R&S SPs in the InCommon Federation have a multivalued R&S entity attribute in metadata. More importantly, InCommon will soon begin importing imports the metadata of R&S SPs from other federations, so now is the time for . Consequently, R&S IdP operators to begin thinking about should plan their migration strategy to global R&S.

Basically, the operator of an existing R&S IdP operator has two options:

1. Release attributes to all R&S SPs, including R&S SPs in other federations
   • See below: Configuring an IdP to Release Attributes Globally
2. Release attributes to R&S SPs registered by InCommon only
   • See below: Configuring an IdP to Release Attributes Locally

These two mutually exclusive options are discussed in the sections belowfollowing sections.

Contents

...

The R&S

...

Migration Process

...

...

...

To support the R&S category, either globally or locally, the operator of an existing R&S IdP follows this simple 3-step process:

1. Review the authoritative REFEDS Research & Scholarship Entity Category specification
   
   1. The requirements for an R&S SP have changed slightly (a gap analysis has been prepared for your convenience)
   2. The requirements for an R&S IdP have not changed
      
2. Configure your IdP to release attributes to all Rto R&S SPs, either globally or locally (see next sectionsubsequent sections)
3. Declare your IdP's ability to support global R&S by submitting a short form
   

Once the R&S declaration form has been submitted, your metadata will be updated to reflect your IdP's attribute release policy.

...

Reconfiguring Your IdP

Use of the Legacy R&S Tag

If you support R&S today, and you have not already performed the migration steps documented on this wiki page, your IdP is probably likely configured with a policy rule that releases attributes to R&S SPs tagged with the legacy incommon.org R&S entity attribute valuetag, something like this:

<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

Continued use of the incommon.org R&S tag in this manner is discouraged.

Although we have no immediate plans to remove that tag from SP metadata, we reserve the right to do so in the future. We will of course let you know in advance if and when this happens but in the meantime we ask that you remove the legacy incommon.org R&S tag from your IdP configuration. Doing so now prevents you from having to do so at a later time.

Configuring an IdP to Release Attributes Globally

This section is for existing R&S IdPs that want to support global Research & Scholarship by releasing attributes to all R&S SPs, including R&S SPs in other federations.

To support R&S globally, an R&S IdP should instead be configured with a policy rule that releases the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations. An instance of Shibboleth IdP V2 is may be configured as follows:

<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://refeds.org/category/research-and-scholarship"/>

Configure an An instance of Shibboleth IdP V3 as followsis configured similarly:

<afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://refeds.org/category/research-and-scholarship"/>

Note that the above configurations recognize the refeds.org R&S entity attribute value. For more detailed information about configuring an IdP for R&S, consult the R&S Attribute Bundle IdP Config topic.

Important! For both SPs and IdPs, only the refeds.org R&S entity attribute value is exported to eduGAIN:

See the R&S Entity Metadata topic for details about entity attributes in metadata.

Configuring an IdP to Release Attributes Locally

...

This section is for existing R&S IdPs that want to continue to release attributes to R&S SPs registered by InCommon only.

Configuring an IdP to Release Attributes Locally

An IdP that supports R&S locally is configured If you support R&S today, your IdP is probably configured with a policy rule that releases attributes to the R&S SPs tagged with the legacy incommon.org R&S entity attribute value:

<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

 To retain your current attribute release policy Attribute Bundle to R&S SPs registered by InCommon only. To do this without relying on the legacy incommon.org R&S entity attribute valuetag (a practice that is deprecated), an instance of Shibboleth IdP V2 leverages the Registered By InCommon Category as follows:

<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>

An instance of Shibboleth IdP V3 leverages either the registered-by-incommon entity attribute (as above) or the <mdrpi:RegistrationInfo> element in metadata directly, as shown in the following example:

<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:RegistrationAuthority"
      registrars="https://incommon.org"/>
</afp:PolicyRequirementRule>

...

...

For more information about configuring an IdP for R&S, consult the R&S Attribute Bundle IdP Config topic in the wiki.

Frequently Asked Questions

What do you mean by “multivalued R&S entity attribute?”

Please visit the R&S Entity Metadata wiki page. There you will find an example of a multivalued R&S entity attribute for R&S SPs.

Why do all R&S SPs have a multivalued R&S entity attribute in metadata?

Every R&S SP has a multivalued R&S entity attribute in metadata so that R&S IdPs can migrate to global R&S at any time without loss of interoperability. Eventually the legacy incommon.org R&S tag in SP metadata will be removed.

Why is it necessary to remove the legacy incommon.org R&S tag from SP metadata?

The Research & Scholarship category is now an international standard. The legacy incommon.org R&S tag is only relevant inside the InCommon Federation. In order to interoperate with international partners, the legacy incommon.org R&S tag must be replaced with the new refeds.org R&S tag, which is the only R&S entity attribute value recognized by R&E federations worldwide.

When will the legacy incommon.org R&S tag be removed from SP metadata?

We have no definite plans to remove the legacy incommon.org R&S tag from SP metadata. We will monitor the progress of the Research & Scholarship category in the InCommon Federation and make a determination at a later time. In the meantime, it is RECOMMENDED that all IdPs remove all references to the legacy incommon.org R&S tag from their configurations.

When will the incommon.org R&S tag be removed from IdP metadata?

As long as there are IdPs that want to restrict attribute release to R&S SPs registered by InCommon, the legacy incommon.org R&S tag will remain in IdP metadata. Note well: From a global perspective, you do not support R&S unless you recognize the refeds.org R&S entity attribute value in SP metadata.

When should I migrate to global R&S, that is, when should I reconfigure my IdP to release attributes to all R&S SPs globally?

You can reconfigure your IdP whenever you’re ready. If you are certain you want to support global R&S, then by all means reconfigure your IdP now.

If I reconfigure my IdP to recognize the refeds.org R&S tag, will my IdP start releasing attributes to SPs outside InCommon?

If your IdP recognizes the refeds.org R&S tag in SP metadata, it will automatically release attributes to all R&S SPs, including R&S SPs from other federations. That’s precisely what it means to support global R&S.

I don’t want to release attributes to R&S SPs from other federations. How do I prevent that from happening?

If you don’t want to release attributes to R&S SPs from other federations, don’t change your attribute release policy to recognize the refeds.org R&S entity attribute value. Simply continue to recognize the legacy incommon.org R&S entity attribute value as you do now, or better yet, reconfigure your IdP to release attributes to R&S SPs registered by InCommon without relying on the legacy incommon.org R&S tag.

If I don’t release attributes to global R&S SPs, why do I have to touch my IdP config at all?

You are not required to touch your IdP config, at least not at this time. The suggested actions are NOT REQUIRED.

That said, we encourage you to reconfigure your IdP as documented. If you do, and we decide to remove the legacy incommon.org R&S tag from SP metadata at some later date, you’ll be all set. In any case, we won’t do anything without giving everyone ample lead time.