A growing number of Service Providers (SPs) supporting collaborative Research and Scholarship activities are joining InCommon. As is the standard practice in the Higher Education/Research world, collaboration on these sites involves knowing who the collaborators are: name, email, institutional affiliation. Unfortunately, the default Attribute Release Policies in place at most campus Identity Providers (IdPs) do not share any information with these sites without local review of the SP's purpose, governing policy, and operational practices.
This approach is simply not scalable to the thousands of campus IdPs and thousands of SPs supporting research and scholarship that we anticipate in the future. It is already a serious problem for the big Virtual Organizations and Research Labs; the hoped-for explosion of smaller collaboration sites housed in academic departments will not succeed with federation unless a scalable solution is developed.
InCommon is implementing a simplified and scalable approach to this problem through the specification of a "Research and Scholarship (R&S)" category for SPs. All InCommon SPs have already agreed to a set of practices governing how they manage and use personal attributes. To qualify for inclusion in the R&S category, SPs comply with an additional set of criteria that are designed to facilitate IdP policy decisions to release a controlled set of low-risk attributes to R&S SPs without local review. InCommon provides metadata and technology tools to further facilitate automatic, but controlled, release of attributes to the R&S SPs, as well as aiding user support.
This [Research and Scholarship Category Pilot] will include a small number of SPs and IdPs to test this approach, recommending modifications to the specifications described here, as appropriate. The following are the participants in this pilot:
- Service Providers
- Identity Providers
[Tom Barton's text...]
In addition to the requirements outlined in the InCommon Federation: Participation Agreement, Service Providers must comply with the following requirements:
- The service enhances the research and scholarship activities of some subset of the InCommon community.
- The service requires a subset of R&S Category Attributes. (See below.)
- The service does not require out-of-band negotiation and/or contracts with IdPs.
- The service conforms to a specific subset of the [Recommended Practices] published by InCommon.
- The SP is a production SAML deployment.
- The SP supports SAML V2.0 Web Browser SSO.
- The SP [refreshes and verifies metadata] at least daily.
- The SP's metadata has been provided to InCommon so that it can be published in a human-readable format on the InCommon public web site.
- The SP provides appropriate contacts in the metadata.
- The SP provides its [requested attributes] in metadata, chosen from the R&S subset.
- The SP intelligently handles errors involving the release of requested attributes.
InCommon IdPs are strongly encouraged to release the following attributes to R&S Category SPs:
- e-mail address (mail)
- user identifier (
- user role (
R&S Category SPs may request other attributes, but those requests are not likely to be honored by IdPs unless there has been prior agreement with the IdP Operator. It is highly recommended that SPs use a minimalist approach to attribute requests.
To request membership in the R&S category, a site administrator for the organization owning the SP completes a web form asserting compliance with the criteria. This initiates the following approval process:
- InCommon Staff review the requests, interacting with the submitter and the InCommon Technical Advisory Council (TAC), as needed.
- Assuming a positive review, the Staff provide a one-paragraph summary recommending approval of the request to the InCommon Steering Committee and the TAC, asking for comments within one week.
- Approval or rejection of the request is determined by consensus by the review participants.
When an SP is approved for the R&S category,
- An entity attribute is inserted into metadata.
- The new R&S SP is added to a web page listing members of the R&S category.
- An announcement is sent to the email@example.com email list and/or the monthly newsletter.
Identity Providers are responsible for protection of the privacy of their community members' identity attributes. As such, they must be cautious when releasing those attributes to Service Providers. As can be seen above, the R&S Category has been restricted to the release of low-risk attributes to low-risk Service Providers with high value. Nevertheless, legislation such as FERPA, as well as local policy, may require further controls over attribute release by an IdP. For example, some students may have opted out of attribute release under FERPA.
Mechanisms for implementing such controls are described below in "Technical Considerations." In the interest of facilitating collaboration and sharing of resources for as broad a community as possible, however, it is recommended that such controls be applied with as small a scope as possible.
The following documents describe the technical considerations for participation in the R&S Category:
- Federation Metadata
- [InCCollaborate:Metadata Support for the R&S Category]
- Service Providers
- There are no technical requirements for SPs, other than those described above in "Requirements for the R&S Category."
- Identity Providers
- DRAFT [InCCollaborate:Guidance for IdPs]