Default Attribute Release
Assuming an IdP is configured to respond to a SAML AuthnRequest from any SP, and assuming the AuthnRequest is well formed, an appropriate SAML response can take on many forms:
- Return an empty SAML response (with no NameID or user attributes) to all SPs
- Release a SAML Transient NameID (but no user attributes) to all SPs
- Release eduPersonTargetedID to all SPs
- Release eduPersonPrincipalName to all SPs
- Release the Essential Attribute Bundle to all SPs
The above attribute release policies are listed in order of increasing interoperability. Start by considering the last option and work your way backwards to determine the default policy that is best for you and your users.
Recommended Default Attribute Release Policy
All IdPs in the InCommon Federation SHOULD release a persistent identifier (eduPersonPrincipalName or eduPersonTargetedID) to all SPs. Releasing the Essential Attribute Bundle to all SPs provides the best federated user experience and is therefore a highly RECOMMENDED default attribute release policy.