This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.
Default Attribute Release
Assuming an IdP is configured to respond to a SAML AuthnRequest from any SP, and assuming the AuthnRequest is well formed to begin with, an appropriate SAML response can take on many forms:
- Return an empty SAML response (with no NameID or user attributes) to all SPs
- Release a SAML Transient NameID (but no user attributes) to all SPs
- Release eduPersonTargetedID to all SPs
- Release eduPersonPrincipalName to all SPs
- Release the Essential Attribute Bundle to all SPs
The above attribute release policies are listed in order of increasing interoperability. Start by considering the latter and work your way backwards to determine the default policy that is best for you and your users.
Recommended Default Attribute Release Policy
All IdPs in the InCommon Federation SHOULD release a persistent identifier (eduPersonPrincipalName or eduPersonTargetedID) to all SPs. Releasing the Essential Attribute Bundle to all SPs provides the best federated user experience and is therefore a highly RECOMMENDED default attribute release policy.
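The recommended default above (a persistent identifier released to every SP), written as a Shibboleth IdP attribute filter policy. This is an added example, not part of the InCommon draft; it assumes a Shibboleth IdP whose attribute resolver already defines eduPersonPrincipalName and eduPersonTargetedID under those attribute IDs.

```xml
<!-- Added example (not from the InCommon draft): conf/attribute-filter.xml for a
     Shibboleth IdP. Releases a persistent identifier to all SPs, which is the
     minimum default policy the draft says an InCommon IdP SHOULD adopt. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- "ANY" matches every requesting SP, so this is the default policy. -->
    <AttributeFilterPolicy id="defaultPersistentIdentifier">
        <PolicyRequirementRule xsi:type="ANY" />

        <!-- Release eduPersonPrincipalName to every SP. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- Also release eduPersonTargetedID; either attribute alone satisfies
             the SHOULD, so drop one of the two rules if you only want one. -->
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Nothing is released unless an AttributeRule permits it, so an IdP that ships only the policy above implements the "persistent identifier to all SPs" option and none of the less interoperable ones; widening it to the Essential Attribute Bundle is a matter of adding further AttributeRule elements to the same policy.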
At the end of the day, an IdP’s attribute release policy is a local decision, but the IdP’s ability to successfully interoperate with all SPs is a shared responsibility that leads to an overall positive user experience.