



This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.

Default Attribute Release Policy

By definition, a default attribute release policy specifies a set of attributes to be released to any SP.

An interoperable IdP will be configured such that both of the following are true:

  1. the IdP consumes all SP metadata

  2. the IdP releases a default set of attributes to all SPs

At the very least, an IdP will return an empty SAML response (with no NameID or user attributes) to all SPs. An IdP that is unable (or unwilling) to do that is advised to self-assert membership in the Hide From Discovery Category.

Ultimately, an IdP’s attribute release policy remains a strictly local decision, but the IdP’s ability to interoperate successfully with all SPs is a shared responsibility that leads to an overall positive user experience.

An IdP found not to interoperate with all SPs in the manner described above may be assigned the hide-from-discovery entity attribute at the discretion of InCommon Operations.

A deployer has a wide range of default attribute release policies from which to choose. For simplicity, consider the set of name identifiers separately from the other user attributes. To construct a default policy, simply choose one item from each list. Of course, the lists below are not exhaustive; they are intended to be illustrative only.

Default name identifiers:

  1. SAML2 Transient NameID

  2. SAML2 Persistent NameID (which is equivalent to the eduPersonTargetedID attribute)

Default user attributes:

  1. eduPersonScopedAffiliation

  2. eduPersonPrincipalName + displayName

  3. the Essential Attribute Bundle

Recommended Default Attribute Release Policy

All IdPs in the InCommon Federation SHOULD release a persistent identifier (eduPersonPrincipalName and/or the SAML2 Persistent NameID) to all SPs. Releasing the Essential Attribute Bundle to all SPs provides the best federated user experience and is therefore a highly RECOMMENDED default attribute release policy.

Note that not all SPs need to receive the same default set of attributes. For example, InCommon SPs might receive one set of attributes while global SPs receive another. A single default attribute release policy avoids needless complication, however.
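As an added illustration (not part of this draft, and not an InCommon-supplied configuration), the following is one way to express a default policy built from the lists above in a Shibboleth IdP v3 attribute-filter.xml. It assumes the deployer has chosen eduPersonPrincipalName + displayName plus eduPersonScopedAffiliation as the default set, and shows a second, narrower default keyed on the InCommon registration authority to illustrate the "InCommon SPs versus global SPs" split; the policy ids and the choice of attributes are assumptions.

```xml
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Default policy: applies to ANY SP whose metadata the IdP consumes.
       The attribute set below is an assumed choice from the lists in the
       draft; a deployer may substitute the Essential Attribute Bundle. -->
  <AttributeFilterPolicy id="defaultReleaseToAllSPs">
    <PolicyRequirementRule xsi:type="ANY" />

    <!-- Persistent identifier that SHOULD reach every SP. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Optional second default limited to SPs registered by InCommon,
       matched on the registrationAuthority carried in InCommon metadata.
       Global SPs (other registrars) still get only the policy above. -->
  <AttributeFilterPolicy id="defaultReleaseToInCommonSPs">
    <PolicyRequirementRule xsi:type="RegistrationAuthority"
        registrars="https://incommon.org" />

    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

The choice between a SAML2 Transient and a SAML2 Persistent NameID is not made in this file; in IdP v3 it is configured separately (saml-nameid.xml and its properties), and a filter policy that releases nothing still yields the empty response the draft calls the minimum.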
