Migrating to the Global Research & Scholarship Category

This topic is for operators of existing Research & Scholarship (R&S) IdPs. All R&S SPs in the InCommon Federation now meet the requirements of the international REFEDS Research & Scholarship Entity Category specification and therefore all R&S SPs have a multivalued R&S entity attribute in InCommon metadata. More importantly, InCommon will begin importing the metadata of R&S SPs from other federations as soon as possible, so now is the time for R&S IdP operators to begin thinking about their migration strategy to global R&S.

Basically, the operator of an existing R&S IdP has two options:

  1. Release attributes to all R&S SPs, including R&S SPs in other federations
  2. Release attributes to R&S SPs registered by InCommon only

These two options are discussed in the sections below.

Your action is RECOMMENDED but NOT REQUIRED

Neither of the actions documented here is required. If you choose to take no action, nothing will break. We do, however, strongly encourage you to perform exactly one of the actions documented on this page.

Use of the Legacy R&S Tag

If you support R&S today, your IdP is probably configured with a policy rule that releases attributes to R&S SPs tagged with the legacy incommon.org R&S entity attribute value, something like this:

A Shib IdP V2 rule that uses the legacy incommon.org R&S tag
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://id.incommon.org/category/research-and-scholarship"/>

Use of the incommon.org R&S tag in this manner is discouraged.

Use of the incommon.org R&S tag at the IdP is deprecated

Use of the legacy incommon.org R&S tag to configure attribute release policy at the IdP is deprecated. Eventually this tag will be removed from SP metadata but a timeline for doing so has not been determined.

Thus all R&S IdPs should be reconfigured to not rely on the legacy incommon.org R&S tag. Although we have no immediate plans to remove that tag from SP metadata, we reserve the right to do so in the future. We will of course let you know in advance if and when this happens but in the meantime we ask that you remove the legacy incommon.org R&S tag from your IdP configuration. Doing so now prevents you from having to do so later on.

Releasing Attributes to All R&S SPs

This section is for existing R&S IdPs that want to support global Research & Scholarship by releasing attributes to all R&S SPs, including R&S SPs in other federations.

Supporting the REFEDS R&S Entity Category

R&S IdPs that support global R&S are shown in green on the Entity Categories info page.

To support R&S globally, the operator of an existing R&S IdP follows this simple 3-step process:

  1. Review the authoritative REFEDS Research & Scholarship Entity Category specification
    1. The requirements for an R&S SP have changed slightly (a gap analysis has been prepared for your convenience)
    2. The requirements for an R&S IdP have not changed
  2. Configure your IdP to release attributes to all R&S SPs globally (see next section)
  3. Declare your IdP's ability to support global R&S by submitting a short form

An IdP that releases attributes to all R&S SPs will be among the first group of InCommon IdPs whose metadata is exported to eduGAIN.

Configuring an IdP to Release Attributes Globally

To support R&S globally, an R&S IdP should be configured with a policy rule that releases the R&S Attribute Bundle to all R&S SPs, including R&S SPs in other federations. An instance of Shibboleth IdP V2 may be configured as follows:

A Shib IdP V2 rule that releases attributes to ALL R&S SPs
<afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://refeds.org/category/research-and-scholarship"/>

Similarly, an instance of Shibboleth IdP V3 may be configured as follows:

A Shib IdP V3 rule that releases attributes to ALL R&S SPs
<afp:PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
    attributeName="http://macedir.org/entity-category"
    attributeValue="http://refeds.org/category/research-and-scholarship"/>

Note that the above configurations recognize the refeds.org R&S entity attribute value. For more detailed information about configuring an IdP for R&S, consult the R&S Attribute Bundle Config topic.

Important! For both SPs and IdPs, only the refeds.org R&S entity attribute value is exported to eduGAIN:

Exporting the R&S entity attribute

The legacy incommon.org R&S entity attribute value

http://id.incommon.org/category/research-and-scholarship

is not exported to eduGAIN. Only the refeds.org R&S entity attribute value

http://refeds.org/category/research-and-scholarship

is exported to eduGAIN!

See the R&S Entity Metadata topic for details about entity attributes in metadata.

Releasing Attributes to R&S SPs Registered By InCommon

This section is for existing R&S IdPs that want to continue to release attributes to R&S SPs registered by InCommon.

Configuring an IdP to Release Attributes Locally

To support R&S locally, an R&S IdP should be configured with a policy rule that releases the R&S Attribute Bundle to R&S SPs registered by InCommon. To do this without relying on the legacy incommon.org R&S tag, an instance of Shibboleth IdP V2 leverages the Registered By InCommon Category as follows:

A Shib IdP V2 rule that releases attributes to R&S SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
</afp:PolicyRequirementRule>

An instance of Shibboleth IdP V3 leverages either the registered-by-incommon entity attribute (as above) or the <mdrpi:RegistrationInfo> element in metadata directly, as shown in the following example:

A Shib IdP V3 rule that releases attributes to R&S SPs registered by InCommon
<afp:PolicyRequirementRule xsi:type="basic:AND">
  <basic:Rule xsi:type="saml:EntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <basic:Rule xsi:type="saml:RegistrationAuthority"
      registrars="https://incommon.org"/>
</afp:PolicyRequirementRule>

The registrars XML attribute takes a space-separated list of registrar IDs, so the RegistrationAuthority configuration shown above is the most flexible.

For more information about configuring an IdP for R&S, consult the R&S Attribute Bundle Config topic in the wiki.
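As an added example (not InCommon's or Shibboleth's own code), the following Python sketch evaluates the legacy, global and registered-by-InCommon rules from this page against a metadata aggregate, so an operator can see which SPs each rule would release the R&S Attribute Bundle to before changing the IdP. The local rule is modelled on the V3 RegistrationAuthority form; the sample aggregate, its entityIDs and the registrar https://registrar.example.net are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY = "http://macedir.org/entity-category"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
LEGACY_RS = "http://id.incommon.org/category/research-and-scholarship"

def _sp(entity_id, registrar, *categories):
    """Build one constructed SP <md:EntityDescriptor> for the sample aggregate."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'<mdrpi:RegistrationInfo registrationAuthority="{registrar}"/>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{CATEGORY}">{values}'
            f'</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
            '<md:SPSSODescriptor protocolSupportEnumeration=""/></md:EntityDescriptor>')

# Constructed sample: the entityIDs and the non-InCommon registrar are placeholders.
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SAMPLE = (f"<md:EntitiesDescriptor {XMLNS}>"
          + _sp("https://sp1.example.edu/shibboleth", "https://incommon.org", REFEDS_RS, LEGACY_RS)
          + _sp("https://sp2.example.org/shibboleth", "https://registrar.example.net", REFEDS_RS)
          + _sp("https://sp3.example.edu/shibboleth", "https://incommon.org")
          + "</md:EntitiesDescriptor>")

def audit(metadata_xml, registrars="https://incommon.org"):
    """Return {SP entityID: set of rules ('legacy', 'global', 'local') that match it}."""
    # Assumes the aggregate's signature was already verified; this sketch does not check it.
    allowed = set(registrars.split())   # space-separated, like the registrars XML attribute
    result = {}
    for ent in ET.fromstring(metadata_xml).iterfind(".//md:EntityDescriptor", NS):
        if ent.find("md:SPSSODescriptor", NS) is None:
            continue                    # only SPs are attribute requesters
        cats = {v.text.strip()
                for a in ent.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
                if a.get("Name") == CATEGORY
                for v in a.iterfind("saml:AttributeValue", NS) if v.text}
        reg = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        authority = reg.get("registrationAuthority") if reg is not None else None
        rules = set()
        if REFEDS_RS in cats:
            rules.add("global")         # refeds.org tag alone: every R&S SP
            if authority in allowed:
                rules.add("local")      # refeds.org tag AND an accepted registrar
        if LEGACY_RS in cats:
            rules.add("legacy")         # deprecated incommon.org tag
        result[ent.get("entityID")] = rules
    return result
```

SPs that match "global" but not "local" are the ones that begin receiving the bundle once the refeds.org rule is used on its own.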

Frequently Asked Questions

What do you mean by “multivalued R&S entity attribute?”

Please visit the R&S Entity Metadata wiki page. There you will find an example of a multivalued R&S entity attribute for R&S SPs.

Why do all R&S SPs have a multivalued R&S entity attribute in metadata?

Every R&S SP has a multivalued R&S entity attribute in metadata so that R&S IdPs can migrate to global R&S at any time without loss of interoperability.

Under what conditions will an IdP receive a multivalued R&S entity attribute in metadata?

Under no circumstances will an IdP receive a multivalued R&S entity attribute. An IdP receives the refeds.org R&S tag if and only if it releases attributes to all R&S SPs globally. If, on the other hand, an IdP releases attributes to R&S SPs registered by InCommon only, it will receive the incommon.org R&S tag.

Be aware, however, that the incommon.org R&S tag will not be exported outside the InCommon Federation. If and when your IdP metadata is exported to eduGAIN, it will not contain an R&S entity attribute at all. From a global perspective, you do not support R&S unless you recognize the refeds.org R&S entity attribute value.

When should I migrate to global R&S, that is, when should I configure my IdP to release attributes to all R&S SPs globally?

You can reconfigure your IdP whenever you’re ready. Today there are no global R&S SPs in InCommon metadata but soon there will be. If you are certain you want to support global R&S, then by all means reconfigure your IdP now.

If I reconfigure my IdP to recognize the refeds.org R&S tag, will my IdP start releasing attributes to SPs outside InCommon?

At this moment, all the entities in the InCommon metadata aggregate are registered by InCommon, so the only R&S SPs in the aggregate are InCommon R&S SPs. Within the next few months, however, InCommon will begin importing R&S SPs from other federations via eduGAIN. When that happens, if your IdP recognizes the refeds.org R&S entity attribute value, it will automatically release attributes to all R&S SPs, including R&S SPs from other federations. That’s precisely what it means to support global R&S.

I don’t want to release attributes to R&S SPs from other federations. How do I prevent that from happening?

If you don’t want to release attributes to R&S SPs from other federations, don’t change your attribute release policy to recognize the refeds.org R&S entity attribute value. Simply continue to recognize the legacy incommon.org R&S entity attribute value as you do now, or better yet, reconfigure your IdP to release attributes to R&S SPs registered by InCommon without relying on the legacy incommon.org R&S tag.

I don’t want to release attributes to global R&S SPs, so why do I have to touch my IdP config at all?

You are not required to touch your IdP config, at least not at this time. The actions documented here are RECOMMENDED but NOT REQUIRED.

That said, we encourage you to reconfigure your IdP as documented. If you do, and we decide to remove the legacy incommon.org R&S tag from SP metadata at some later time, you’ll be all set. In any case, we won’t do anything without giving everyone ample lead time.

Why is it necessary to remove the legacy incommon.org R&S tag from SP metadata?

The Research & Scholarship category is now an international standard. The legacy incommon.org R&S entity attribute value is only relevant inside the InCommon Federation. In order to interoperate with international partners, the legacy incommon.org R&S tag must be replaced with the new refeds.org R&S entity attribute value, which is the only R&S entity attribute value recognized by R&E federations worldwide.

When will the legacy incommon.org R&S tag be removed from SP metadata?

We have no definite plans to remove the legacy incommon.org R&S tag from SP metadata. We will monitor the progress of the Research & Scholarship category in the InCommon Federation and make a determination at a later time. In the meantime, it is RECOMMENDED that all IdPs remove all references to the legacy incommon.org R&S tag from their configurations.

When will the incommon.org R&S tag be removed from IdP metadata?

As long as there are IdPs that want to restrict attribute release to R&S SPs registered by InCommon, the legacy incommon.org R&S tag will remain in IdP metadata.

 
