This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.
Default Attribute Release Policy
By definition, a default attribute release policy specifies a set of attributes to be released to any SP.
An interoperable IdP will be configured such that both of the following are true:
the IdP consumes and regularly refreshes the metadata of all SPs
the IdP releases a subject name identifier by default to all SPs
An IdP that is unable (or unwilling) to do so is advised to self-assert membership in the Hide From Discovery Category.
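One way to meet the first requirement above on a Shibboleth IdP is a metadata provider that refreshes the federation aggregate on a schedule and refuses anything that is unsigned or stale. The fragment below is an added example for metadata-providers.xml, not configuration from this page or from InCommon; it assumes Shibboleth IdP v3 or later, and the metadata URL, backing file and signing certificate path are placeholders to be replaced with the federation's published values.

```xml
<!-- Added example (not from the page): a Shibboleth IdP metadata-providers.xml fragment.
     Assumptions: Shibboleth IdP v3+; the metadataURL, backingFile and certificateFile
     values are placeholders for the federation's real aggregate and signing certificate. -->
<MetadataProvider id="FederationAggregate"
    xsi:type="FileBackedHTTPMetadataProvider"
    metadataURL="https://md.example.org/federation-metadata.xml"
    backingFile="%{idp.home}/metadata/federation-metadata.xml"
    maxRefreshDelay="PT4H">

  <!-- Reject any aggregate whose root element is not signed by the federation's
       metadata signing key; this is what makes the SP list trustworthy. -->
  <MetadataFilter xsi:type="SignatureValidation"
      certificateFile="%{idp.home}/credentials/federation-metadata-signing.pem"
      requireSignedRoot="true"/>

  <!-- Require a validUntil attribute and refuse metadata valid for more than 14 days,
       so a stalled refresh cannot leave the IdP trusting an old SP set indefinitely. -->
  <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

</MetadataProvider>
```

With maxRefreshDelay set to a few hours the IdP re-downloads the aggregate well inside its validity window, so SPs added to or removed from the federation are picked up without operator action; the two filters are what turn "consumes metadata" into "consumes only authentic, current metadata".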
An IdP’s attribute release policy is strictly a local decision but an IdP’s ability to successfully interoperate with all SPs is a shared responsibility that leads to an overall positive federated user experience. A default attribute release policy is the first step towards becoming a good federation participant.
hide-from-discovery entity attribute at the discretion of InCommon Operations.
Crafting a Default Policy
A deployer has a wide range of default policies from which to choose. For simplicity, consider the set of name identifiers separate from other user attributes. To construct a default policy, simply choose one item from each list. Note that the lists below are not exhaustive; they are intended to be illustrative only.
Default name identifiers:
SAML2 Transient NameID
SAML2 Persistent NameID (which is equivalent to the eduPersonTargetedID attribute)
Default user attributes:
eduPersonUniqueId
eduPersonPrincipalName
+displayName
Recommended Default Attribute Release Policy
All IdPs in the InCommon Federation SHOULD release a persistent, non-reassigned identifier to all SPs.
For example, the SAML2 Persistent NameID and the eduPersonUniqueId attribute are non-reassigned by definition. The eduPersonPrincipalName attribute is permitted to be reassigned but there is data to suggest that as many as 75% of InCommon IdPs assert an ePPN that is not reassigned. Even if your deployment of ePPN is reassigned, it is better to release it to all SPs instead of having no default attribute release policy at all.
Note that not all SPs need to receive the same default set of attributes. For example, SPs registered by InCommon might receive one set of attributes while other SPs might receive another. A single default attribute release policy avoids needless complication so consider that first.
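The recommended policy above (a non-reassigned identifier to every SP) and the two-tier variant in this paragraph can both be expressed in a single Shibboleth IdP attribute-filter.xml. The fragment below is an added example, not configuration from this page or from InCommon; it assumes Shibboleth IdP v3 or later, that eduPersonPrincipalName and displayName are already defined in the resolver, and that "https://incommon.org" is the registrationAuthority value InCommon stamps on the SPs it registers.

```xml
<!-- Added example (not from the page): a Shibboleth IdP attribute-filter.xml fragment.
     Assumptions: Shibboleth IdP v3+; eduPersonPrincipalName and displayName exist in the
     attribute resolver; "https://incommon.org" is the registrationAuthority of SPs
     registered by InCommon. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Default policy: every SP present in loaded metadata receives
       eduPersonPrincipalName. The ANY requirement rule is what makes this a default
       rather than an SP-by-SP allow list. -->
  <AttributeFilterPolicy id="defaultReleaseToAnySP">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Second tier: SPs whose metadata was registered by InCommon additionally
       receive displayName. SPs from other registrars fall through to the default
       policy only. -->
  <AttributeFilterPolicy id="releaseToInCommonRegisteredSPs">
    <PolicyRequirementRule xsi:type="RegistrationAuthority" registrars="https://incommon.org"/>
    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Filter policies are additive, so an SP matching both rules receives the union of the two attribute sets; deleting the second policy leaves exactly the single default policy the page recommends considering first. Because the RegistrationAuthority rule keys off the registrationAuthority in signed federation metadata rather than off an entityID pattern, an SP cannot claim the InCommon tier by choosing its own name.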