This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.
Default Attribute Release Policy
By definition, a default attribute release policy specifies a set of attributes to be released to any SP.
An interoperable IdP will be configured such that both of the following are true:
the IdP consumes and regularly refreshes the metadata of all SPs
the IdP releases a subject name identifier by default to all SPs
An IdP that is unable (or unwilling) to do so is advised to self-assert membership in the Hide From Discovery Category.
An IdP’s attribute release policy is strictly a local decision, but an IdP’s ability to interoperate successfully with all SPs is a shared responsibility, and one that produces a positive federated user experience overall. A default attribute release policy is the first step towards becoming a good federation participant.
hide-from-discovery entity attribute at the discretion of InCommon Operations.
Crafting a Default Policy
A deployer has a wide range of default policies from which to choose. For simplicity, consider the set of name identifiers separate from other user attributes. To construct a default policy, simply choose one item from each list. Note that the lists below are not exhaustive; they are intended to be illustrative only.
Default name identifiers:
SAML2 Transient NameID
SAML2 Persistent NameID (which is equivalent to the eduPersonTargetedID attribute)
Default user attributes:
eduPersonUniqueId
eduPersonPrincipalName
displayName (released in addition to one of the identifiers above)
Recommended Default Attribute Release Policy
All IdPs in the InCommon Federation SHOULD release a persistent, non-reassigned identifier to all SPs.
For example, the SAML2 Persistent NameID and the eduPersonUniqueId attribute are non-reassigned by definition. The eduPersonPrincipalName attribute is permitted to be reassigned, but there is data to suggest that as many as 75% of InCommon IdPs assert an eduPersonPrincipalName that is not reassigned. Even if your deployment of eduPersonPrincipalName is reassigned, it is better to release it to all SPs than to have no default attribute release policy at all.
If your deployment of eduPersonPrincipalName is reassigned (and even if it is not), it is strongly RECOMMENDED that IdPs support the eduPersonUniqueId attribute. It is believed that the use of eduPersonUniqueId will increase significantly and eventually overtake eduPersonPrincipalName.
Note that not all SPs need to receive the same default set of attributes. For example, SPs registered by InCommon might receive one set of attributes while other SPs might receive another. A single default attribute release policy avoids needless complication, so consider that first.
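As an added example (not part of the original page, and not InCommon's or the Shibboleth project's own configuration), here is the recommended default policy from the sections above expressed as a Shibboleth IdP attribute filter: a persistent, non-reassigned identifier (eduPersonUniqueId) plus displayName is released to every SP, and, to illustrate the registrar-split variant just described, eduPersonPrincipalName is released only to SPs whose metadata carries InCommon's registrationAuthority. The policy ids and the attribute IDs (which must match the ids defined in your attribute-resolver.xml) are assumptions; check the registrars value against the mdrpi:RegistrationInfo in the metadata your IdP actually consumes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/attribute-filter.xml for Shibboleth IdP v3 and later.
     Added example, not from the page. Attribute IDs are assumed to match
     the AttributeDefinition ids in attribute-resolver.xml. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Default policy: xsi:type="ANY" matches every requester, so a
         non-reassigned identifier (and a display name) reaches all SPs,
         regardless of what any more specific policy adds. -->
    <AttributeFilterPolicy id="defaultReleaseToAllSPs">
        <PolicyRequirementRule xsi:type="ANY"/>
        <AttributeRule attributeID="eduPersonUniqueId">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Variant: a richer default only for SPs registered by InCommon,
         selected on the registrationAuthority carried in SP metadata
         (mdrpi:RegistrationInfo). Verify the value against your metadata. -->
    <AttributeFilterPolicy id="defaultReleaseToInCommonRegisteredSPs">
        <PolicyRequirementRule xsi:type="RegistrationAuthority"
                               registrars="https://incommon.org"/>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Two caveats a deployer will want to check. First, a filter only releases what the resolver produced: if eduPersonUniqueId is not defined in attribute-resolver.xml, the rule above is silently a no-op, so verify the actual release for a given SP with the IdP's aacli.sh (bin/aacli.sh -n someuser -r https://sp.example.org/shibboleth, where the user and entityID are placeholders) after reloading the filter service (the admin endpoint /idp/profile/admin/reload-service?id=shibboleth.AttributeFilterService). Second, the SAML2 Persistent NameID from the name identifier list is not an attribute rule at all; it is enabled separately by activating shibboleth.SAML2PersistentGenerator in conf/saml-nameid.xml and setting idp.persistentId.sourceAttribute (and a salt, idp.persistentId.salt) in conf/saml-nameid.properties, with the source attribute itself being one that is never reassigned.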