
This document contains DRAFT material intended for discussion and comment by the InCommon participant community.  Comments and questions should be sent to the InCommon participants mailing list.

Default Attribute Release Policy

By definition, a default attribute release policy specifies a set of attributes to be released to any SP. 

A globally interoperable IdP will be configured such that both of the following are true:

  1. the IdP consumes and regularly refreshes the metadata of all SPs

  2. the IdP releases a subject name identifier by default to all SPs

An IdP that is unable (or unwilling) to do so is advised to self-assert membership in the Hide From Discovery Category.

An IdP's attribute release policy is strictly a local decision, but an IdP's ability to interoperate successfully with all SPs is a shared responsibility that leads to an overall positive federated user experience. A default attribute release policy is the first step towards becoming a good federation participant.

An IdP found not to interoperate with all SPs in the manner described above may be assigned the hide-from-discovery entity attribute at the discretion of InCommon Operations.

Crafting a Default Policy

A deployer has a wide range of default policies from which to choose. For simplicity, consider the set of name identifiers separate from other user attributes. To construct a default policy, simply choose one item from each list. Note that the lists below are not exhaustive; they are intended to be illustrative only.

Default name identifiers:

  1. SAML2 Transient NameID

  2. SAML2 Persistent NameID (which is equivalent to the eduPersonTargetedID attribute)

Default user attributes:

  1. eduPersonUniqueId

  2. eduPersonPrincipalName + displayName

  3. the Essential Attribute Bundle

Recommended Default Attribute Release Policy

All IdPs in the InCommon Federation SHOULD release a persistent, non-reassigned identifier to all SPs.

For example, the SAML2 Persistent NameID and the eduPersonUniqueId attribute are non-reassigned by definition. The eduPersonPrincipalName attribute is permitted to be reassigned but there is data to suggest that as many as 75% of InCommon IdPs assert an eduPersonPrincipalName that is not reassigned. Even if your deployment of eduPersonPrincipalName is reassigned, it is better to release it to all SPs than to have no default attribute release policy at all.

Regardless of whether your deployment of eduPersonPrincipalName is reassigned or not, it is strongly RECOMMENDED that IdPs support the eduPersonUniqueId attribute. It is believed that the use of eduPersonUniqueId will increase and eventually overtake eduPersonPrincipalName as the identifier of choice. Time will tell.

Repurposing Non-Reassigned ePPNs

If your deployment of eduPersonPrincipalName is non-reassigned, the values of eduPersonPrincipalName and eduPersonUniqueId asserted by your IdP MAY be the same.

Note that not all SPs need to receive the same default set of attributes. For example, SPs registered by InCommon might receive one set of attributes while other SPs might receive another. A single default attribute release policy avoids needless complication so consider that first.
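As an added illustration that is not part of the original page, the following attribute-filter fragment shows one way to express the recommended default policy (plus the optional InCommon-registered tier just described) on a Shibboleth IdP; it assumes a Shibboleth IdP v3 or later whose attribute resolver already defines attributes with the IDs eduPersonUniqueId, eduPersonPrincipalName and displayName, and that the SAML2 Persistent NameID is configured separately in the IdP's NameID generation settings.

```xml
<!-- Added example (assumed Shibboleth IdP, conf/attribute-filter.xml fragment).
     Attribute IDs must match those defined in the deployment's attribute resolver. -->
<AttributeFilterPolicyGroup id="DefaultRelease"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Default policy: matches every SP whose metadata the IdP has loaded.
       Releases a persistent, non-reassigned identifier to all SPs, as recommended. -->
  <AttributeFilterPolicy id="releaseToAllSPs">
    <PolicyRequirementRule xsi:type="ANY"/>

    <AttributeRule attributeID="eduPersonUniqueId">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>

    <!-- Released even if this deployment's ePPN is reassigned; better than no default at all. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Optional second tier: SPs registered by InCommon additionally receive displayName.
       Other SPs still receive only the default set above. -->
  <AttributeFilterPolicy id="releaseToInCommonRegisteredSPs">
    <PolicyRequirementRule xsi:type="RegistrationAuthority"
                           registrars="https://incommon.org"/>

    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Neither policy can fire for an SP whose metadata the IdP has not loaded, since the request is rejected before attribute filtering runs; that is why consuming and refreshing the metadata of all SPs is a precondition for the default release to actually reach them.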
