h2. Research & Scholarship for Identity Providers

{div:style=float:right;margin-left:1em;margin-bottom:1ex}{note}Browse a list of [all current R&S SPs and IdPs|https://incommon.org/federation/info/all-sp-categories.html]{note}{div}

To have your IdP added to the [list of IdPs that support R&S|https://incommon.org/federation/info/all-sp-categories.html]:

# read this wiki page completely
# configure your IdP for R&S (see below for [IdP deployment options|#deploy-options])
# [declare your willingness and ability to support R&S|https://docs.google.com/a/internet2.edu/spreadsheet/viewform?formkey=dDBabVBYNXo5a0tHRTRHOFJJMUQ0dGc6MQ#gid=0] by filling out a short form

Once this is done, your IdP will be added to the list, normally within one business day.

{tip:title=For R&S SP Operators}
To have an IdP added to the [list of IdPs that support R&S|https://incommon.org/federation/info/all-sp-categories.html], contact us at admin@incommon.org. We will reach out to the site admins for that IdP on your behalf.
{tip}


h2. IdP Deployment Requirements

An identity provider (IdP) supports the [Research & Scholarship (R&S) Category|Research and Scholarship Category] if, for some subset of the IdP's user population, the IdP _releases a minimal subset of the R&S attribute bundle to R&S SPs without administrative involvement_, either automatically or subject to user consent. The following attributes constitute a minimal subset of the R&S attribute bundle:

- {{eduPersonPrincipalName}}
- {{mail}}
- {{displayName}} OR ({{givenName}} AND {{sn}})

For the purposes of access control, a non-reassigned persistent identifier is required. If your deployment of {{eduPersonPrincipalName}} is non-reassigned, it will suffice. Otherwise you MUST release {{eduPersonTargetedID}} (which is non-reassigned by definition) in addition to {{eduPersonPrincipalName}}. In any case, release of both identifiers is RECOMMENDED.

{tip:title=Testing IdP Support for R&S}
Once you've configured your IdP (as discussed in the next section), you can test your configuration using this [test page|https://portal.geni.net/secure/env.php], a service provided by the [GENI Experimenter Portal|https://incommon.org/federation/info/entity.html?entityID=https%3A%2F%2Fpanther.gpolab.bbn.com%2Fshibboleth], an official R&S SP.
{tip}


h2. IdP Deployment Options

To support R&S, an IdP has at least three options (in increasing order of deployment difficulty):

# Release a fixed subset of the R&S bundle (or the R&S bundle itself) to *all SPs*
# Release a fixed subset of the R&S bundle (or the R&S bundle itself) to *all R&S SPs* (leveraging an [entity attribute|Entity Attributes] in SP metadata)
# Release a varying subset of the R&S bundle to each R&S SP (depending on [requested attributes|Requested Attributes] in SP metadata)

The latest version of the Shibboleth IdP software supports all of these options out of the box. (There are documented workarounds for earlier versions of the Shibboleth IdP.) No other IdP software is known to support entity attributes at this time.
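
The following Python example, added here and not taken from InCommon or the Shibboleth project, applies option 2 to SP metadata and then checks the released attribute set against the minimal subset and the persistent identifier rule from the requirements section. The entity attribute name and value, the sample metadata, and all function names are assumptions, since this page does not state them.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: entity attribute name and R&S value; this page does not state them.
CATEGORY_ATTR = "http://macedir.org/entity-category"
RS_VALUE = "http://refeds.org/category/research-and-scholarship"
# Attributes this page names in connection with R&S release.
PAGE_ATTRS = {"eduPersonPrincipalName", "eduPersonTargetedID", "mail",
              "displayName", "givenName", "sn"}

def is_rs_sp(entity_xml):
    """True if the SP metadata carries the R&S entity attribute value.
    Assumes the metadata signature was already verified upstream."""
    path = ("md:Extensions/mdattr:EntityAttributes/saml:Attribute"
            "[@Name='%s']/saml:AttributeValue" % CATEGORY_ATTR)
    values = ET.fromstring(entity_xml).findall(path, NS)
    return any((v.text or "").strip() == RS_VALUE for v in values)

def release(entity_xml, user_attrs):
    """Option 2: release to R&S SPs only; other SPs get nothing here."""
    if not is_rs_sp(entity_xml):
        return {}
    return {k: v for k, v in user_attrs.items() if k in PAGE_ATTRS and v}

def missing_requirements(released, eppn_reassigned):
    """What a released set lacks relative to the minimal subset above."""
    missing = [a for a in ("eduPersonPrincipalName", "mail") if a not in released]
    if "displayName" not in released and not {"givenName", "sn"} <= set(released):
        missing.append("displayName OR (givenName AND sn)")
    # A reassignable ePPN cannot anchor access control, so ePTID is mandatory.
    if eppn_reassigned and "eduPersonTargetedID" not in released:
        missing.append("eduPersonTargetedID")
    return missing

# Constructed sample metadata for hypothetical SPs (not real federation entities).
TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/sp">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>%s</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""
SAMPLE_RS_SP = TEMPLATE % RS_VALUE
SAMPLE_OTHER_SP = TEMPLATE % "https://example.org/category/other"
```

An empty list from {{missing_requirements}} means the released set meets the minimal subset; any entry names the attribute an R&S SP would find missing.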

{tip:title=Supporting R&S}
Sites are strongly encouraged to configure their IdPs to support R&S, either by releasing the [Research and Scholarship Attribute Bundle] directly to R&S SPs or by releasing the [Essential Attribute Bundle] to all SPs.
{tip}

The R&S category is the first of many such categories. Soon there will be multiple categories, for both SPs and IdPs, such that each category has its own entity attribute value. To support a given category, an additional software configuration similar to the [R&S IdP configuration|Research and Scholarship Attribute Bundle Config] is required.

The use of [entity attributes|Entity Attributes] (as opposed to [entity IDs|Entity IDs]) significantly reduces the administrative burden at the IdP. As the number of categories increases, however, the number of configurations increases as well. It is natural to ask whether there is an even higher level of abstraction that further simplifies the administration of attributes. The answer is yes: an IdP can release the [Essential Attribute Bundle] to *all SPs*, not just R&S SPs. Such a configuration can simultaneously satisfy the attribute requirements of multiple categories.

If you have further questions, please consult the [Research and Scholarship FAQ].