h2. Research & Scholarship Attribute Bundle {div:style=float:right;margin-left:1em;margin-bottom:1ex}{info}Configure your IdP to [release the R&S attribute bundle|Research and Scholarship Attribute Bundle Config] now!{info}{div} Identity providers are encouraged to release the _R&S attribute bundle_ to all R&S service providers: * _Identifiers_ ** {{eduPersonPrincipalName}} ** {{eduPersonTargetedID}} * _Mail attribute_ ** {{mail}} * _Person name attributes_ ** {{displayName}} ** {{givenName}} ** {{sn}} (surname) * _Authorization attribute_ ** {{eduPersonScopedAffiliation}} It is easy to configure a Shibboleth IdP to [release the R&S attribute bundle|Research and Scholarship Attribute Bundle Config] to all R&S SPs. If, however, you are using SAML software that does not support entity attributes, consider releasing the [Essential Attribute Bundle] to all SPs instead. {note:title=Supporting the Research & Scholarship Category} An identity provider (IdP) supports the [Research & Scholarship (R&S) Category|Research and Scholarship Category] if, for some subset of the IdP's user population, the IdP releases a minimal subset of the R&S attribute bundle to R&S service providers without administrative involvement, either automatically or subject to user consent. {note} {anchor:minimal-subset} h4. Minimal Subset of the R&S Attribute Bundle The following attributes constitute a _minimal subset of the R&S attribute bundle_: * {{eduPersonPrincipalName}} * {{mail}} * {{displayName}} OR ({{givenName}} AND {{sn}}) For the purposes of access control, a _non-reassigned persistent identifier_ is REQUIRED. If your deployment of {{eduPersonPrincipalName}} is non-reassigned, it will suffice. Otherwise you MUST release {{eduPersonTargetedID}} (which is non-reassigned by definition) in addition to {{eduPersonPrincipalName}}. In any case, release of both identifiers is RECOMMENDED. h5. An Optimization If a service provider lists *any* of the person name attributes in metadata, the identity provider MUST release some form of person name, either {{displayName}} or {{givenName}} + {{sn}}. Beyond that, an identity provider is NOT REQUIRED to release any attribute not listed in metadata. |