h2. Research & Scholarship Attribute Bundle

{div:style=float:right;margin-left:1em;margin-bottom:1ex}{info}Configure your IdP to [release the R&S attribute bundle|Research and Scholarship Attribute Bundle Config] now!{info}{div}

Identity providers are encouraged to release the _R&S attribute bundle_ to all R&S service providers:

* _Identifiers_
** {{eduPersonPrincipalName}}
** {{eduPersonTargetedID}}
* _Mail attribute_
** {{mail}}
* _Person name attributes_
** {{displayName}}
** {{givenName}}
** {{sn}} (surname)
* _Authorization attribute_
** {{eduPersonScopedAffiliation}}

It is easy to configure a Shibboleth IdP to [release the R&S attribute bundle|Research and Scholarship Attribute Bundle Config] to all R&S SPs. If, however, you are using SAML software that does not support entity attributes, consider releasing the [Essential Attribute Bundle] to all SPs instead.

{note:title=Supporting the Research & Scholarship Category}
An identity provider (IdP) supports the [Research & Scholarship (R&S) Category|Research and Scholarship Category] if, for some subset of the IdP's user population, the IdP releases a minimal subset of the R&S attribute bundle to R&S service providers without administrative involvement, either automatically or subject to user consent.
{note}

{anchor:minimal-subset}
h4. Minimal Subset of the R&S Attribute Bundle

The following attributes constitute a _minimal subset of the R&S attribute bundle_:

* {{eduPersonPrincipalName}}
* {{mail}}
* {{displayName}} OR ({{givenName}} AND {{sn}})

For the purposes of access control, a _non-reassigned persistent identifier_ is REQUIRED. If your deployment of {{eduPersonPrincipalName}} is non-reassigned, it will suffice. Otherwise you MUST release {{eduPersonTargetedID}} (which is non-reassigned by definition) in addition to {{eduPersonPrincipalName}}. In any case, release of both identifiers is RECOMMENDED.

h5. An Optimization

If a service provider lists *any* of the person name attributes in metadata, the identity provider MUST release some form of person name, either {{displayName}} or both {{givenName}} and {{sn}}. Beyond that, an identity provider is NOT REQUIRED to release any attribute not listed in metadata.
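
The rules above can be checked mechanically against the attribute names an IdP sends in a test assertion. The following Python is an added example, not part of the original page or of any IdP software; the function {{rs_release_gaps}} and its parameters are hypothetical, and it assumes the non-reassigned identifier requirement still applies when the optimization is used, which the page does not state.

```python
# Added example: audit one attribute release against the R&S rules on this page.
EPPN, EPTID = "eduPersonPrincipalName", "eduPersonTargetedID"
NAME_ATTRS = {"displayName", "givenName", "sn"}

def has_person_name(released):
    # displayName OR (givenName AND sn)
    return "displayName" in released or {"givenName", "sn"} <= released

def rs_release_gaps(released, eppn_reassigned, sp_requested=None):
    """Return rule violations (empty list = release satisfies the minimal subset).

    released        -- attribute names the IdP sent to the R&S SP
    eppn_reassigned -- True if this deployment may reassign eduPersonPrincipalName
    sp_requested    -- attribute names listed in SP metadata; None means the
                       optimization is not applied and the full subset is required
    """
    released = set(released)
    listed = None if sp_requested is None else set(sp_requested)
    gaps = []
    for attr in (EPPN, "mail"):
        required = listed is None or attr in listed
        if required and attr not in released:
            gaps.append(f"missing {attr}")
    name_required = listed is None or bool(listed & NAME_ATTRS)
    if name_required and not has_person_name(released):
        gaps.append("missing person name (displayName, or givenName and sn)")
    # Assumption: the non-reassigned identifier rule stays unconditional even
    # under the optimization (the stricter reading; the page does not say).
    stable_id = EPTID in released or (EPPN in released and not eppn_reassigned)
    if not stable_id:
        gaps.append(f"no non-reassigned persistent identifier (release {EPTID})")
    return gaps

if __name__ == "__main__":
    # Constructed sample releases, not taken from any real IdP.
    samples = {
        "full bundle": ({EPPN, EPTID, "mail", "displayName", "givenName", "sn"}, True, None),
        "reassigned ePPN, no ePTID": ({EPPN, "mail", "displayName"}, True, None),
        "SP lists only sn": ({EPTID, "givenName"}, False, {"sn"}),
    }
    for label, args in samples.items():
        print(label, "->", rs_release_gaps(*args) or "ok")
```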