Entity Category attribute release in SWAMID

Entity categories are used for data release minimization and scalable attribute release from an Identity Provider within SWAMID to a Service Provider in SWAMID and/or eduGAIN.

If the owner of a Service and the Identity Provider's Home Organisation have a bilateral agreement, the attribute release can be extended with additional attributes based on that agreement.

Best Practice attribute release based on entity categories

x - Attribute is released if it is available in the Home Organisation Identity Provider.
o - Attribute is released only if it is requested and marked as required in the Service Provider's metadata, and if it is available in the Home Organisation Identity Provider.

Column key: None = without entity category; CoCo = REFEDS CoCo v2 and GÉANT CoCo v1; Pers = REFEDS Personalized Access Entity Category; Pseud = REFEDS Pseudonymous Authorization Entity Category; Anon = REFEDS Anonymous Authorization Entity Category; R&S = REFEDS Research and Scholarship Entity Category; R&E = SWAMID R&E; SFS = SWAMID SFS-1993-1153.

Column restrictions:
  • CoCo: attributes are released "only if requested and required" in metadata¹.
  • norEduPersonNIN and personalIdentityNumber have additional restrictions² (marked o² below).
  • R&E and SFS: Deprecated. No new EntityID has been permitted to use these categories since 2020-09-01.

| SAML2 Attribute Identifier | Friendly Name | None | CoCo | Pers | Pseud | Anon | R&S | R&E | SFS |
|---|---|---|---|---|---|---|---|---|---|
| urn:oasis:names:tc:SAML:attribute:pairwise-id | pairwise-id | | | | x | | | | |
| urn:oasis:names:tc:SAML:attribute:subject-id | subject-id | | | x | | | | | |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | eduPersonTargetedID | o | | | | | x³ | | |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | eduPersonPrincipalName | o | | | | | x | x | |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.16 | eduPersonOrcid | o | | | | | | | |
| urn:oid:1.3.6.1.4.1.2428.90.1.5 | norEduPersonNIN | o² | | | | | | | x |
| urn:oid:1.2.752.29.4.13 | personalIdentityNumber | o² | | | | | | | |
| urn:oid:1.3.6.1.4.1.25178.1.2.3 | schacDateOfBirth | o | | | | | | | |
| urn:oid:0.9.2342.19200300.100.1.3 | mail | o | | x | | | x | x | |
| urn:oid:2.16.840.1.113730.3.1.241 | displayName | o | | x | | | x | x | |
| urn:oid:2.5.4.3 | cn (aka commonName) | o | | | | | | x | |
| urn:oid:2.5.4.42 | givenName | o | | x | | | x | x | |
| urn:oid:2.5.4.4 | sn (aka surname) | o | | x | | | x | x | |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | eduPersonAssurance | o | | x | x | | x⁴ | x | x |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | eduPersonScopedAffiliation | o | | x | x | x | x | x | |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | eduPersonAffiliation | o | | | | | | | |
| urn:oid:2.5.4.10 | o (aka organizationName) | o | | | | | | x | |
| urn:oid:1.3.6.1.4.1.2428.90.1.6 | norEduOrgAcronym | o | | | | | | x | |
| urn:oid:2.5.4.6 | c (aka countryName) | o | | | | | | x | |
| urn:oid:0.9.2342.19200300.100.1.43 | co (aka friendlyCountryName) | o | | | | | | x | |
| urn:oid:1.3.6.1.4.1.25178.1.2.9 | schacHomeOrganization | o | | x | x | x | | x | |
| urn:oid:1.3.6.1.4.1.25178.1.2.10 | schacHomeOrganizationType | o | | | | | | | |


  1. The REFEDS and GÉANT Code of Conduct entity categories do not define an attribute bundle. Instead, the Service Provider lists the attributes it needs as RequestedAttribute elements in its metadata, and only those marked as required are released.
  2. norEduPersonNIN and personalIdentityNumber shall only be released when required by entities registered within SWAMID (registrationAuthority="http://www.swamid.se/").
    • personalIdentityNumber must only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.
    • norEduPersonNIN can, besides Swedish Personal Numbers and Swedish Co-ordination Numbers, also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.
  3. eduPersonTargetedID should only be released with the REFEDS Research & Scholarship entity category if eduPersonPrincipalName is reassignable. The SWAMID Assurance Profiles require eduPersonPrincipalName to be long-term unique for all Identity Providers in SWAMID, so it should normally not be released.
  4. Within SWAMID the REFEDS Research and Scholarship Entity Category is extended to also include eduPersonAssurance.
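The o/x legend, the CoCo "requested and required" rule and footnotes 2 to 4 can be applied mechanically to a Service Provider's metadata. The following is an added example written for this page, not code from SWAMID or from any Identity Provider product: it reads the entity categories, the registrationAuthority and the required RequestedAttribute elements from SP metadata and computes which of a user's attributes the IdP may release. The attribute bundles are transcribed from the table on this page; the sample SP metadata (entityID, the non-SWAMID registrationAuthority, the ServiceName), the user record and the IdP-side setting `eppn_reassignable` standing in for footnote 3 are all constructed for the example.

```python
"""Attribute release for one SAML SP, following the entity-category table on this page.
Added example, not code from SWAMID or from any IdP product.  Bundles are transcribed
from the table; SP metadata, user record and the IdP flag eppn_reassignable are constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
SWAMID_RA = "http://www.swamid.se/"                      # footnote 2: SWAMID's registrationAuthority
RS = "http://refeds.org/category/research-and-scholarship"
COCO_V2 = "https://refeds.org/category/code-of-conduct/v2"

# Friendly name -> SAML2 attribute identifier, i.e. the table's first two columns.
OID = {"pairwise-id": "urn:oasis:names:tc:SAML:attribute:pairwise-id",
       "subject-id": "urn:oasis:names:tc:SAML:attribute:subject-id",
       "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10", "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
       "eduPersonOrcid": "urn:oid:1.3.6.1.4.1.5923.1.1.1.16", "norEduPersonNIN": "urn:oid:1.3.6.1.4.1.2428.90.1.5",
       "personalIdentityNumber": "urn:oid:1.2.752.29.4.13", "schacDateOfBirth": "urn:oid:1.3.6.1.4.1.25178.1.2.3",
       "mail": "urn:oid:0.9.2342.19200300.100.1.3", "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
       "cn": "urn:oid:2.5.4.3", "givenName": "urn:oid:2.5.4.42", "sn": "urn:oid:2.5.4.4",
       "eduPersonAssurance": "urn:oid:1.3.6.1.4.1.5923.1.1.1.11", "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
       "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1", "o": "urn:oid:2.5.4.10",
       "norEduOrgAcronym": "urn:oid:1.3.6.1.4.1.2428.90.1.6", "c": "urn:oid:2.5.4.6", "co": "urn:oid:0.9.2342.19200300.100.1.43",
       "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9", "schacHomeOrganizationType": "urn:oid:1.3.6.1.4.1.25178.1.2.10"}

# The "x" cells of the table: released whenever available.  CoCo has no bundle (footnote 1)
# and is therefore absent here; it works only through required RequestedAttribute elements.
BUNDLES = {
    "https://refeds.org/category/personalized": {"subject-id", "mail", "displayName", "givenName", "sn",
                                                  "eduPersonAssurance", "eduPersonScopedAffiliation", "schacHomeOrganization"},
    "https://refeds.org/category/pseudonymous": {"pairwise-id", "eduPersonAssurance", "eduPersonScopedAffiliation",
                                                  "schacHomeOrganization"},
    "https://refeds.org/category/anonymous": {"eduPersonScopedAffiliation", "schacHomeOrganization"},
    RS: {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn", "eduPersonScopedAffiliation",
         "eduPersonAssurance",        # footnote 4: SWAMID extension of R&S
         "eduPersonTargetedID"},      # footnote 3: conditional, handled in decide_release
    # Deprecated SWAMID categories (no new EntityIDs since 2020-09-01) that are still in the table:
    "http://www.swamid.se/category/research-and-education": {"eduPersonPrincipalName", "mail", "displayName", "cn",
        "givenName", "sn", "eduPersonAssurance", "eduPersonScopedAffiliation", "o", "norEduOrgAcronym", "c", "co",
        "schacHomeOrganization"},
    "http://www.swamid.se/category/sfs-1993-1153": {"norEduPersonNIN", "eduPersonAssurance"},
}
RESTRICTED = {"norEduPersonNIN", "personalIdentityNumber"}   # footnote 2


def read_sp(metadata_xml):
    """Pull entity categories, registrationAuthority and required attribute OIDs out of SP metadata."""
    root = ET.fromstring(metadata_xml)
    cats = {v.text.strip() for v in root.findall(
        f".//mdattr:EntityAttributes/saml:Attribute[@Name='{ENTITY_CATEGORY}']/saml:AttributeValue", NS)}
    reg = root.find(".//mdrpi:RegistrationInfo", NS)
    reg_auth = reg.get("registrationAuthority") if reg is not None else None
    required = {ra.get("Name") for ra in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", NS)
                if ra.get("isRequired", "false").lower() in ("true", "1")}   # "requested and required"
    return cats, reg_auth, required


def decide_release(metadata_xml, user, eppn_reassignable=False):
    """Return the subset of `user` (friendly name -> value) this IdP releases to the SP."""
    cats, reg_auth, required = read_sp(metadata_xml)
    bundle = set().union(*(BUNDLES[c] for c in cats if c in BUNDLES))
    if not eppn_reassignable:          # footnote 3: ePPN is long-term unique in SWAMID, so no ePTID via R&S
        bundle.discard("eduPersonTargetedID")
    released = {}
    for name, value in user.items():
        if name not in OID:                                      # not governed by the table: never released here
            continue
        if name not in bundle and OID[name] not in required:     # neither an "x" nor an "o" cell applies
            continue
        if name in RESTRICTED and reg_auth != SWAMID_RA:         # footnote 2
            continue
        released[name] = value
    return released


def build_sp_metadata(registration_authority, categories, required):
    """Constructed SP EntityDescriptor carrying just the three things the policy reads."""
    cats = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    reqs = "".join(f'<md:RequestedAttribute Name="{OID[n]}" FriendlyName="{n}" isRequired="true"/>' for n in required)
    return (f'<md:EntityDescriptor entityID="https://sp.example.org/shibboleth" xmlns:md="{NS["md"]}" '
            f'xmlns:mdattr="{NS["mdattr"]}" xmlns:saml="{NS["saml"]}" xmlns:mdrpi="{NS["mdrpi"]}">'
            f'<md:Extensions><mdrpi:RegistrationInfo registrationAuthority="{registration_authority}"/>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}" '
            f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">{cats}</saml:Attribute>'
            f'</mdattr:EntityAttributes></md:Extensions>'
            f'<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Example SP</md:ServiceName>'
            f'{reqs}</md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>')


# Constructed user record; all values are placeholders.
USER = {"eduPersonPrincipalName": "alice@example.se", "eduPersonTargetedID": "opaque-per-sp-id",
        "mail": "alice@example.se", "displayName": "Alice Andersson", "givenName": "Alice", "sn": "Andersson",
        "eduPersonScopedAffiliation": "member@example.se", "eduPersonAssurance": "http://www.swamid.se/policy/assurance/al2",
        "schacHomeOrganization": "example.se", "norEduPersonNIN": "197001010000",
        "eduPersonOrcid": "https://orcid.org/0000-0000-0000-0000"}

if __name__ == "__main__":
    # R&S + CoCo v2 SP registered by a non-SWAMID federation (constructed registrationAuthority).
    md = build_sp_metadata("https://registry.example-federation.org/", [RS, COCO_V2],
                           ["mail", "schacHomeOrganization", "norEduPersonNIN"])
    print(sorted(decide_release(md, USER)))
```

Run as a script it prints the attributes released to an R&S + CoCo v2 SP registered outside SWAMID: the R&S bundle plus the required schacHomeOrganization, with norEduPersonNIN withheld because the registrationAuthority is not SWAMID's and eduPersonTargetedID withheld because eduPersonPrincipalName is not reassignable. Changing the registrationAuthority to http://www.swamid.se/ releases the NIN, and `eppn_reassignable=True` adds eduPersonTargetedID. An attribute that is not in the table is never released, and a bilateral agreement (first paragraph) would be a separate per-SP allow-list layered on top of this decision.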

URI for all entity categories used within SWAMID

| Entity category | Unique identifier | Status |
|---|---|---|
| GÉANT Data Protection Code of Conduct Entity Category | http://www.geant.net/uri/dataprotection-code-of-conduct/v1 | |
| REFEDS Data Protection Code of Conduct Entity Category | https://refeds.org/category/code-of-conduct/v2 | |
| REFEDS Personalized Access Entity Category | https://refeds.org/category/personalized | |
| REFEDS Pseudonymous Authorization Entity Category | https://refeds.org/category/pseudonymous | |
| REFEDS Anonymous Authorization Entity Category | https://refeds.org/category/anonymous | |
| REFEDS Research and Scholarship Entity Category (R&S) | http://refeds.org/category/research-and-scholarship | |
| SWAMID R&E | http://www.swamid.se/category/research-and-education | Deprecated |
| SWAMID SFS-1993-1153 | http://www.swamid.se/category/sfs-1993-1153 | Deprecated |
| SWAMID EU-Adequate-Protection | http://www.swamid.se/category/eu-adequate-protection | Deprecated |
| SWAMID NREN-Service | http://www.swamid.se/category/nren-service | Deprecated |
| SWAMID HEI-Service | http://www.swamid.se/category/hei-service | Deprecated |


URI for all assurance profiles used within SWAMID

| Assurance profile | Unique identifier | Status |
|---|---|---|
| SWAMID AL1 | http://www.swamid.se/policy/assurance/al1 | |
| SWAMID AL2 | http://www.swamid.se/policy/assurance/al2 | |
| SWAMID AL3 | http://www.swamid.se/policy/assurance/al3 | |
| SWAMID AL2-MFA-HI | https://www.swamid.se/policy/authentication/swamid-al2-mfa-hi | Deprecated |
| REFEDS Assurance Framework | https://refeds.org/assurance/* | |
| REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 1 | https://refeds.org/sirtfi | |
| REFEDS Security Incident Response Trust Framework for Federated Identity (SIRTFI) version 2 | https://refeds.org/sirtfi2 | |


