
...

For an example of how to consume and process this information in an Identity Provider, see the page Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above. ADFS Toolkit supports the use of entity categories.

REFEDS Personalized Access Entity Category

entity-category URI: https://refeds.org/category/personalized

eduGAIN enabled: Yes


Definition

Candidates for the REFEDS Personalized Access Entity Category are Service Providers that have a proven need to receive a small set of personally identifiable information about their users in order to effectively provide their service to the user or to enable the user to signal their identity to other users within the service. The Service Provider must be able to effectively demonstrate this need to their registrar and demonstrate their compliance with regulatory requirements concerning personal data through a published Privacy Notice.

Please note that the REFEDS Personalized Access Entity Category was published at the end of 2021, so not many Identity Providers support it yet. SWAMID recommends that you complement the REFEDS Personalized Access Entity Category with the entity category GÉANT Dataprotection Code of Conduct until the end of 2023 to get the expected attribute release.

The Personalized Access Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The entity category makes it possible to automatically release a set of mostly harmless attributes to Service Providers registered in the academic federations.

The expected Identity Provider behaviour is to release to the Service Provider a set of attributes (subject-id, email, displayName, surname, given name, scoped affiliation and identity assurance). Service Providers signal their use of the Personalized Access Entity Category via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that support the Personalized Access Entity Category.

For the REFEDS Personalized Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. SWAMID has published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the last section.

Expected attribute release from an Identity Provider

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| subject-id | urn:oasis:names:tc:SAML:attribute:subject-id | |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one. |
| displayName | urn:oid:2.16.840.1.113730.3.1.241 | |
| givenName | urn:oid:2.5.4.42 | |
| sn | urn:oid:2.5.4.4 | |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |
| schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 | |

Process for applying for tagging a service with entity category REFEDS Personalized Access Entity Category

For a service to be tagged with REFEDS Personalized Access Entity Category it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

Besides the metadata update, the request must contain the following administrative information:

  • Purpose and scope of the service.
  • Documentation proving that the service fulfils all the requirements for the REFEDS Personalized Access Entity Category, if this is not already evident from the purpose and scope of the service.
    • The service has a proven and documented need for the personally identifiable information that forms the attribute bundle for this entity category.
    • The Service Provider has committed to data minimisation and will not use the attributes for purposes other than as described in their application.

Unless the following is already published in current service metadata, the metadata update request must contain:

  • Well-functioning SAML2 metadata for the service with an entityID in URL form.
  • Display name for the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Short description of the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Administrative and technical contacts for the service; it is recommended that support and security contacts are also given.
  • Formal organisation name of the organisation delivering the service.
  • URL to the organisation delivering the service.
  • URL to an informational web page that describes the service in English and preferably also in Swedish.
  • URL to a web page with the service privacy policy in English and preferably also in Swedish; a privacy policy example template: SWAMID Service Provider Privacy Policy Template. Please remove the section about GÉANT Dataprotection Code of Conduct if you use the Privacy Policy Template.

The request is highly recommended to also have the following information for metadata publication:

  • URL beginning with https to the service logotype, for use in Identity Providers' login pages and Discovery Services.

Besides the formal requirements and recommendations of REFEDS R&S, it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).
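As an added example that is not part of the SWAMID page or the SWAMID Metadata Tool, the following Python snippet shows both sides of the mechanism described above: how an Identity Provider reads the entity category tag from the SP's metadata to select the attribute bundle in the table, and a pre-flight check of the items in the request list (entityID in URL form, English display name, privacy policy URL, contacts, organisation) against the SP's own metadata. The sample metadata, entity ID, URLs and e-mail address are constructed, and signature verification of the metadata is assumed to have happened before this code runs.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ENTITY_CATEGORY, PERSONALIZED = "http://macedir.org/entity-category", "https://refeds.org/category/personalized"
# Attribute bundle from the table above: friendly name -> SAML2 attribute identifier.
PERSONALIZED_BUNDLE = {
    "subject-id": "urn:oasis:names:tc:SAML:attribute:subject-id", "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241", "givenName": "urn:oid:2.5.4.42", "sn": "urn:oid:2.5.4.4",
    "eduPersonAssurance": "urn:oid:1.3.6.1.4.1.5923.1.1.1.11", "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9"}

def entity_categories(sp):
    """Entity-category URIs the SP declares in its mdattr:EntityAttributes extension."""
    attrs = sp.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
    return {v.text.strip() for a in attrs if a.get("Name") == ENTITY_CATEGORY
            for v in a.findall("saml:AttributeValue", NS)}

def expected_release(sp_xml):
    """Bundle an IdP is expected to release to this SP; the metadata is assumed signature-verified upstream."""
    return dict(PERSONALIZED_BUNDLE) if PERSONALIZED in entity_categories(ET.fromstring(sp_xml)) else {}

def missing_request_items(sp_xml):
    """Items from the tagging-request list above that this SP metadata does not yet publish."""
    sp = ET.fromstring(sp_xml)
    ui = "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:"
    en = lambda path: any(e.get(XML_LANG) == "en" for e in sp.findall(path, NS))  # English version present?
    contacts = {c.get("contactType") for c in sp.findall("md:ContactPerson", NS)}
    checks = {"entityID in URL form": sp.get("entityID", "").startswith(("https://", "http://")),
              "English display name": en(ui + "DisplayName"),
              "English privacy policy URL": en(ui + "PrivacyStatementURL"),
              "administrative contact": "administrative" in contacts, "technical contact": "technical" in contacts,
              "organisation name": en("md:Organization/md:OrganizationName"),
              "organisation URL": en("md:Organization/md:OrganizationURL")}
    return [item for item, ok in checks.items() if not ok]

# Constructed sample SP metadata (not a real entity); it deliberately lacks an administrative contact.
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://sp.example.org/shibboleth">
 <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
  <saml:AttributeValue>https://refeds.org/category/personalized</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:UIInfo>
  <mdui:DisplayName xml:lang="en">Example Service</mdui:DisplayName>
  <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL></mdui:UIInfo></md:Extensions></md:SPSSODescriptor>
 <md:Organization><md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
  <md:OrganizationURL xml:lang="en">https://www.example.org/</md:OrganizationURL></md:Organization>
 <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:tech@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""
```

Running `missing_request_items(SAMPLE_SP)` on the constructed metadata reports only the missing administrative contact, and `expected_release` returns the full eight-attribute bundle because the entity category tag is present.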

REFEDS Research and Scholarship

...

For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However, all services that are registered in SWAMID must have a Privacy Policy to inform end users about how personal data are processed. SWAMID has published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the last section.

Expected attribute release from an Identity Provider

| Attribute(s) | SAML2 Attribute Identifier | Comment |
|---|---|---|
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user. |
| eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one. |
| displayName and/or givenName and sn | urn:oid:2.16.840.1.113730.3.1.241, urn:oid:2.5.4.42, urn:oid:2.5.4.4 | A user's name can be released in different ways and it is expected that the Service Provider can handle this. |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Local add-on within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID. |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | |

...

For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.

Besides the metadata update, the request must contain the following administrative information:

...

Unless the following is already published in current service metadata, the metadata update request must contain:

  • Well-functioning SAML2 metadata for the service with an entityID in URL form.
  • Display name for the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Short description of the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Administrative and technical contacts for the service; it is recommended that support and security contacts are also given.
  • Formal organisation name of the organisation delivering the service.
  • URL to the organisation delivering the service.
  • URL to an informational web page that describes the service in English and preferably also in Swedish.
  • URL to a web page with the service privacy policy in English and preferably also in Swedish; a privacy policy example template: SWAMID Service Provider Privacy Policy Template. Please remove the section about GÉANT Dataprotection Code of Conduct if you use the Privacy Policy Template.

The request is highly recommended to also have the following information for metadata publication:

...

Besides the formal requirements and recommendations of REFEDS R&S, it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS/

...

GÉANT Dataprotection Code of Conduct

...

For a service to be tagged with GÉANT Dataprotection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeks.

Besides the metadata update, the request must contain the following administrative information:

...

Unless the following is already published in current service metadata, the metadata update request must contain:

  • Well-functioning SAML2 metadata for the service with an entityID in URL form.
  • Display name for the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Short description of the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • A list of required attributes of the Service.
  • Administrative and technical contacts for the service; it is recommended that support and security contacts are also given.
  • Formal organisation name of the organisation delivering the service.
  • URL to the organisation delivering the service.
  • URL to an informational web page that describes the service in English and preferably also in Swedish.
  • URL to a publicly accessible web page (not a PDF document) with the service privacy policy in English and preferably also in Swedish; a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
    • the name, address and jurisdiction of the Service Provider;
    • the purpose or purposes of the processing of the Attributes;
    • a description of the Attributes being processed;
    • the third party recipients or categories of third party recipient to whom the Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
    • the existence of the rights to access, rectify and delete the Attributes held about the End User;
    • the retention period of the Attributes; and
    • a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.

...