Comment: Added ESI Entity Category plus some restructuring of first section

...

REFEDS (the Research and Education FEDerations group) is the standards organisation within the academic identity federation community. To enable, simplify and minimise attribute release from Identity Providers to Service Providers, SWAMID uses entity categories. A service should never ask for more attributes than it needs to deliver the service to the end user. Based on this assumption REFEDS has created three new hierarchical entity categories, where:

  • Anonymous Access is for services that don't need any personalized information,
  • Pseudonymous Access is for services that support personalization between sessions but don't need any personally identifiable information, and
  • Personalized Access is for services that need personally identifiable information.

You should never use more than one of these entity categories for the same service, since the resulting behaviour is undefined. SWAMID recommends that Identity Providers only release the attributes for the most data-minimising entity category, i.e. if a Service Provider asks for both Pseudonymous Access and Personalized Access, the service gets the attributes for Pseudonymous Access.

The entity category Research and Scholarship (R&S) is more or less the same as Personalized Access but has more restricted use cases and another set of identifiers.

The entity category European Student Identifier primarily supports student exchange programmes like Erasmus+. This entity category only supports one value in one specific attribute and is expected to be used together with other entity categories, for example Personalized Access.

For services that need other attributes than those in the fixed attribute bundles, the entity categories REFEDS Data Protection Code of Conduct and the older GÉANT Data Protection Code of Conduct are recommended.



Attribute bundles per entity category (SAML2 friendly names):

Attribute        | Anonymous Access           | Pseudonymous Access        | Personalized Access        | Research and Scholarship (R&S)
Organisation     | eduPersonScopedAffiliation | eduPersonScopedAffiliation | eduPersonScopedAffiliation | eduPersonScopedAffiliation (optional)
                 | schacHomeOrganization      | schacHomeOrganization      | schacHomeOrganization      |
User identifier  | -                          | samlPairwiseID             | samlSubjectID              | eduPersonPrincipalName (if non-reassigned), or
                 |                            |                            |                            | eduPersonPrincipalName + eduPersonTargetedID (not used within SWAMID)
Assurance        | -                          | eduPersonAssurance         | eduPersonAssurance         | eduPersonAssurance (only within SWAMID)
Person name      | -                          | -                          | displayName                | displayName or givenName + sn
                 |                            |                            | givenName                  |
                 |                            |                            | sn                         |
Email address    | -                          | -                          | mail                       | mail
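The SWAMID precedence rule above (honour only the most data-minimising of the three REFEDS access categories an SP asserts) and the attribute bundles in the table can be checked mechanically on the SP's metadata. The following is an added example written for this page, not SWAMID or REFEDS code: it reads the entity categories from an SP EntityDescriptor (the MACE-Dir entity attribute `http://macedir.org/entity-category` inside `mdattr:EntityAttributes`, which is how all federations publish them) and returns the bundle to release. The SP metadata and its entityID are constructed for the example.

```python
"""Work out which REFEDS attribute bundle an Identity Provider should release to a
Service Provider, from the entity categories the SP asserts in its SAML metadata.

Added example for this page; not SWAMID or REFEDS code. The entity-attribute
name and the SAML namespaces are standard; the sample SP metadata is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Entity categories are carried as a SAML attribute with this Name (MACE-Dir).
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"

ANONYMOUS = "https://refeds.org/category/anonymous"
PSEUDONYMOUS = "https://refeds.org/category/pseudonymous"
PERSONALIZED = "https://refeds.org/category/personalized"

# Attribute bundles per category, as in the table above (SAML friendly names).
BUNDLES = {
    ANONYMOUS: ("eduPersonScopedAffiliation", "schacHomeOrganization"),
    PSEUDONYMOUS: ("eduPersonScopedAffiliation", "schacHomeOrganization",
                   "samlPairwiseID", "eduPersonAssurance"),
    PERSONALIZED: ("eduPersonScopedAffiliation", "schacHomeOrganization",
                   "samlSubjectID", "eduPersonAssurance",
                   "displayName", "givenName", "sn", "mail"),
}
# SWAMID rule: when an SP asserts several of these, release only the most
# data-minimising one, so the order here is the precedence order.
PRECEDENCE = (ANONYMOUS, PSEUDONYMOUS, PERSONALIZED)


def entity_categories(metadata_xml):
    """Return the set of entity-category URIs asserted in an SP EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ENTITY_CATEGORY_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                found.add(value.text.strip())
    return found


def select_bundle(categories):
    """Pick the REFEDS access category to honour and its attribute bundle.

    Returns (category, attributes); (None, ()) when the SP asserts none of the
    three, in which case nothing is released on the basis of these categories.
    """
    for category in PRECEDENCE:
        if category in categories:
            return category, BUNDLES[category]
    return None, ()


# Constructed SP metadata: the SP asserts both Pseudonymous and Personalized
# Access (the situation the text warns against). The entityID is made up.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:URI">
        <saml:AttributeValue>https://refeds.org/category/pseudonymous</saml:AttributeValue>
        <saml:AttributeValue>https://refeds.org/category/personalized</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    cats = entity_categories(SP_METADATA)
    category, bundle = select_bundle(cats)
    print("asserted:", sorted(cats))
    print("honoured:", category)
    print("release :", ", ".join(bundle))
```

Run against the constructed metadata this honours Pseudonymous Access only, so samlSubjectID and the name and mail attributes are not released even though the SP also asserted Personalized Access. R&S and the Codes of Conduct are deliberately outside this function: they have their own bundles and, for CoCo, a per-SP RequestedAttributes list, so they need separate rules rather than a slot in this precedence list.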

REFEDS Anonymous Access Entity Category

entity-category URI: https://refeds.org/category/anonymous

eduGAIN enabled: Yes

Definition

Candidates for the Anonymous Access Entity Category are Service Providers that offer a level of service based on proof of successful authentication. None of the attributes in this entity category are specifically intended to provide authorization information.

By asserting this entity category, Service Providers are signaling that they do not wish to receive personalized data.

Please note that the first version of the REFEDS Anonymous Access Entity Category, then called the REFEDS Anonymous Authorization Entity Category, was published in early 2021, so not many Identity Providers support it yet. SWAMID recommends that you complement the REFEDS Anonymous Access Entity Category with the entity category GÉANT Data Protection Code of Conduct until the end of 2024 to get the expected attribute release.

...

entity-category URI: https://refeds.org/category/pseudonymous

eduGAIN enabled: Yes

Definition

Candidates for the Pseudonymous Access Entity Category are Service Providers that offer a level of service based on proof of successful authentication and offer personalization based on a pseudonymous user identifier. The Service Provider must be able to effectively demonstrate this need to their federation registrar (normally the Service Provider's home federation) and demonstrate their compliance with regulatory requirements concerning personal data through a published Privacy Notice.

None of the attributes in this entity category are specifically intended to provide authorization information.

Please note that the first version of the REFEDS Pseudonymous Access Entity Category, then called the REFEDS Pseudonymous Authorization Entity Category, was published in early 2021, so not many Identity Providers support it yet. SWAMID recommends that you complement the REFEDS Pseudonymous Access Entity Category with the entity category GÉANT Data Protection Code of Conduct until the end of 2024 to get the expected attribute release.

...

entity-category URI: https://refeds.org/category/personalized

eduGAIN enabled: Yes

Definition

Candidates for the Personalized Access Entity Category are Service Providers that have a proven need to receive a small set of personally identifiable information about their users in order to effectively provide their service to the user or to enable the user to signal their identity to other users within the service. The Service Provider must be able to effectively demonstrate this need to their federation registrar (normally the Service Provider's home federation) and demonstrate their compliance with regulatory requirements concerning personal data through a published Privacy Notice.

None of the attributes in this entity category are specifically intended to provide authorization information.

Please note that the first version of the REFEDS Personalized Access Entity Category was published in late 2021, so not many Identity Providers support it yet. SWAMID recommends that you complement the REFEDS Personalized Access Entity Category with the entity category GÉANT Data Protection Code of Conduct until the end of 2024 to get the expected attribute release.

...

entity-category URI: http://refeds.org/category/research-and-scholarship

eduGAIN enabled: Yes

Definition

Candidates for the Research and Scholarship (R&S) Category are Service Providers that are operated, at least in part, for the purpose of supporting research and scholarship interaction, collaboration or management. For more information please see REFEDS Entity Category Research and Scholarship.

...


Definition

The REFEDS Data Protection Code of Conduct (CoCo v2) defines an approach at a European level to meet the requirements of the European General Data Protection Regulation (GDPR) for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see REFEDS Data Protection Code of Conduct.

The earlier GÉANT Data Protection Code of Conduct (CoCo v1) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive. The Data Protection Directive has been superseded by GDPR, and therefore GDPR must be taken into account for CoCo v1. CoCo v1 is in the same spirit as GDPR, i.e. the Charter of Fundamental Rights of the European Union. For more information please see GEANT Data Protection Code of Conduct.

CoCo v1 will exist in parallel with CoCo v2 for an extended time, and therefore we recommend that all services that use CoCo v2 also declare CoCo v1, and the other way around.

...

It is also highly recommended that the service adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

European Student Identifier Entity Category


Definition

The purpose of the European Student Identifier entity category is to support Higher Education Institutions (HEI) in identifying students as part of formal learning and teaching activities and/or the administrative activities related to those. These activities require data exchanges to take place, primarily, within or between institutions. The European Student Identifier (ESI) plays a significant role in reliably identifying the students throughout these data exchanges.

This entity category may be used together with other entity categories to transfer additional attributes.

The European Student Identifier Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The entity category makes it possible to automatically release the European Student Identifier as defined at https://wiki.geant.org/display/SM/European+Student+Identifier.

The expected Identity Provider behaviour for universities and university colleges is to release the European Student Identifier to the Service Provider. Service Providers signal their need for the European Student Identifier via an entity category tag in metadata. There is furthermore an Identity Provider entity category support tag that should be registered for all Identity Providers that support the European Student Identifier Entity Category.

Expected attribute release from an Identity Provider

Attribute(s)            | SAML2 Attribute Identifier       | Comment
schacPersonalUniqueCode | urn:oid:1.3.6.1.4.1.25178.1.2.14 | This is a multi-valued attribute, but the expected behaviour is that the Identity Provider releases only the ESI value to the service, unless other values are released by bilateral agreement.
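Because schacPersonalUniqueCode is multi-valued and may also carry national or local codes, the IdP has to filter it before release to an ESI-tagged SP rather than pass the attribute through. The following is an added example written for this page, not SWAMID or GÉANT code. It assumes the ESI value form `urn:schac:personalUniqueCode:int:esi:<schacHomeOrganization>:<code>` from the ESI specification linked above; the per-user values, the `bilateral_allow` parameter and the sample non-ESI value are constructed for the example.

```python
"""Filter a multi-valued schacPersonalUniqueCode down to the European Student
Identifier (ESI) value(s) before release to an ESI-tagged Service Provider.

Added example for this page; not SWAMID or GEANT code. It assumes the ESI value
form urn:schac:personalUniqueCode:int:esi:<schacHomeOrganization>:<code>
from the ESI specification; the sample values below are constructed.
"""

ESI_PREFIX = "urn:schac:personalUniqueCode:int:esi:"


def parse_esi(value):
    """Return (schacHomeOrganization, code) for a well-formed ESI value, else None."""
    if not value.startswith(ESI_PREFIX):
        return None
    rest = value[len(ESI_PREFIX):]
    # The home organisation is the first component; the local code is whatever
    # follows it (the code itself may legitimately contain further colons).
    sho, sep, code = rest.partition(":")
    if not sep or not sho or not code:
        return None
    return sho, code


def release_personal_unique_code(values, bilateral_allow=()):
    """Values of schacPersonalUniqueCode to release to an ESI-tagged SP.

    By default only well-formed ESI values are released. bilateral_allow
    (assumed parameter) holds extra value prefixes agreed bilaterally with the
    specific SP, which are released in addition; it is empty unless such an
    agreement exists. Malformed ESI values are dropped, not forwarded.
    """
    released = []
    for value in values:
        if parse_esi(value) is not None:
            released.append(value)
        elif any(value.startswith(prefix) for prefix in bilateral_allow):
            released.append(value)
    return released


# Constructed multi-valued attribute for one user: a proper ESI value, a
# malformed ESI value with no local code, and a made-up national student number.
USER_VALUES = [
    "urn:schac:personalUniqueCode:int:esi:example.edu:s123456",
    "urn:schac:personalUniqueCode:int:esi:example.edu",
    "urn:schac:personalUniqueCode:se:example.edu:studentnumber:987654",
]

if __name__ == "__main__":
    print("ESI only   :", release_personal_unique_code(USER_VALUES))
    print("with bilat.:", release_personal_unique_code(
        USER_VALUES, bilateral_allow=("urn:schac:personalUniqueCode:se:",)))
```

The default call releases only the first value; the second call shows the bilateral-agreement exception, where a second prefix has been explicitly allowed for that one SP. Keep such allowlists per SP entityID rather than global, otherwise the national number leaks to every ESI-tagged service.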

Process for applying to tag a service with the European Student Identifier Entity Category

For a service to be tagged with the European Student Identifier Entity Category, it must contact the federation it is registered with. If the service is registered within the SWAMID federation, the service operator updates the service metadata in the SWAMID Metadata Tool.

Besides the metadata update, the request must contain the following administrative information:

  • Purpose and scope of the service.
  • Description of how the service fulfils the eligibility criteria for the ESI Entity Category:
    • Student Mobility Services directly enabling mobility, for example the Erasmus+ programme.
    • Services that transfer student records or transcripts of records between educational institutions and which need to identify the students to which the records belong.
    • University Alliance scenarios where students' records are shared across (some of) the universities of the Alliance.
    • Formal learning and teaching activities and/or the administrative activities related to those within an institution, for example Learning Management Systems and remote e-assessment tools.

The entity category has the following metadata requirements:

It is highly recommended that the request also includes the following information for metadata publication:

  • URL beginning with https to the service logotype, for use on Identity Providers' login pages and in Discovery Services.

Besides the formal requirements and recommendations of the European Student Identifier Entity Category, it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

...