Versions Compared

...

The expected IdP behaviour is to release to the Service Provider a set of R&S Category Attributes (eptid, eppn, email, displayName, surname, given name and scoped affiliation, plus the SWAMID addons eduPersonUniqueID and eduPersonAssurance). Service Providers signal their use of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that support the R&S entity category; it can be used for filter purposes in a discovery service.

...

Attribute(s): eduPersonTargetedID
SAML2 Attribute Identifier: urn:oid:1.3.6.1.4.1.5923.1.1.1.10
Comment: Should only be released by the Identity Provider if eduPersonPrincipalName is short- or long-term re-assignable to another user in the Identity Provider.

Attribute(s): eduPersonPrincipalName
SAML2 Attribute Identifier: urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Attribute(s): eduPersonUniqueID
SAML2 Attribute Identifier: urn:oid:1.3.6.1.4.1.5923.1.1.1.13
Comment: eduPersonUniqueID is a long-term unique identifier that will not be reused by the Identity Provider. It may be the same value as eduPersonPrincipalName if that attribute is non-re-assignable. Services shall only expect this attribute to be available from Identity Providers within SWAMID.

Attribute(s): mail
SAML2 Attribute Identifier: urn:oid:0.9.2342.19200300.100.1.3
Comment: More than one address can be released, but Identity Providers are recommended to release only one.

Attribute(s): displayName and/or givenName and sn
SAML2 Attribute Identifier: urn:oid:2.16.840.1.113730.3.1.241 (displayName), urn:oid:2.5.4.42 (givenName), urn:oid:2.5.4.4 (sn)
Comment: A user's name can be released in different ways and it is expected that the Service Provider can handle this.

Attribute(s): eduPersonAssurance
SAML2 Attribute Identifier: urn:oid:1.3.6.1.4.1.5923.1.1.1.11
Comment: Services shall only expect this attribute to be available from Identity Providers within SWAMID.

Attribute(s): eduPersonScopedAffiliation
SAML2 Attribute Identifier: urn:oid:1.3.6.1.4.1.5923.1.1.1.9

...

Info: Definition

The GÉANT Data protection Code of Conduct (CoCo) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see GEANT Data Protection Code of Conduct.


Info: CoCo and GDPR

An updated version of the GÉANT Data protection Code of Conduct (CoCo) based on the new European Union Data Protection Regulation is underway and the current version will be used until it arrives. The new updated CoCo should be a Code of Conduct as described in GDPR and therefore the update takes longer than expected. The current version of CoCo is based on the same spirit as GDPR, i.e. the Charter of Fundamental Rights of the European Union.

CoCo is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The CoCo makes it possible to automatically release mostly harmless attributes to Service Providers which fulfil the EU Data Protection legislation. The expected Identity Provider behaviour is to release the attributes the Service Provider requires, if the IdP is able to, from the subset eptid, eppn, mail, displayName, scoped affiliation and schacHomeOrganization. Required attributes means attributes the service must have to be able to work for the user. However, it is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility of getting the needed set of attributes. The required subset of attributes for a specific service is defined in the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that support the CoCo entity category; it can be used for filter purposes in a discovery service.
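As an added example (not from the SWAMID wiki), the R&S release rules from the attribute table above and the CoCo rules from this paragraph written as one small policy function: it reads the entity category and the RequestedAttributes marked isRequired="true" from a constructed SP metadata document and computes what an IdP would release. The category URIs, the namespace URIs and the schacHomeOrganization OID are assumptions not given on this page.

```python
import xml.etree.ElementTree as ET
# Category URIs and namespaces are assumptions: the page names the categories, not their URIs.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
# Friendly name -> SAML2 identifier; OIDs from the table above, except schacHomeOrganization (SCHAC schema).
OID = {"eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10", "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
       "eduPersonUniqueID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13", "mail": "urn:oid:0.9.2342.19200300.100.1.3",
       "displayName": "urn:oid:2.16.840.1.113730.3.1.241", "givenName": "urn:oid:2.5.4.42", "sn": "urn:oid:2.5.4.4",
       "eduPersonAssurance": "urn:oid:1.3.6.1.4.1.5923.1.1.1.11", "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
       "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9"}
RS_BUNDLE = set(OID) - {"schacHomeOrganization"}   # R&S attributes plus the SWAMID addons
COCO_POOL = {"eduPersonTargetedID", "eduPersonPrincipalName", "mail",
             "displayName", "eduPersonScopedAffiliation", "schacHomeOrganization"}

def parse_sp(metadata_xml):
    # Returns (entity categories, OIDs of RequestedAttributes marked isRequired="true")
    root = ET.fromstring(metadata_xml)
    cats = {v.text.strip() for a in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS)
            if a.get("Name") == "http://macedir.org/entity-category"
            for v in a.findall("saml:AttributeValue", NS)}
    required = {r.get("Name") for r in root.findall(".//md:RequestedAttribute", NS)
                if r.get("isRequired", "false").lower() == "true"}
    return cats, required

def release(cats, required, user, eppn_reassignable):
    # Attributes the IdP releases under the R&S and CoCo rules described on this page
    wanted = set()
    if RS in cats:                     # R&S: the whole bundle ...
        wanted |= RS_BUNDLE
        if not eppn_reassignable:      # ... but eptid only if eppn can be re-assigned
            wanted.discard("eduPersonTargetedID")
    if COCO in cats:                   # CoCo: only the required subset, only from the CoCo pool
        wanted |= {n for n in COCO_POOL if OID[n] in required}
    return {n: user[n] for n in sorted(wanted) if n in user}  # nothing without a supported category

# Constructed sample: a CoCo SP requiring eppn and mail (displayName optional), and a constructed user.
COCO_SP = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
  entityID="https://sp.example.org/shibboleth"><md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category"><saml:AttributeValue>{COCO}</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions><md:SPSSODescriptor>
  <md:AttributeConsumingService index="1">
  <md:RequestedAttribute Name="{OID['eduPersonPrincipalName']}" isRequired="true"/>
  <md:RequestedAttribute Name="{OID['mail']}" isRequired="true"/>
  <md:RequestedAttribute Name="{OID['displayName']}"/></md:AttributeConsumingService>
  </md:SPSSODescriptor></md:EntityDescriptor>"""
USER = {"eduPersonPrincipalName": "anna@example.se", "mail": "anna@example.se", "displayName": "Anna Andersson",
        "eduPersonTargetedID": "abc123", "sn": "Andersson", "givenName": "Anna",
        "eduPersonScopedAffiliation": "staff@example.se", "schacHomeOrganization": "example.se"}
```

Run `release(*parse_sp(COCO_SP), USER, False)` to see that only eppn and mail leave the IdP for this SP, while an R&S-tagged SP gets the full bundle minus eptid unless eppn is re-assignable.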

...

  • Purpose and scope of the service.
  • A list of the required subset of CoCo attributes that the service needs.
  • Documentation which proves that the service has fulfilled all the requirements for CoCo.

...