e

For a suggestion an example on how to consume and process this information in an Identity Provider look at the page Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above.

REFEDS Research and Scholarship

...

entity-category URI

...

http://refeds.org/category/research-and-scholarship

...

R&S is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The R&S makes it possible to automatically release mostly harmless attributes to Service Providers within the higher educational sector.

The expected IdP behaviour is to release to the Service Provider a set of R&S Category Attributes (eptid, eppn, email, displayName, surname, given name and scoped affiliation plus the SWAMID addons eduPersonUniqueID and eduPersonAssurance). Service Providers signals their use of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the R&S entity category and this can be used for filter purpose in a discovery service.

Example of services that uses the entity category includes (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.

For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However it's recommended that all services that are registered in SWAMID have a Privacy Policy to inform end users about how personal data are processed. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the last section.

Expected attribute release from an Identity Provider

ADFS Toolkit support the use of entity categories.

Attribute release comparison between REFEDS Entity Categories with fixed attribute bundles

REFEDS (the Research and Education FEDerations group) is the standard organisation within the academic identity federation community. To enable, simplify and minimalize attribute release from Identity Providers to Service Providers SWAMID uses entity categories. A service should never ask for more attributes that they need for delivering the service to the end user. Based on this assumption REFEDS has created three new hierarchal entity categories where:

• Anonymous Access is for services that don't need any personalized information,
• Pseudonymous Access is for services that support personalization between sessions but don't have any need of personal identifiable information, and
• Personalized Access is for services that need personal identifiable information.

You should never use more than one of these entity categories for the same service due to undefined behaviour. SWAMID recommends all Identity Providers to only release attribute for the most data minimalistic entity category, i.e. if a Service Provider asks for Pseudonymous Access and Personalized Access the service will get the attribute for Pseudonymous Access.

The entity category Research and Scholarship (R&S) is more or less the same as Personalized Access but have more restricted use cases and another set of identifiers.

The entity category European Student Identifier is a category to primary support student exchange programs like Erasmus+. This entity category only supports one value in one specific attribute and expected to be used together with other entity categories, for example Personalized Access.

For services that needs other attributes than supported by the fixed attribute bundles the entity category REFEDS Data Protection Code of Conduct, and the older GÉANT Data Protection Code of Conduct, is recommended.

REFEDS Anonymous Access Entity Category

The Anonymous Access Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The entity category makes it possible to automatically release a set of mostly harmless attributes to Service Providers registered in the academic federations.

The expected Identity Provider behaviour is to release to the Service Provider a predefined set of attributes. Service Providers signals their need of Anonymous Access Entity Category via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the Anonymous Access Entity Category.

Expected attribute release from an Identity Provider

Process for applying for tagging a service with entity category

...

REFEDS Anonymous Access Entity Category

For a service to be tagged with REFEDS Research and Scholarship (R&S) Anonymous Access Entity Category it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeksupdates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

• Purpose and scope of the service.
• Documentation which proves that the service has fulfilled all the requirements for R&S if it's not defined by purpose and scope of the service.

The request must contain the following information for metadata publication:

The entity category has the following metadata requirements:

• Well functional SAML2 metadata for the service with an Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
• Display name for the Service in English and preferable also in Swedish and English for use in Identity Providers' login pages and Discovery Services.
• Short description of the Service in Swedish and English for use in Identity Providers login pages and Discovery Services.
• Mail address to the technical and/or support contact for the service.
• Organisation name of the organisation delivering the service
• URL to an informational web page that describes the service in English and preferable also in Swedish.
• At least one of the administrative, technical and support contact for the service and it's recommended that security contact is also givenURL to the organisation delivering the service.

The request is highly recommended to also have the following information for metadata publication:

• URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.
• URL to a web page with the service privacy policy in English and maybe Swedish.
• URL to a informational web page that describes the service in English and probably in Swedish.
• URL to a web page with the service privacy policy in English and probably Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template. Please remove the section about GÉANT Dataprotection Code of Conduct if you use the Privacy Policy Tamplate.

Besides the formal requirements and recommendations of REFEDS R&S it is highly recommended that the service also adheres to the REFEDS Security Incident Besides the formal requirements and recommendations of REFEDS Anonymous Access Entity Category are Service Providers it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

...

REFEDS Pseudonymous Access Entity Category

The Pseudonymous Access Entity Category is used both within SWAMID and in the eduGAIN interfederation CoCo is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher the higher education institutions in Sweden and around Europethe world. The CoCo entity category makes it possible to automatically release a set of mostly harmless attributes to Service Providers which fulfil the EU Data Protection legislation. registered in the academic federations.

The expected Identity Provider behaviour is to release the Service Provider required attributes if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However it's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes. The required attributes for a specific service is defined in the the service metadata and must be described in the mandatory Service Provider Privacy Policy. There release to the Service Provider a predefined set of attributes. Service Providers signals their need of Pseudonymous Access Entity Category via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Provider that supports the CoCo entity category that can be used for filter purpose in a discovery service.

Providers that supports the Pseudonymous Access Entity Category.

For REFEDS Pseudonymous Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the requirement for mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

...

Attribute(s)	SAML2 Attribute Identifier	Comment

eduPersonTargetedID

samlPairwiseID	urn:oasis:names:tc:SAML:attribute:pairwise-id
eduPersonAssurance	urn:oid:1.3.6.1.4.1.5923.1.1.1.

10

11

eduPersonPrincipalName

eduPersonScopedAffiliation	urn:oid:1.3.6.1.4.1.5923.1.1.1.

6

9

eduPersonUniqueID

schacHomeOrganization	urn:oid:1.3.6.1.4.1.

5923

25178.1.

1

2.

1.13

eduPersonUniqueID is a long term unique identifier that will not be reused by the Identity Provider. It may be the same value as eduPersonPrincipalName if that attribute is non-re-assignable.

eduPersonOrcidurn:oid:1.3.6.1.4.1.5923.1.1.1.16norEduPersonNINurn:oid:1.3.6.1.4.1.2428.90.1.5

This attribute is for students systems that needs to be synchronised with the the student documentations system directly or indirectly. Within SWAMID norEduPersonNIN can besides Swedish Personal Numbers and Swedish Co-ordination Numbers also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system.

SWAMID Identity Providers only release this attribute to services registered in SWAMID.

personalIdentityNumberurn:oid:1.2.752.29.4.13

Within SWAMID personalIdentityNumber only contain Swedish Personal Numbers or Swedish Co-ordination Numbers.

SWAMID Identity Providers only release this attribute to services registered in SWAMID.

schacDateOfBirthurn:oid:1.3.6.1.4.1.25178.1.2.3mailurn:oid:0.9.2342.19200300.100.1.3Can be more than one address released but Identity Providers are recommended to release only one.displayName

urn:oid:2.16.840.1.113730.3.1.241

givenNameurn:oid:2.5.4.42sn (surname)urn:oid:2.5.4.4cn (commonName)urn:oid:2.5.4.3Due to that cn is use for different things in different in different identity management systems it's highly recommended to use the attribute displayName instead.eduPersonAssuranceurn:oid:1.3.6.1.4.1.5923.1.1.1.11Services shall only expect this attribute to be available from Identity Providers within SWAMID.eduPersonScopedAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.9eduPersonAffiliationurn:oid:1.3.6.1.4.1.5923.1.1.1.1Due to eduPersonAffiliations non domain scoped nature it's highly recommended to use the attribute eduPersonScopedAffiliation instead.o (organizationName)urn:oid:2.5.4.10This attribute is also be available as an metadata attribute.norEduOrgAcronymurn:oid:1.3.6.1.4.1.2428.90.1.6c (countryName)urn:oid:2.5.4.6

9

Process for applying for tagging a service with entity category REFEDS Pseudonymous Access Entity Category

For a service to be tagged with REFEDS Pseudonymous Access Entity Category it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

• Purpose and scope of the service.
• Documentation which proves that the service has fulfilled all the requirements for REFEDS Pseudonymous Access Entity Category if it isn't defined by purpose and scope of the service.
  • The service has a proven and documented need for the pseudonymous information that forms the attribute bundle for this entity category.
  • The Service Provider has committed to data minimisation and will not use the attributes for purposes other than as described in their application.

The entity category has the following metadata requirements:

• Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
• Display name for the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
• URL to an informational web page that describes the service in English and preferable also in Swedish.
• URL to a web page with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template.
• At least one of the administrative, technical and support contact for the service and it's recommended that security contact is also given.

The request is highly recommended to also have the following information for metadata publication:

• URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.

Besides the formal requirements and recommendations of REFEDS Pseudonymous Access Entity Category are Service Providers it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS Personalized Access Entity Category

The Personalized Access Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The entity category makes it possible to automatically release a set of mostly harmless attributes to Service Providers registered in the academic federations.

The expected Identity Provider behaviour is to release to the Service Provider a predefined set of attributes. Service Providers signals their need of Personalized Access Entity Category via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the Personalized Access Entity Category.

For REFEDS Personalized Access Entity Category there is a formal requirement that the service shall publish a public Privacy Policy. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for the requirement for mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

Process for applying for tagging a service with entity category GÉANT Dataprotection Code of Conduct

Process for applying for tagging a service with entity category REFEDS Personalized Access Entity Category

For a service to be tagged with REFEDS Personalized Access Entity Category it must contact For a service to be tagged with GÉANT Dataprotection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator sends an e-mail to operations@swamid.se with a formal request that contains the information below. Upon receiving the request SWAMID operations will respond within two weeksupdates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

• Purpose and scope of the service.
• A list off the required attributes that the service needs to function. It's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes.
• Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfullness of processing as described in GDPR Article 6 for REFEDS Personalized Access Entity Category if it isn's not t defined by purpose and scope of the service.
  • The service has a proven and documented need for the personally identifiable information that forms the attribute bundle for this entity category.
  • The Service Provider has committed to data minimisation and will not use the attributes for purposes other than as described in their application.

The entity category has the following metadata requirements request must contain the following information for metadata publication:

• Well functional SAML2 metadata for the service with an entityid in URL-form .
• Display name for the Service in Swedish and English for use in Identity Providers login pages and Discovery Services.
• as described in the SWAMID SAML WebSSO Technology Profile.
• Display name for the Service in English and preferable also in Swedish Short description of the Service in Swedish and English for use in Identity Providers' login pages and pages and Discovery Services.
• Mail address to the technical and/or support contact for the service.
• Organisation name of the organisation delivering the service
• URL to the organisation delivering the serviceURL to an informational web page that describes the service in English and preferable also in Swedish.
• URL to a web page with the service privacy policy in English and maybe preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
  
  • the name, address and jurisdiction of the Service Provider;
  • the purpose or purposes of the processing of the Attributes;
  • a description of the Attributes being processed;
  • the third party recipients or categories of third party recipient to whom he Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
  • the existence of the rights to access, rectify and delete the Attributes held about the End User;
  • the retention period of the Attributes; and
  • a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.

The request is highly recommended to also have the following information for metadata publication:

• URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.
• URL to a informational web page that describes the service in English and probably in Swedish.

Besides the formal requirements and recommendations of GÉANT Dataprotection Code of Conduct it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi). SIRTFI will be mandatory in the next version of this code of conduct.

Release without any recognised Entity Categories

Most Identity Providers within SWAMID sends no attributes when a service is not marked any entity category.

------------------------------------------------------------------------------

SWAMID entity categories under process to be deprecated

SWAMID Service Provider Attribute Release Entity Categories (deprecated 2020-09-01 with transitional use until 2021-03-31)

These categories define the release of mostly harmless personal attributes to a Service Provider (SP) from a Identity Provider (IdP). It is used together with SWAMID Data Protection Entity Categories below.

...

Category

...

Description

...

research-and-education

...

SP is an application that directly or indirectly supports HEI institutions.

...

sfs-1993-1153

...

SP is an application that fulfills SFS 1993:1153

• At least one of the administrative, technical and support contact for the service and it's recommended that security contact is also given.

The request is highly recommended to also have the following information for metadata publication:

• URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.

Besides the formal requirements and recommendations of REFEDS Personalized Access Entity Category are Service Providers it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS Research and Scholarship (R&S)

R&S is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around the world. The R&S makes it possible to automatically release mostly harmless attributes to Service Providers within the higher educational sector.

The expected IdP behaviour is to release to the Service Provider a predefined set of R&S Category Attributes. Service Providers signals their need of R&S via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the R&S entity category and this can be used for filter purpose in a discovery service.

Example of services that uses the entity category includes (but are not limited to) collaborative tools and services such as wikis, blogs, project and grant management tools that require some personal information about users to work effectively. This Entity Category should not be used for access to licensed content such as e-journals.

For REFEDS Research and Scholarship there is no formal requirement that the service shall publish a public Privacy Policy. However all services that are registered in SWAMID must have a Privacy Policy to inform end users about how personal data are processed. SWAMID have published a Service Provider Privacy Policy Template for GÉANT Data Protection Code of Conduct that can be used except for mention the GÉANT Data Protection Code of Conduct.

Expected attribute release from an Identity Provider

Process for applying for tagging a service with entity category REFEDS Research and Scholarship

For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

• Purpose and scope of the service.
• Documentation which proves that the service has fulfilled all the requirements for R&S if it's not defined by purpose and scope of the service:
  • The service enhances the research and scholarship activities of some subset of the user community.
  • The Service Provider is a production SAML deployment that supports SAML V2.0 HTTP-POST binding.
  • The Service Provider claims to refresh federation metadata at least daily.

Unless the following is already published in current service metadata, the metadata update request must contain:

• Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
• Display name for the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
• Technical contact for the service and it's recommended that administrative, support and security contact is also given.
• URL to an informational web page that describes the service in English and preferable also in Swedish.
• URL to a web page with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template (specific for SWAMID).
• The Service Provider is a production SAML deployment that supports SAML V2.0 HTTP-POST binding.

The request is highly recommended to also have the following information for metadata publication:

• URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.

Besides the formal requirements and recommendations of REFEDS R&S it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS Data Protection Code of Conduct (CoCo v2)

REFEDS Data Protection Code of Conduct entity category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The entity category makes it possible to automatically release mostly harmless attributes to Service Providers in the spririt of the EU Data Protection legislation. The expected Identity Provider behaviour is to release the Service Provider required attributes if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However it's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes. The required attributes for a specific service is defined in the the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Provider that supports the REFEDS Data Protection Code of Conduct entity category that can be used for filter purpose in a discovery service.

Expected attribute availability from an Identity Provider for attributes required by indication in metadata

Multivalued attributes that have different values for different services shall not be requested via metadata, examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason for this is that an Identity Provider may unintensional release sensitive information to services that are not eligable for these values. SWAMID recommends member Identity Providers to not release this type of attributes based on reqeusted attributes in metadata.

Process for applying for tagging a service with entity category REFEDS Data Protection Code of Conduct

For a service to be tagged with REFEDS Data Protection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

• Purpose and scope of the service.
• Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfullness of processing as described in GDPR if it's not defined by purpose and scope of the service:
  • the grounds under which the Service Provider supports transfer of data as either:
    • Operating in a country within the European Union or European Economic Area or a country, territory, sector or international Organisation with an adequacy decision pursuant to GDPR Article 45, and
    • Using appropriate safeguards pursuant to GDPR Article 46 and committed to only receiving data from organisations where safeguards have been agreed.
  • that the service has committed to theREFEDS/GÉANT Data Protection Code of Conduct,
  • that it informs the Registrar about any material changes that may influence their ability to commit to the REFEDS/GÉANTData Protection Code of Conduct
• A list of the required attributes that the service needs to function (the list is also required in the privacy policy of the service). It is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes.

Unless the following is already published in current service metadata, the metadata update request must contain:

• Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
• Display name for the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
• Short description of the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
• A list of required attributes of the Service.
• Administrative contact for the service and it's recommended that technical, support and security contact is also given.
• URL to a publicly accessible web page (not a pdf document) with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
  
  • the name, address and jurisdiction of the Service Provider;
  • the purpose or purposes of the processing of the Attributes;
  • a description of the Attributes being processed;
  • the third party recipients or categories of third party recipient to whom he Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
  • the existence of the rights to access, rectify and delete the Attributes held about the End User; and
  • the retention period of the Attributes.

It's also a highly recommended that the service adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

GÉANT Data Protection Code of Conduct (CoCo v1)

GÉANT Data Protection Code of Conduct entity category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The entity category makes it possible to automatically release mostly harmless attributes to Service Providers in the spririt of the EU Data Protection legislation. The expected Identity Provider behaviour is to release the Service Provider required attributes if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However it's possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes. The required attributes for a specific service is defined in the the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Provider that supports the GÉANT Data Protection Code of Conduct entity category that can be used for filter purpose in a discovery service.

Expected attribute availability from an Identity Provider for attributes required by indication in metadata

SWAMID Research & Education (deprecated 2020-09-01 with transitional use until 2021-03-31)

...

entity-category URI

...

http://www.swamid.se/category/research-and-education

...

For instance, a service that provides tools for both multi-institutional research collaboration and instruction is eligible as a candidate for this category. This category is very similar to InCommons Research & Scolarship Category. The expected IdP behaviour is to release name, eppn, eptid, mail and eduPersonScopedAffiliation only if the services is also in at least one of the safe data processing categories. It is also recommended that static organisational information is released. If the Identity Provider home organisation has fulfilled the requirements for SWAMID Assurance Profiles eduPersonAssurance should also be released.

Expected attribute release when paired with a SWAMID Data Protection Entity Category

Process for applying for tagging a service with entity category Research & Education

The service operator sends an e-mail to operations@swamid.se with a formal request.

The request must contain the following information:

• Purpose and scope of the service.
• Valid SWAMID Data Protection Entity Category, i.e. what type of organisation is legally responsible for the Service. The options are defined below (HEI Service, NREN Service or EU Adequate Protection).

Upon receiving a request SWAMID operations will respond within two weeks.

SWAMID SFS 1993:1153 (deprecated 2020-09-01 with transitional use until 2021-03-31)

...

entity-category URI

...

http://www.swamid.se/category/sfs-1993-1153

...

The entity category is intended for common government operated student admissions and achieved learning administration services such as NyA and LADOK as well as services for student account enrollment, course registration and learning progression processes at universities and university colleges.

Inclusion in this category is strictly reserved for services that fulfill SFS 1993:1153 which implies that the application may make use of norEduPersonNIN, i.e. the Swedish Personal identity number, the Swedish Co-ordination number or the Higher education personal interim identity number. The expected IdP behavior is to release norEduPersonNIN. If the Identity Provider home organisation has fulfilled the requirements for SWAMID Assurance Profiles eduPersonAssurance should also be released.

Examples of services that are viable for this entity category is a course registration self service and a student account creation service, a learning progression registration service and an internship administration self service.

Expected attribute release

...

Multivalued attributes that have different values for different services shall not be requested via metadata, examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason for this is that an Identity Provider may unintensional release sensitive information to services that are not eligable for these values. SWAMID recommends member Identity Providers to not release this type of attributes based on reqeusted attributes in metadata.

Process for applying for tagging a service with entity category GÉANT Data Protection Code of Conduct

For a service to be tagged with GÉANT Data Protection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

• Purpose and scope of the service.
• Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfullness of processing as described in GDPR if it's not defined by purpose and scope of the service:
  • the grounds under which the Service Provider supports transfer of data as either:
    • Operating in a country within the European Union or European Economic Area or a country, territory, sector or international Organisation with an adequacy decision pursuant to GDPR Article 45, and
    • Using appropriate safeguards pursuant to GDPR Article 46 and committed to only receiving data from organisations where safeguards have been agreed.
  • that the service has committed to theREFEDS/GÉANT Data Protection Code of Conduct,
  • that it informs the Registrar about any material changes that may influence their ability to commit to the REFEDS/GÉANTData Protection Code of Conduct
• A list of the required attributes that the service needs to function (the list is also required in the privacy policy of the service). It is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility to get the needed set of attributes.

Unless the following is already published in current service metadata, the metadata update request must contain:

• Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.
• Display name for the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
• Short description of the Service in English and preferable also in Swedish for use in Identity Providers' login pages and Discovery Services.
• A list of required attributes of the Service.
• Administrative contact for the service and it's recommended that technical, support and security contact is also given.
• URL to a publicly accessible web page (not a pdf document) with the service privacy policy in English and preferable also in Swedish, a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
  
  • the name, address and jurisdiction of the Service Provider;
  • the purpose or purposes of the processing of the Attributes;
  • a description of the Attributes being processed;
  • the third party recipients or categories of third party recipient to whom he Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
  • the existence of the rights to access, rectify and delete the Attributes held about the End User;
  • the retention period of the Attributes; and
  • a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.

It's also a highly recommended that the service adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

European Student Identifier Entity Category

The European Student Identifier Entity Category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The entity category makes it possible to automatically release the European Student Identifier as defined at https://wiki.geant.org/display/SM/European+Student+Identifier.

The expected Identity Provider behaviour for universites and university colleges is to release to the Service Provider the European Student Identifier. Service Providers signals their need of European Student Identifier via an entity category tag in metadata. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that supports the European Student Identifier Entity Category.

Expected attribute release from an Identity Provider

Process for applying for tagging a service with entity category European Student Identifier Entity Category

For a service to be tagged with European Student Identifier Entity Category it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

The request must besides the metadata update contain the following administrative information:

• Purpose and scope of the service.
• Description on fulfillment of the eligible criteria for the ESI Entity Category:
  • Student Mobility Services directly enabling mobility, for example, the Erasmus+ programme.
  • Services that transfer student records or transcripts of records between educational institutions and which need to identify the students to which the records belong to.

  • University Alliances scenarios where students’ records are shared across (some of) the universities of the Alliance.
    Formal learning and teaching activities and/or the administrative activities related to those within an institution, for example, Learning Management Systems and remote e-assessment tools.

The entity category has the following metadata requirements:

• Well functional SAML2 metadata for the service with an entityid in URL-form as described in the SWAMID SAML WebSSO Technology Profile.

The request is highly recommended to also have the following information for metadata publication:

• URL beginning with https to the service logotype for use in Identity Providers login pages and Discovery Services.

Besides the formal requirements and recommendations of European Student Identifier Entity Category are Service Providers it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

Release without any recognised Entity Categories

Most Identity Providers within SWAMID release no attributes to a service when it is not marked with the entity categories above

Process for applying for tagging a service with entity category SFS 1993:1153

The service operator sends an e-mail to operations@swamid.se with a formal request.

The request must contain the following information:

• Purpose and scope of the service.
• Full description of why norEduPersonNIN is needed in the service.

Upon receiving a request SWAMID operations will evaluate against the Swedish legislation SFS 1993:1153 (2 kap. 6 § and 4 kap. 4 §). SWAMID operations will normally respond within two weeks. If the evaluation is positive SWAMID operations will add the requested entity category to the service metadata.

SWAMID Data Protection Entity Categories (deprecated 2020-09-01 with transitional use until 2021-03-31)

These categories indicate category classifaction of Identity Providers (IdP) that can release mostly harmless personal attributes to a Service Provider (SP) in conjunction with the Swedish Personal Data Act (PUL). It is used together with the Research & Education Entity Category above.

SWAMID HEI Service (deprecated 2020-09-01 with transitional use until 2021-03-31)

...

entity-category URI

...

http://www.swamid.se/category/hei-service

...

This category is only relevant for attribute release from SWAMID registered IdPs to services at Swedish universities, Swedish university colleges and the Swedish Council for Higher Education.

SWAMID NREN Service (deprecated 2020-09-01 with transitional use until 2021-03-31)

...

entity-category URI

...

http://www.swamid.se/category/nren-service

...

This category is only relevant for attribute release from SWAMID registered IdPs to SUNET services.

SWAMID EU Adequate Protection (deprecated 2020-09-01 with transitional use until 2021-03-31)

...

entity-category URI

...

http://www.swamid.se/category/eu-adequate-protection

...

The application is compliant with either

...

.