Versions Compared

...

This is the set of entity categories in use by SWAMID. Entity categories for SAML are defined by REFEDS in the RFC8409 specification.


For an example of how to consume and process this information in an Identity Provider, see the page Example of a standard attribute filter for Shibboleth IdP v3.4.0 and above. ADFS Toolkit supports the use of entity categories.

...

The entity category European Student Identifier is a category that primarily supports student exchange programmes such as Erasmus+. This entity category covers only one value in one specific attribute and is expected to be used together with other entity categories, for example Personalized Access.

...


 | Anonymous Access | Pseudonymous Access | Personalized Access | Research and Scholarship (R&S)
Organisation | eduPersonScopedAffiliation, schacHomeOrganization | eduPersonScopedAffiliation, schacHomeOrganization | eduPersonScopedAffiliation, schacHomeOrganization | eduPersonScopedAffiliation (optional)
User identifier | - | samlPairwiseID | samlSubjectID | eduPersonPrincipalName (if non-reassigned); eduPersonPrincipalName + eduPersonTargetedID (not used within SWAMID)
Assurance | - | eduPersonAssurance | eduPersonAssurance | eduPersonAssurance (only within SWAMID)
Person name | - | - | displayName, givenName, sn | displayName or givenName + sn
Email address | - | - | mail | mail

...

Expected attribute release from an Identity Provider

Attribute(s) | SAML2 Attribute Identifier | Comment
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |

Process for applying for tagging a service with entity category REFEDS Anonymous Access Entity Category

...

Expected attribute release from an Identity Provider

Attribute(s) | SAML2 Attribute Identifier | Comment
samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id |
eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 |
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |

Process for applying for tagging a service with entity category REFEDS Pseudonymous Access Entity Category

...

Expected attribute release from an Identity Provider

Attribute(s) | SAML2 Attribute Identifier | Comment
samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id |
mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one.
displayName | urn:oid:2.16.840.1.113730.3.1.241 |
givenName | urn:oid:2.5.4.42 |
sn | urn:oid:2.5.4.4 |
eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 |
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |

Process for applying for tagging a service with entity category REFEDS Personalized Access Entity Category

...

Besides the formal requirements and recommendations of the REFEDS Personalized Access Entity Category, it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

...

REFEDS Research and Scholarship (R&S)

...

Expected attribute release from an Identity Provider

Attribute(s) | SAML2 Attribute Identifier | Comment
eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Should only be released by the Identity Provider if eduPersonPrincipalName is re-assignable to another user. Within SWAMID reassignment of eduPersonPrincipalName is not allowed and therefore this attribute will not be released from Identity Providers within SWAMID.
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one.
displayName and/or givenName and sn | urn:oid:2.16.840.1.113730.3.1.241, urn:oid:2.5.4.42, urn:oid:2.5.4.4 | A user's name can be released in different ways and the Service Provider is expected to handle this.
eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Local addon within SWAMID. Services shall only expect this attribute to be available from Identity Providers within SWAMID.
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |

Process for applying for tagging a service with entity category REFEDS Research and Scholarship

For a service to be tagged with REFEDS Research and Scholarship (R&S) it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

Besides the metadata update, the request must contain the following administrative information:

...

Besides the formal requirements and recommendations of REFEDS R&S it is highly recommended that the service also adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

REFEDS

...

Data Protection Code of Conduct (CoCo v2)


Definition

The REFEDS Data Protection Code of Conduct (CoCo v2) entity category defines an approach at a European level to meet the requirements of the European General Data Protection Regulation (GDPR) for releasing mostly harmless personal attributes to a Service Provider (SP) from an Identity Provider (IdP). For more information please see REFEDS Data Protection Code of Conduct.

The REFEDS Data Protection Code of Conduct entity category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The entity category makes it possible to automatically release mostly harmless attributes to Service Providers in the spirit of the EU Data Protection legislation. The expected Identity Provider behaviour is to release the attributes required by the Service Provider if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However, it is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility of getting the needed set of attributes. The required attributes for a specific service are defined in the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that support the REFEDS Data Protection Code of Conduct entity category; it can be used for filtering purposes in a discovery service.

Expected attribute availability from an Identity Provider for attributes required by indication in metadata

Attribute(s) | SAML2 Attribute Identifier | Comment
samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id |
eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | This attribute is deprecated!
samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id |
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
eduPersonOrcid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 |
norEduPersonNIN | urn:oid:1.3.6.1.4.1.2428.90.1.5 | This attribute is for student systems that need to be synchronised, directly or indirectly, with the student documentation system. Within SWAMID norEduPersonNIN can, besides Swedish Personal Numbers and Swedish Co-ordination Numbers, also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system. SWAMID Identity Providers only release this attribute to services registered in SWAMID.
personalIdentityNumber | urn:oid:1.2.752.29.4.13 | Within SWAMID personalIdentityNumber only contains Swedish Personal Numbers or Swedish Co-ordination Numbers. SWAMID Identity Providers only release this attribute to services registered in SWAMID.
schacDateOfBirth | urn:oid:1.3.6.1.4.1.25178.1.2.3 |
displayName | urn:oid:2.16.840.1.113730.3.1.241 |
givenName | urn:oid:2.5.4.42 |
sn (aka surname) | urn:oid:2.5.4.4 |
norEduPersonLegalName | urn:oid:1.3.6.1.4.1.2428.90.1.10 | The full legal name from the population registry or from official travel documents as defined in ICAO 9306, i.e. passports and European national identity cards.
cn (aka commonName) | urn:oid:2.5.4.3 | Because cn is used for different things in different identity management systems, it is highly recommended to use the attribute displayName instead.
mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one.
mailLocalAddress | urn:oid:2.16.840.1.113730.3.1.13 | For services that need all active mail aliases for the user, for example to process mail invite flows correctly when the given mail address is not the user's primary address. mailLocalAddress is used as a multi-valued attribute holding all active mail aliases for the user.
eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Services shall only expect this attribute to be available from Identity Providers within SWAMID.
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Because eduPersonAffiliation is not domain-scoped, it is highly recommended to use the attribute eduPersonScopedAffiliation instead.
o (aka organizationName) | urn:oid:2.5.4.10 | This attribute is also available as a metadata attribute.
norEduOrgAcronym | urn:oid:1.3.6.1.4.1.2428.90.1.6 |
c (aka countryName) | urn:oid:2.5.4.6 |
co (aka friendlyCountryName) | urn:oid:0.9.2342.19200300.100.1.43 |
schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 |


Multivalued attributes that have different values for different services shall not be requested via metadata; examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason is that an Identity Provider may unintentionally release sensitive information to services that are not eligible for these values. SWAMID recommends that member Identity Providers do not release this type of attribute based on requested attributes in metadata.

Process for applying for tagging a service with entity category REFEDS Data Protection Code of Conduct

For a service to be tagged with REFEDS Data Protection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

Besides the metadata update, the request must contain the following administrative information:

  • Purpose and scope of the service.
  • Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfulness of processing as described in GDPR, if it is not defined by the purpose and scope of the service:
    • the grounds under which the Service Provider supports transfer of data, as either:
      • Operating in a country within the European Union or European Economic Area, or a country, territory, sector or international Organisation with an adequacy decision pursuant to GDPR Article 45, and
      • Using appropriate safeguards pursuant to GDPR Article 46 and committed to only receiving data from organisations where safeguards have been agreed.
    • that the service has committed to the REFEDS/GÉANT Data Protection Code of Conduct,
    • that it informs the Registrar about any material changes that may influence their ability to commit to the REFEDS/GÉANT Data Protection Code of Conduct.
  • A list of the required attributes that the service needs to function (the list is also required in the privacy policy of the service). It is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility of getting the needed set of attributes.

Unless the following is already published in current service metadata, the metadata update request must contain:

  • Well-functioning SAML2 metadata for the service with an entityID in URL form as described in the SWAMID SAML WebSSO Technology Profile.
  • Display name for the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Short description of the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • A list of required attributes of the Service.
  • Administrative contact for the service; it is recommended that technical, support and security contacts are also given.
  • URL to a publicly accessible web page (not a pdf document) with the service privacy policy in English and preferably also in Swedish; a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
    • the name, address and jurisdiction of the Service Provider;
    • the purpose or purposes of the processing of the Attributes;
    • a description of the Attributes being processed;
    • the third party recipients or categories of third party recipient to whom the Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
    • the existence of the rights to access, rectify and delete the Attributes held about the End User; and
    • the retention period of the Attributes.

It is also highly recommended that the service adheres to the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi).

GÉANT Data Protection Code of Conduct (CoCo v1)


Definition

The earlier GÉANT Data Protection Code of Conduct (CoCo v1) defines an approach at a European level to meet the requirements of the European Union Data Protection Directive. The Data Protection Directive has been superseded by the General Data Protection Regulation (GDPR) and therefore GDPR must be taken into account for CoCo v1. The CoCo v1 entity category is in the same spirit as GDPR, i.e. the Charter of Fundamental Rights of the European Union. For more information please see GÉANT Data Protection Code of Conduct.

CoCo v1 (GÉANT Data Protection Code of Conduct) is superseded by the REFEDS Data Protection Code of Conduct but will exist in parallel with CoCo v2 for an extended time; we therefore recommend all services that use CoCo v2 to also declare CoCo v1, and vice versa.

The GÉANT Data Protection Code of Conduct (CoCo) entity category is used both within SWAMID and in the eduGAIN interfederation to make services available to users of the higher education institutions in Sweden and around Europe. The CoCo entity category makes it possible to automatically release mostly harmless attributes to Service Providers in the spirit of the EU Data Protection legislation. The expected Identity Provider behaviour is to release the attributes required by the Service Provider if the IdP is able to. Required attributes means attributes the service must have to be able to work for the user. However, it is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility of getting the needed set of attributes. The required attributes for a specific service are defined in the service metadata and must be described in the mandatory Service Provider Privacy Policy. There is furthermore an identity provider entity support category that should be registered for all Identity Providers that support the GÉANT Data Protection Code of Conduct entity category; it can be used for filtering purposes in a discovery service.

Expected attribute availability from an Identity Provider for attributes required by indication in metadata

Attribute(s) | SAML2 Attribute Identifier | Comment
samlPairwiseID | urn:oasis:names:tc:SAML:attribute:pairwise-id |
eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | This attribute is deprecated!
samlSubjectID | urn:oasis:names:tc:SAML:attribute:subject-id |
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
eduPersonOrcid | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 |
norEduPersonNIN | urn:oid:1.3.6.1.4.1.2428.90.1.5 | This attribute is for student systems that need to be synchronised, directly or indirectly, with the student documentation system. Within SWAMID norEduPersonNIN can, besides Swedish Personal Numbers and Swedish Co-ordination Numbers, also contain Interim Personal Numbers from the student documentation system Ladok and the Swedish national study enrolment system. SWAMID Identity Providers only release this attribute to services registered in SWAMID.
personalIdentityNumber | urn:oid:1.2.752.29.4.13 | Within SWAMID personalIdentityNumber only contains Swedish Personal Numbers or Swedish Co-ordination Numbers. SWAMID Identity Providers only release this attribute to services registered in SWAMID.
schacDateOfBirth | urn:oid:1.3.6.1.4.1.25178.1.2.3 |
displayName | urn:oid:2.16.840.1.113730.3.1.241 |
givenName | urn:oid:2.5.4.42 |
sn (aka surname) | urn:oid:2.5.4.4 |
norEduPersonLegalName | urn:oid:1.3.6.1.4.1.2428.90.1.10 | The full legal name from the population registry or from official travel documents as defined in ICAO 9306, i.e. passports and European national identity cards.
cn (aka commonName) | urn:oid:2.5.4.3 | Because cn is used for different things in different identity management systems, it is highly recommended to use the attribute displayName instead.
mail | urn:oid:0.9.2342.19200300.100.1.3 | More than one address can be released, but Identity Providers are recommended to release only one.
mailLocalAddress | urn:oid:2.16.840.1.113730.3.1.13 | For services that need all active mail aliases for the user, for example to process mail invite flows correctly when the given mail address is not the user's primary address. mailLocalAddress is used as a multi-valued attribute holding all active mail aliases for the user.
eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | Services shall only expect this attribute to be available from Identity Providers within SWAMID.
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | Because eduPersonAffiliation is not domain-scoped, it is highly recommended to use the attribute eduPersonScopedAffiliation instead.
o (aka organizationName) | urn:oid:2.5.4.10 | This attribute is also available as a metadata attribute.
norEduOrgAcronym | urn:oid:1.3.6.1.4.1.2428.90.1.6 |
c (aka countryName) | urn:oid:2.5.4.6 |
co (aka friendlyCountryName) | urn:oid:0.9.2342.19200300.100.1.43 |
schacHomeOrganization | urn:oid:1.3.6.1.4.1.25178.1.2.9 |
schacHomeOrganizationType | urn:oid:1.3.6.1.4.1.25178.1.2.10 |


Multivalued attributes that have different values for different services shall not be requested via metadata; examples of such attributes are eduPersonEntitlement, norEduPersonLIN and schacPersonalUniqueCode. The reason is that an Identity Provider may unintentionally release sensitive information to services that are not eligible for these values. SWAMID recommends that member Identity Providers do not release this type of attribute based on requested attributes in metadata.

Process for applying for tagging a service with entity category GÉANT Data Protection Code of Conduct

For a service to be tagged with GÉANT Data Protection Code of Conduct it must contact the federation that it has registered with. If the service is registered within the SWAMID federation the service operator updates the service metadata in the SWAMID Metadata Tool.

Besides the metadata update, the request must contain the following administrative information:

  • Purpose and scope of the service.
  • Documentation which proves that the service has fulfilled all the requirements for CoCo and lawfulness of processing as described in GDPR, if it is not defined by the purpose and scope of the service:
    • the grounds under which the Service Provider supports transfer of data, as either:
      • Operating in a country within the European Union or European Economic Area, or a country, territory, sector or international Organisation with an adequacy decision pursuant to GDPR Article 45, and
      • Using appropriate safeguards pursuant to GDPR Article 46 and committed to only receiving data from organisations where safeguards have been agreed.
    • that the service has committed to the REFEDS/GÉANT Data Protection Code of Conduct,
    • that it informs the Registrar about any material changes that may influence their ability to commit to the REFEDS/GÉANT Data Protection Code of Conduct.
  • A list of the required attributes that the service needs to function (the list is also required in the privacy policy of the service). It is possible to require more than one attribute of a specific type, i.e. name and identifier attributes, to increase the possibility of getting the needed set of attributes.

...

  • Well-functioning SAML2 metadata for the service with an entityID in URL form as described in the SWAMID SAML WebSSO Technology Profile.
  • Display name for the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • Short description of the Service in English and preferably also in Swedish, for use in Identity Providers' login pages and Discovery Services.
  • A list of required attributes of the Service.
  • Administrative contact for the service; it is recommended that technical, support and security contacts are also given.
  • URL to a publicly accessible web page (not a pdf document) with the service privacy policy in English and preferably also in Swedish; a privacy policy example template: SWAMID Service Provider Privacy Policy Template. The privacy policy must at least contain:
    • the name, address and jurisdiction of the Service Provider;
    • the purpose or purposes of the processing of the Attributes;
    • a description of the Attributes being processed;
    • the third party recipients or categories of third party recipient to whom the Attributes might be disclosed, and proposed transfers of Attributes to countries outside of the European Economic Area;
    • the existence of the rights to access, rectify and delete the Attributes held about the End User;
    • the retention period of the Attributes; and
    • a reference to this Code of Conduct including the formal reference URL http://www.geant.net/uri/dataprotection-code-of-conduct/v1.

...

Expected attribute release from an Identity Provider

Attribute(s) | SAML2 Attribute Identifier | Comment
schacPersonalUniqueCode | urn:oid:1.3.6.1.4.1.25178.1.2.14 | This attribute is multi-valued, but the expected behaviour is that the Identity Provider only releases the ESI value to the service, if no other values are released by bilateral agreement.
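As an added example (not SWAMID's code and not the filter of any IdP product), the release logic that the tables on this page describe, written in Python so it can be checked against sample data: the per-category release sets from the Anonymous/Pseudonymous/Personalized/R&S comparison table, the CoCo rule that attributes required in the Service Provider metadata are released only when available and never when they are per-service multivalued (eduPersonEntitlement, norEduPersonLIN, schacPersonalUniqueCode), the SWAMID-only restriction on norEduPersonNIN and personalIdentityNumber, the one-address recommendation for mail, and the European Student Identifier rule that only the ESI value of schacPersonalUniqueCode is released. Assumptions I supply, not taken from the page: the entity category URIs other than CoCo v1, the eduPersonEntitlement OID, and the prefix used to recognise an ESI value; the user record and the service entries are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Entity category URIs. Only the CoCo v1 URI appears on the page; the others are the
# REFEDS/MyAcademicID values as I know them (assumption: verify against the specs).
ANONYMOUS = "https://refeds.org/category/anonymous"
PSEUDONYMOUS = "https://refeds.org/category/pseudonymous"
PERSONALIZED = "https://refeds.org/category/personalized"
RS = "http://refeds.org/category/research-and-scholarship"
COCO_V2 = "https://refeds.org/category/code-of-conduct/v2"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
ESI = "https://myacademicid.org/entity-categories/esi"

# SAML2 attribute identifiers from the page's tables, keyed by friendly name.
# eduPersonEntitlement is not listed on the page; its OID is my assumption.
OID = {
    "samlPairwiseID": "urn:oasis:names:tc:SAML:attribute:pairwise-id",
    "samlSubjectID": "urn:oasis:names:tc:SAML:attribute:subject-id",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
    "eduPersonAssurance": "urn:oid:1.3.6.1.4.1.5923.1.1.1.11",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
    "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
    "norEduPersonNIN": "urn:oid:1.3.6.1.4.1.2428.90.1.5",
    "personalIdentityNumber": "urn:oid:1.2.752.29.4.13",
    "schacPersonalUniqueCode": "urn:oid:1.3.6.1.4.1.25178.1.2.14",
    "eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
}
NAME_BY_OID = {oid: name for name, oid in OID.items()}

# Release sets per entity category, from the page's comparison table.
# eduPersonTargetedID is not used within SWAMID, so it is left out of R&S.
CATEGORY_RELEASE = {
    ANONYMOUS: {"eduPersonScopedAffiliation", "schacHomeOrganization"},
    PSEUDONYMOUS: {"samlPairwiseID", "eduPersonAssurance",
                   "eduPersonScopedAffiliation", "schacHomeOrganization"},
    PERSONALIZED: {"samlSubjectID", "mail", "displayName", "givenName", "sn",
                   "eduPersonAssurance", "eduPersonScopedAffiliation",
                   "schacHomeOrganization"},
    RS: {"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
         "eduPersonAssurance", "eduPersonScopedAffiliation"},
}
# Attributes a SWAMID IdP releases only to services registered in SWAMID.
SWAMID_ONLY = {"norEduPersonNIN", "personalIdentityNumber"}
# Multivalued attributes with per-service values: never released on a metadata request.
PER_SERVICE_MULTIVALUED = {"eduPersonEntitlement", "norEduPersonLIN", "schacPersonalUniqueCode"}
# Assumed form of a European Student Identifier value inside schacPersonalUniqueCode.
ESI_PREFIX = "urn:schac:personalUniqueCode:int:esi:"


@dataclass
class ServiceProvider:
    entity_id: str
    entity_categories: set[str]
    requested: set[str] = field(default_factory=set)  # RequestedAttribute Names (OIDs)
    registered_in_swamid: bool = False


def release_attributes(sp: ServiceProvider, user: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {friendly name: values} that the IdP releases to sp for this user."""
    allowed: set[str] = set()
    for category in sp.entity_categories:
        allowed |= CATEGORY_RELEASE.get(category, set())
    if sp.entity_categories & {COCO_V1, COCO_V2}:
        # CoCo: release what the service requires in metadata, if available and permitted.
        for oid in sp.requested:
            name = NAME_BY_OID.get(oid)
            if name is None or name in PER_SERVICE_MULTIVALUED:
                continue
            if name in SWAMID_ONLY and not sp.registered_in_swamid:
                continue
            allowed.add(name)
    released: dict[str, list[str]] = {}
    for name in sorted(allowed):
        values = list(user.get(name, []))
        if name == "mail":
            values = values[:1]  # recommendation: release only one address
        if values:
            released[name] = values
    if ESI in sp.entity_categories:
        # ESI: only the ESI value of schacPersonalUniqueCode, never the other codes.
        esi_values = [v for v in user.get("schacPersonalUniqueCode", [])
                      if v.startswith(ESI_PREFIX)]
        if esi_values:
            released["schacPersonalUniqueCode"] = esi_values
    return released


# Constructed sample user; every value is made up.
USER = {
    "samlSubjectID": ["a1b2c3d4@example.edu"],
    "samlPairwiseID": ["9e8d7c6b@example.edu"],  # a real IdP derives this per service
    "eduPersonPrincipalName": ["alice@example.edu"],
    "mail": ["alice@example.edu", "alice.smith@example.edu"],
    "displayName": ["Alice Smith"],
    "givenName": ["Alice"],
    "sn": ["Smith"],
    "eduPersonAssurance": ["https://refeds.org/assurance"],
    "eduPersonScopedAffiliation": ["student@example.edu"],
    "schacHomeOrganization": ["example.edu"],
    "norEduPersonNIN": ["199001019999"],  # not a real personal number
    "eduPersonEntitlement": ["urn:mace:example.edu:entitlement:library"],
    "schacPersonalUniqueCode": [
        "urn:schac:personalUniqueCode:int:esi:example.edu:12345",
        "urn:schac:personalUniqueCode:se:example.edu:studentid:12345",
    ],
}
```

Calling release_attributes with a service tagged R&S plus ESI yields eduPersonPrincipalName, a single mail value, the name attributes, eduPersonAssurance, eduPersonScopedAffiliation and only the ESI value of schacPersonalUniqueCode; a CoCo service that requests eduPersonEntitlement or norEduPersonNIN in its metadata gets neither unless it is registered in SWAMID, and never gets eduPersonEntitlement that way.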

Process for applying for tagging a service with entity category European Student Identifier Entity Category

...